© 2016 Denim Group All Rights Reserved Optimizing Your Application Security Program with Netsparker and ThreadFix October 19, 2016 Ferruh Mavituna Product Architect and CEO, Netsparker Ltd. Dan Cornell CTO, Denim Group


Page 1: Optimizing Your Application Security Program with Netsparker and ThreadFix

© 2016 Denim Group – All Rights Reserved

Optimizing Your Application

Security Program with

Netsparker and ThreadFix

October 19, 2016

Ferruh Mavituna, Product Architect and CEO, Netsparker Ltd.

Dan Cornell, CTO, Denim Group

Page 2: Optimizing Your Application Security Program with Netsparker and ThreadFix


Agenda

• State of Application Security

• Netsparker Overview

• ThreadFix Overview

• ThreadFix / Netsparker Integration


Page 3: Optimizing Your Application Security Program with Netsparker and ThreadFix


Page 4: Optimizing Your Application Security Program with Netsparker and ThreadFix


Netsparker automatically finds and reports security issues in web sites and web services.

Automated Web Application Security

Netsparker Desktop: Windows-only software, easy to install and use.

Netsparker Cloud: SaaS version of Netsparker. It uses the very same engine, is scalable and comes with enterprise features.


Page 5: Optimizing Your Application Security Program with Netsparker and ThreadFix


Netsparker Desktop

Windows Software

It simulates a real attacker to find vulnerabilities in web applications automatically.

It allows users to carry out advanced security tasks and is especially useful for security consultants and in-house security teams.


Page 6: Optimizing Your Application Security Program with Netsparker and ThreadFix


Netsparker’s Core Features

• Ease of Use

• Supports Modern Web

• Proof Based Scanning (unique feature)

• Integrated Exploitation

• Supports Mobile/Web Services

• Supports Authentication


Page 7: Optimizing Your Application Security Program with Netsparker and ThreadFix


Netsparker Cloud

• Scalable: can scan thousands of websites within hours.

• Designed for Enterprise: designed with enterprises, big teams and big datasets in mind.

• API: for integrating with other solutions and internal products.

• On-premises or managed.


Page 8: Optimizing Your Application Security Program with Netsparker and ThreadFix


Security Testing Process


Page 9: Optimizing Your Application Security Program with Netsparker and ThreadFix


Automated Security Testing Process

1. Configure and Start the Scan: configure Custom 404, Authentication, URL Rewrite Rules etc.

2. Check if the results are correct: if there is a Local File Inclusion, exploit it safely to see that the LFI is real and not a False Positive; if it is SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives.

3. Take Action: prioritize important issues, communicate with the developers and make the necessary changes. Deploy the new version of the application and re-test.


Page 10: Optimizing Your Application Security Program with Netsparker and ThreadFix


Process with Netsparker & ThreadFix

1. Start your scan quickly: URL Rewrite rules will be discovered dynamically, Custom 404 will be handled automatically, and authentication only requires you to enter the URL, username and password. Supports SPA (Single Page Applications) automatically.

2. Proof Based Scanning (Netsparker will give you the proof): get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database; if there is an LFI, Netsparker will give you a file from the target system, etc. This applies to all direct impact vulnerabilities.

3. Take Action: now you know which vulnerabilities are real, so without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process. Now import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives!


Page 11: Optimizing Your Application Security Program with Netsparker and ThreadFix


Proof Based Scanning: False Positive or not?


Page 12: Optimizing Your Application Security Program with Netsparker and ThreadFix


A scanner you can


Page 13: Optimizing Your Application Security Program with Netsparker and ThreadFix


Scalability

How can you scan 1,000 applications? More importantly, how can you address 10,000 issues in these applications?


Page 14: Optimizing Your Application Security Program with Netsparker and ThreadFix


Netsparker Cloud & ThreadFix

In 24 Hours you can find & hot-patch 10,000 vulnerabilities

Netsparker Cloud can scan thousands of websites in under 24 hours.

API: import the results into ThreadFix.

Because the results will be clearly flagged as CONFIRMED and 100% real, you can now just generate WAF rules without worrying about False Positives.

Congratulations, you have improved the state of your web application security significantly in just under 24 hours.

You still need to fix all these issues rather than rely on the WAF, but the improvement will be huge.
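What the "CONFIRMED findings in, WAF rules out" step of this slide could look like in code, as an added example that is not part of this deck and not Netsparker's or ThreadFix's own tooling. It reads a constructed, simplified findings export (a made-up structure, not the real Netsparker or ThreadFix format), turns only confirmed findings into ModSecurity virtual-patch rules that enforce a positive allowlist on the affected parameter, and hands off confirmed findings for which no safe input pattern is known instead of guessing one.

```python
import json
import re

# Constructed sample export: a simplified, made-up structure, not the real
# Netsparker or ThreadFix format. "confirmed" mirrors the CONFIRMED flag the
# slides describe for proof-based findings.
SAMPLE_EXPORT = json.dumps([
    {"type": "SQL Injection", "url": "/products.php", "parameter": "id",
     "confirmed": True},
    {"type": "Local File Inclusion", "url": "/download", "parameter": "file",
     "confirmed": True, "allowed": r"^[a-z0-9_-]+\.pdf$"},
    {"type": "SQL Injection", "url": "/search", "parameter": "q",
     "confirmed": False},           # unconfirmed: must not become a WAF rule
    {"type": "Cross-site Scripting", "url": "/comment", "parameter": "body",
     "confirmed": True},            # confirmed, but no safe pattern known
])

# Hypothetical default allowlists per vulnerability class; a triager-supplied
# "allowed" pattern on the finding overrides them.
DEFAULT_ALLOWED = {
    "SQL Injection": r"^[0-9]{1,10}$",
    "Local File Inclusion": r"^[A-Za-z0-9_-]+(\.[a-z]{1,5})?$",
}


def virtual_patch_rules(export_json, base_id=900000):
    """Return (modsecurity_rules, needs_review) built from CONFIRMED findings only."""
    rules, needs_review = [], []
    for n, f in enumerate(json.loads(export_json)):
        if not f.get("confirmed"):
            continue                      # no proof, no blocking rule
        allowed = f.get("allowed") or DEFAULT_ALLOWED.get(f["type"])
        if not allowed:
            needs_review.append(f)        # nothing safe to enforce: hand off
            continue
        re.compile(allowed)               # fail early on a broken pattern
        rule_id = base_id + n
        label = f"Virtual patch: {f['type']} in {f['url']} param {f['parameter']}"
        # Chained rule: scope to the vulnerable URL, then deny any value of the
        # affected parameter that does not match the allowlist.
        rules.append(
            f'SecRule REQUEST_URI "@beginsWith {f["url"]}" '
            f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{label}\',chain"\n'
            f'    SecRule ARGS:{f["parameter"]} "!@rx {allowed}"'
        )
    return rules, needs_review
```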


Page 15: Optimizing Your Application Security Program with Netsparker and ThreadFix


ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Reduce risk and provide protection via virtual patching

• Translate vulnerabilities to developers in the tools they are already using


Page 16: Optimizing Your Application Security Program with Netsparker and ThreadFix


ThreadFix Overview


Page 17: Optimizing Your Application Security Program with Netsparker and ThreadFix


Create a consolidated view of your applications and vulnerabilities


Page 18: Optimizing Your Application Security Program with Netsparker and ThreadFix


Application Portfolio Tracking


Page 19: Optimizing Your Application Security Program with Netsparker and ThreadFix


Vulnerability Import


Page 20: Optimizing Your Application Security Program with Netsparker and ThreadFix


Vulnerability Consolidation


Page 21: Optimizing Your Application Security Program with Netsparker and ThreadFix


Prioritize application risk decisions based on data


Page 22: Optimizing Your Application Security Program with Netsparker and ThreadFix


Vulnerability Prioritization


Page 23: Optimizing Your Application Security Program with Netsparker and ThreadFix


Reporting and Metrics


Page 24: Optimizing Your Application Security Program with Netsparker and ThreadFix


Reduce risk and provide protection via virtual patching


Page 25: Optimizing Your Application Security Program with Netsparker and ThreadFix


WAF Virtual Patching


Page 26: Optimizing Your Application Security Program with Netsparker and ThreadFix


Translate vulnerabilities to developers in the tools they are already using


Page 27: Optimizing Your Application Security Program with Netsparker and ThreadFix


Defect Tracker Integration


Page 28: Optimizing Your Application Security Program with Netsparker and ThreadFix


Questions and Contact

ThreadFix

www.threadfix.it

Netsparker

www.netsparker.com
