Launching an automated web application security scan is not enough on its own.
Maintaining a secure web application is a broader and more challenging process. Thanks to
Netsparker’s advanced technologies, discovering issues in a web application and fixing
them is easier than ever.
Netsparker will help you with default options and explanations. But you also need to gather
some detailed information about your web applications. This topic will help you prepare, so
that you can set the correct options for your Netsparker scan.
Before launching a scan, it's best to conduct a mental inventory. The answers to the following questions will help you
to optimize your Scan Policies.
Are you aware of all your online collateral, web applications and services?
The most vulnerable components of a web application could be the login forms and
the input fields (which are reported in the Knowledge Base once a scan has been
completed). Have you checked your websites to determine if there are any web
forms or input areas? You will need them for setting form authentication or excluding
them from the Scan Scope. Excluding components will be very useful in such cases.
Netsparker carries out a large number of attacks which may negatively affect your
web application if the parameters are not set properly. For instance, if there is a mail
form on your web application, Netsparker will send requests to that form and you
may receive many unwanted emails.
After learning which technologies and other elements exist on the web application, next you
will start configuring the scan.
The duration of a web application security scan depends on various factors. To keep the
duration short, you can optimize a scan by configuring some of the settings. For even more
accurate scan results, you should configure the scan further. You can configure the
following options:
Crawling Options
Scan Scope
Website Authentication
Scan Policy
Before scanning your website, the target host must be ready for the test. Ensure that the
target host stays online during the scanning process. In addition, you can use the Pause
and Stop features. To avoid any service breakdowns, you can use the Scan Time
Window to set the time for Netsparker to scan the target URL.
Think of your web applications as an unsecured back door into your business. Modern web
applications let users interact with the host's network or server. Poor coding and defective
hardening policies weaken the security of the web application. If the web application
is not developed to the relevant security standards, it can be manipulated by exploiting
vulnerabilities and misconfigurations.
In the Netsparker Standard edition, there are also built-in security testing tools such as
HTTP Request Builder, ViewState Viewer, and Encoding and Decoding Tools. It also has a
report generator that allows the user to export the details of the scan results. Netsparker
can be easily integrated into your SDLC, DevOps and other environments to help keep your
web applications secure.
For further information, see What is Netsparker? and Integrating Netsparker Enterprise
into Your Existing SDLC.
If you have a Netsparker edition, you have probably already performed a scan of your web
application. Previous scans give you a baseline for the security development process. Please
compare the old and new scan results, and review the newly discovered issues.
You can also choose the security test type for specific vulnerabilities.
Incremental scans help you save time. Instead of scanning the whole web application, you
can scan just the new pages added since the last scan.
You can integrate an issue tracker with Netsparker to help you manage and maintain a list
of all the issues at each stage of the SDLC (Software Development Life Cycle).
Fixing Issues
Attackers use different methods to hack web applications. Every day brings the potential for
a new attack. Scheduling and performing periodic security scans are vital. Each scan may
discover new vulnerabilities in your web application. If vulnerabilities are detected, you need
to fix them as quickly as possible and then re-test them with Netsparker. At this point,
Netsparker checks whether the issues are properly fixed. If so, they are marked as
resolved. This process needs to be conducted continuously so that the security of your web
applications is maintained.
The main objective of a security scan is to detect issues and fix them. Netsparker lets you
retest the issues to check whether they are fixed. Instead of starting a full scan, you can
retest only the fixed issues.
In Netsparker Standard, you can retest a single issue or multiple issues at once. In
Netsparker Enterprise, you can retest all issues. Netsparker Enterprise automatically
checks the issue. If it is fixed as intended, the issue will be marked as Fixed. If not, the
issue will be assigned back to the Assignee. If you are sure that the issue is a false positive,
you can mark it as a False Positive. You can also mark the issue as Accepted Risk if you
are aware of its impact. And, finally, you can manually mark an issue as Fixed
(Unconfirmed).
Generating Reports
Reporting is the most important step in the web application security scanning process.
Netsparker can generate reports based on relevant regulations. If you want your web
application to be compliant with ISO 27001, generate an ISO 27001 Compliance Report to
check for specific vulnerabilities and apply the correct remedies.
Netsparker Enterprise On-Demand also has a PCI compliance feature that enables you to
automate most of the process and generate approved PCI compliance reports. When a PCI
scan is completed, websites that meet the standard will receive an approved compliance
report. If the website fails, you can fix the listed vulnerabilities and retest them.
Netsparker also enables you to create custom reports (see Custom Report Policies). This
means you can change the vulnerability details, classification numbers, actions to take or
add the logo of your organization.
Report Templates
In Netsparker, you can generate and download various types of individual scan
report, including compliance reports, from a set of Report Templates.
In Netsparker Enterprise and Netsparker Standard, scan reports are accessed differently:
In Netsparker Enterprise, scan reports are accessed from the Recent Scans window.
In Netsparker Standard, scan reports are downloaded from the Reporting tab, along
with Lists.
Report Template: Description

New Report Template: This is a Netsparker Standard only feature that enables you to customize and name your own report template, using one of the other report templates as a Base Template.
Detailed Scan Report: This is a detailed report that outlines scan details such as request, response, and vulnerability descriptions, including information on the impact of the vulnerability, remedy procedure, classifications, and proof URLs. This report also includes a summary of which settings were used.
Executive Summary Report: This is a brief report that includes recommendations and summaries based on the most recent scan of the website.
HIPAA Compliance Report: This is a report that lists the vulnerabilities included in HIPAA standards, along with their details.
ISO 27001 Compliance Report: This is a report that outlines the vulnerabilities included in the ISO 27001 standard, along with their details.
OWASP Top Ten 2013 Report: This is a detailed report that outlines the OWASP Top Ten 2013 vulnerabilities, along with their details.
OWASP Top Ten 2017 Report: This is a detailed report that outlines the OWASP Top Ten 2017 vulnerabilities, along with their details.
PCI DSS Compliance Report: This is a report that lists the vulnerabilities that are listed in the PCI classification, along with their details.
SANS Top 25 Report: This is a detailed, Netsparker Standard only, report that outlines the CWE/SANS Top 25 vulnerabilities, along with their details.
F5 BIG-IP ASM WAF Rules: This is a report that lists the vulnerabilities according to the BIG-IP ASM WAF Rules.
ModSecurity WAF Rules: This is a report that lists the vulnerabilities according to the ModSecurity WAF Rules.
For further information on how to modify the way vulnerabilities are reported during a scan,
and report them to match your organization's security policies, see Custom Report
Policies.
For further information on how to generate and download Vulnerabilities Lists, as well as
Scanned URLs and Crawled URLs lists in both Netsparker Enterprise and Netsparker
Standard, see Lists.
3. Next to the relevant scan, click Report. The Scan Summary window is displayed.
4. Click Export. The Export Report dialog is displayed.
5. From the Report dropdown, select the relevant report.
6. From the Format dropdown, select an option.
If you select Comparison Report in step 1, the following additional steps apply.
10. Select the relevant file, and click Open. The report opens immediately.
How to Use Your Company Logo in a Report in Netsparker Standard
Built-In Reports
Netsparker has several built-in reports that provide you with both an overview and an
in-depth look at the security state of all your websites and web applications.
It also has a Reporting tool that allows you to generate your own statistical reports,
allowing you to better manage the security of all your web applications.
You can also export the scan results as either an HTML or PDF Detailed Scan Report,
or in several other report types, such as a list of all identified vulnerabilities in XML
format.
From the global, website group, or single website dashboard in Netsparker Enterprise, you
can get a good overview of the security state of all your websites.
For further information on reports available on the Dashboard, see Viewing the Global
Dashboard in Netsparker Enterprise.
The Trend Matrix Report allows you to see correlated trending data about the status of the
identified vulnerabilities across several scans. It provides detailed
information about every vulnerability that was identified on a single website, such as when it
was found, when it was fixed, and whether it reappeared in later scans.
You can access the Trend Matrix report from the Scan Summary Dashboard in Netsparker
Enterprise, which displays scanning information for a single website (see How to View the
Scan Summary Dashboard in Netsparker Enterprise).
From the Trend Matrix Report, you can see when a vulnerability was identified, when it was fixed, and
whether it was identified again in later scans. Therefore, apart from giving you an
overview of the security state of a website, the trending report also allows you to easily track
the progress and work of the developers.
Scan Results Report
Once a web security scan is complete, you can also access the report of that scan in both
Netsparker Enterprise and Netsparker Standard, from where you can see all the technical
details about every identified vulnerability.
How to View the Scan Results Report in Netsparker Enterprise
https://www.netsparker.com/support/creating-new-scan-netsparker/