PODCAST: Netsparker advances penetration testing 2.0 – automated web app vulnerability scanning

By Byron V. Acohido

A dozen years ago, or so, Ferruh Mavituna was doing very well as a lead penetration tester at a prominent cybersecurity consultancy when his frustration level began to spike.

Mavituna had access to the best tools available to hunt down latent vulnerabilities in web applications. And yet, all too often for Mavituna’s tastes, the tools spat out “false positives” – false alerts to vulnerabilities that really did not exist. Or sometimes the tools would simply overlook security holes that would later surface.

Related article: Cross-site scripting attacks plague web apps.

Believing he could do much better, Mavituna spent a few years doing R&D and then in 2009 launched Netsparker to introduce a new type of automated web vulnerability scanner. Today Netsparker’s automated scanner is used by the likes of Samsung, NASA, Skype, ING and Ernst & Young.

I had a chance to visit with Mavituna at RSA Conference 2018 recently in San Francisco. The company, which is headquartered in the U.K., had just announced receipt of $40 million in financing from  Turn/River Capital, a San Francisco-based growth and private equity fund. The cash infusion will be used to accelerate marketing and expand into more geographical markets.

Just last week, Netsparker received the prestigious Queen’s Award for Enterprise. To qualify the company had to demonstrate steep year-on-year growth  in overseas sales three years running, or substantial year-on-year growth over six years.

Mavituna is frustrated no longer. We discussed how Netsparker’s web vulnerability scanner came along at just the right moment, as the pace of developing web apps in support of ‘digital transformation’ was about to accelerate dramatically. For a full drill down, please listen to the accompanying podcast. Here’s a synopsis, edited for clarity and length:

LW: You just decided to build a better mouse trap?

Mavituna: Kind of, yes. I said, ‘look we should have better tools as penetration testers.’ The idea was not to replace humans. The idea was to find, what could be found, automatically. And one of the problems was a problem that is not unique to application security. It’s the general consensus that false positives are not solvable, so just learn to live with it. I didn’t like that.

LW: The investment capital you’ve just received suggests there may be strong demand for a tool like yours.


Mavituna: Let’s look at the bigger picture. If you look at the last decade and a half, what you see is very obvious: web applications are taking over. If you think about the top 50 tech companies, almost every single one of them have web applications; think of every single one of the consumer facing applications and all of that.  And the second kind of applications are mobile applications, which are designed to talk to the Web backend, where the actual private data is stored. So what has happened is we’ve moved from an on-premises based network environment to a very cloud-based, on-demand, SaaS-based, application-driven environment revolving around consumer culture.

LW: So all the action is not just on premises, it’s also on web servers, many of them supplied by Amazon Web Services or whoever.

Mavituna: That’s it. So the attack surface has shifted. We used to talk about how someone breached the firewall because the configuration was wrong. I can’t remember the last time I heard someone breached a firewall, that just doesn’t happen anymore. All of the attackers have moved to this much bigger attack surface: web applications. And that’s why we’ve been seeing so many data breaches in the last five years or so, and we’re just going to see more and more.

LW: I’m wondering if the bad guys are using automation tools, as you are —  to search for these vulnerabilities.

Mavituna: They definitely do. I don’t think they’re consciously thinking about how web applications are so popular and that’s why it’s easier for them to hack. If you’re a bad guy this is just what you do. You go around and look for vulnerabilities, and it results in really insane data breaches, such as Equifax . . . The web application attack surface is so big that we’re now seeing all these problems. And this is the problem we started out to solve about 9 years ago.

LW: Perhaps you were ahead of curve.

Mavituna: Definitely ahead of the curve. At the time we started the application security problem wasn’t this big, but we knew it was going to be even bigger. It was obvious. However, about five years ago, we started seeing another trend. So everyone has web applications and needs security, but the new trend is they have not only one application, they have 50 applications, they have hundreds of applications, they have thousands of applications. That’s another challenge; how do we scale to that level. That’s what we started working on five years ago. And that’s why we’ve positioned ourselves as being really important to enterprise-level application security and also why we’ve received this investment.

LW: From what you’ve described this sounds like it’s part of the bigger scheme of digital transformation. Is it?

Mavituna: Definitely. We fit into the movement to the cloud, rapid deployment, and everything moving to mobile applications. We help solve the security problems. When it comes to DevOps and introducing security into SDLC, those are things we’ve moved into, as well. We’ve always know security is a  process. You need to start doing security for new developments and continuing doing security even after production and after you’ve deployed the application. So now we are integrated into SDLC, software development lifecycle.

LW: So that idea is  to do a vulnerability scan when the developer starts creating the software?

Mavituna: That’s correct. So when a developer writes a new piece of code, we will find the vulnerabilities in that piece of code within 45 minutes. What happens today in the majority of the cases is a developer develops a piece of code and it gets pen tested two months down the line. That’s when they get feedback about vulnerabilities. So it’s kind of too late. And now the developer has made that mistake ten other places in the basic application.

LW: So developers, who want to move as fast as possible, get the wisdom of doing this? Do CIOs get it ?

Mavituna: They do. The bigger the enterprise, the better they understand it. They realize if they don’t find the vulnerabilities early, then they will have to do it after production, after deployment, after when they go live. And when they go live, if they are lucky, some white hat security researcher  will tell them, ‘Hey, you’ve got this vulnerability.’ If they’re unlucky, they will be hacked, their web site will be defaced, or worse, all of their  data will be stolen.

LW: Is it’s a choice of facing bug bounty hunters or malicious hackers.

Mavituna: Correct. It’s in their favor, by all means, to address this. There’s plenty of research on this. If you address a bug early it can be up to 40 times cheaper, than addressing it later. So they understand this very well  because they’re paying the price today.

LW: Is the basic notion to bake security into the fabric of the web applications?

Mavituna: The technical term we use is to call it Secure Software Development Lifecycle. This means integrating security into your development lifecycle and also when you go into deployment. You’re not blocking anything. You’re not saying ‘we cannot go live before we do a security test,’ because you’ve been security testing all along. So you can hit your deadlines. So that’s definitely how it’s supposed to be. And we see that this is gaining way more traction than it used to, compared to last couple of years.

(Editor’s note: Last Watchdog has supplied consulting services to Netsparker.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone