With the uptake of cloud computing and advancements in browser technology, web applications have become a core component of business processes, and a lucrative target for hackers. Organizations must make web application security not only a priority, but a fundamental requirement. Enter Acunetix Vulnerability Scanner! A Firewall is not enough Firewalls, SSL and hardened networks are futile against web application hacking. Web attacks are carried out over HTTP and HTTPS; the same protocols that are used to deliver content to legitimate users. Web applications are often tailor-made and tested less than off-the-shelf-software; the repercussions of a web attack are often worse than traditional network-based attacks.

• Detects over 4500 web application vulnerabilities.
• Scan open-source software and custom-built applications.
• Detects Critical Vulnerabilities with 100% Accuracy.

Technology Leader in Automated Web Application Security Acunetix are the pioneers in automated web application security testing with innovative technologies including:

• DeepScan Technology – for crawling of AJAX-heavy client-side Single Page Applications (SPAs).
• Industry’s most advanced SQL Injection and Cross-site Scripting testing – includes advanced detection of DOM-based XSS.
• AcuSensor Technology – Combines black box scanning techniques with feedback from its sensors placed inside source code.

Fast, Accurate, Easy to Use Multi-threaded, lightning fast crawler and scanner that can crawl hundreds of thousands of pages without interruptions.

• Highest detection of WordPress vulnerabilities – scans WordPress installations for over 1200 known vulnerabilities in WordPress’ core, themes and plugins.
• An easy to use Login Sequence Recorder that allows the automatic scanning of complex password protected areas.
• Review vulnerability data with built-in vulnerability management. Easily generate a wide variety of technical and compliance reports.

While today’s malicious attackers pursue a variety of goals, they share a preferred channel of attack—the millions of custom web, mobile, and cloud applications companies deploy to serve their customers. AppSpider dynamically assesses these applications for vulnerabilities across all modern technologies, provides tools that speed remediation and monitors applications for changes. Keep your applications safe and secure—now and moving forward. KNOW YOUR WEAK POINTS AppSpider automatically finds vulnerabilities across a wide range of applications— from the relatively simple to the most complex—and it includes unique capabilities and integrations that enable teams to automate more of the security testing program across the entire software development lifecycle (SDLC), from creation through production. Coverage is the first step to scanner accuracy. Scanners were originally built with a crawl and attack architecture, but crawling doesn’t work for web services and other dynamic technologies. AppSpider can still crawl traditional name=value pair formats like HTML, but it also has a Universal Translator that can interpret the new technologies being used in today’s web and mobile applications (AJAX, GWT, REST, JSON, etc.). With AppSpider, you can: • Close the coverage gap with our Universal Translator • Intelligently simulate real-world attacks • Continuously monitor your applications • Stay authenticated for deep assessment AppSpider includes interactive actionable reports that prioritize the highest risk and streamline remediation efforts by enabling users to quickly get to and analyze the data that matters most. With one click, you can drill deep into a vulnerability to get more information and replay attacks in real-time. Sifting through pages and pages of vulnerabilities in a PDF report takes too much time. AppSpider provides interactive, actionable reports that behave like web pages with an intuitive organization and links for deeper analysis. The analysis doesn’t have to be tedious: Findings are organized and consolidated by attack types (XSS, SQLi, etc.), and with one click, you can drill deep into a vulnerability to get more information. AppSpider’s sophisticated reports reduce remediation time and streamline communication with developers. With AppSpider, you can: • Conduct deeper analysis with interactive reports • Quickly replay web attacks • Categorize applications for easy reporting In order to improve your overall security posture, you need a high-level view of your application security program that enables you to see where things stand. AppSpider enables centralized control, automation, and interoperability over all aspects of your enterprise web application security program, including continuous scanning configuration, user permissions, scheduling, and monitoring. In addition, AppSpider includes trends and analyze data to help collaborate with all stakeholders toward improved security posture. Time is critical when remediating vulnerabilities. Using innovative automated rule generation, AppSpider’s defensive capabilities help security professionals patch web application vulnerabilities almost immediately—in a matter of minutes, instead of days or weeks. Without the need to build a custom rule for a web application firewall (WAF) or intrusion prevention system (IPS), or the need to deliver a source code patch, our software allows you the time to identify the root cause of the problem and fix it in the code. With AppSpider, you can: • Manage and control application security programs • Automate targeted virtual patching • Meet compliance requirements • Integrate into your DevSecOps workflow

Blade Tool Output Integration Framework (TOIF) is a powerful software vulnerability detection platform. It provides a standards-based environment that integrates the outputs of multiple vulnerability analysis tools in a single uniform view with unified reporting. It leverages OMG Software Assurance Ecosystem standards, Software Fault Patterns (SFPs), and Common Weakness Enumerations (CWEs) Composite Vulnerability Analysis & Reporting. Blade TOIF’s  plug-and-play  environment  provides  a  foundation  for  composite  vulnerability  analysis  by  normalizing,  semantically  integrating,  and  collating  findings from existing vulnerability analysis tools. Improves breadth and acccuracy of off-the-shelf vulnerability analysis tools. Provides powerful vulnerability analysis and management environment for analyzing, reporting and fixing discovered weaknesses. Seamless Integration. Out-off-the-box, Blade TOIF seamlessly integrates into the Eclipse Development Environment and with five open-source vulnerability analysis tools:

• CppCheck
• RATS
• Splint
• SpotBugs
• Jlint

It  enables  strategic  use  of  commercial  and  open-source  vulnerability  analysis  tools and, in conjunction with its unified priority reporting, reduces the overall costs of performing a vulnerability assessment by 80%.

Blade TOIF Integration

Integrates into Eclipse development environment:

• Execute Blade TOIF (desktop deployment) from within Eclipse with progress bar
• Automatically see defect findings in Eclipse
• Use the “TOIF Analyze” easy button in the Eclipse toolbar and in the Blade TOIF main menu
• Run it on a sub-set of project files/ directories
• Filter the defect findings listed in the Blade TOIF Findings view, based on the selected project data in the Project Explorer in Eclipse

Blade TOIF Key Capabilities

• Integrates multiple vulnerability detection tools and their findings as “data feeds” into a common repository
• Addresses wider breadth and depth of vulnerability coverage
• Common processing of results
• Normalizes and collates “data feeds” based on discernable patterns described as Software Fault Patterns (SFPs) and CWEs
• Provides one prioritized report with weighted results across tools/vendors
• Uses an RDF repository and provides external Java API for additional analysis capabilities
• Integrates out-of-box with: CppCheck, RATS, Splint, SpotBugs and Jlint
• Defect Description view provides information related to the cluster, SFP, and CWE description of the selected defect instance in the Blade TOIF Findings view
• Defect findings, including citing information, can be exported to *.tsv file and subsequently imported to another Blade TOIF project
• Installation wizard, auto-detection and configuration of open source software (OSS) static code analysis (SCA) tools
• Supports load build integration to import results generated from the server/load build to the desktop

Combining Blade TOIF with our automated risk analysis platform, Blade Risk Manager, provides a comprehensive cybersecurity risk management solution that includes:

• Automated risk analysis
• Automated vulnerability detection and analysis
• Traceability
• Measurement and prioritization that make it easy to plan how to best leverage the risk management budget and resources for greatest impact

Even the best detection technology cannot return the data, money or reputation that is lost in a breach. While a layered approach that addresses the entire attack cycle is a must, prevention still has the highest return on investment. BUFFERZONE provides a better way to reduce the attack surface and protect the most vulnerable part of the organization – employee endpoints. How it Works? The BUFFERZONE virtual container protects any application that you define as insecure including web browsers, email, Skype, FTP and even removable storage. BUFFERZONE is transparent to both the application and the end-user, yet completely seals off threats from the rest of the computer. Unlike conventional endpoint detection solutions that depend on signatures or behavioral profiles to detect malicious activity, BUFFERZONE simply isolates malware regardless of whether it is known or new, and prevents it from doing any harm. The BUFFERZONE Endpoint Security solution includes:

• Virtual Container: A secure, virtual environment for accessing content from any potentially risky source including internet browsers, removable media and e-mail.
• Secure Bridge: A configurable process for extracting data from the container to enable collaboration between people and systems while ensuring security and compliance.
• Endpoint Intelligence: Detailed reporting and integration with SIEM and Big Data analytics to identify targeted attacks.

Features: Virtual Containment On endpoints running the BUFFERZONE agent, access to external, untrusted sources such as the internet and the effects of such access are completely isolated inside a virtualized container. Potential threats are thus isolated from the endpoint’s native resources from which trusted organizational resources are accessed, making it impossible for threats to in any way harm the endpoint or the rest of the organization. A configurable, centralized policy determines application containment. Network Separation Endpoint-based network segmentation. Define separate firewall-type rules for contained and uncontained applications, preventing uncontained, trusted applications from accessing risky destinations such as the internet and preventing contained, untrusted applications from accessing sensitive, internal organizational network destinations. Email Attachment Containment Contains attachments from external, untrusted sources, protecting the endpoint and trusted organizational resources from the attachments. Emails arriving from outside the organization are saved normally (uncontained) on endpoints but are subsequently opened on any protected endpoint in a BUFFERZONE container. DLP Features Several BUFFERZONE features can contribute to an organizational data-loss prevention (DLP) strategy by blocking information from exiting the organization by various paths:

• Containment Features. Prevent uncontained applications, which can access organizational resources, from accessing the internet; and prevent contained applications, which can access the internet, from accessing organizational resources.
• Hidden Files. Set file locations, that may contain sensitive data, to be hidden from contained applications.
• Upload Blocker. When Upload Blocker is enabled, contained browsers can download to and upload from only a designated folder (by default: Downloads), which is isolated from uncontained programs. This prevents browsers from uploading any files to the internet other than contained files that were previously downloaded from the internet.

BUFFERZONE Management Server (BZMS) For centralized management, you can integrate BUFFERZONE with your existing endpoint management system; or, for fuller management capabilities, use the BUFFERZONE Management Server (BZMS) to manage organizational BUFFERZONE agents, gain visibility to relevant organizational endpoints, and serve and assign organizational policy by endpoint and/or user.

Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way. Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities, users improve their own work. Do you remember the last time you programmed without an IDE? What IDEs are to programming, Faraday is to pentesting.

Plugins

You feed data to Faraday from your favorite tools through Plugins. Right now there are more than 70+ supported tools. There are three Plugin types: console plugins which intercept and interpret the output of the tools you execute, report plugins which allows you to import previously generated XMLs, and online plugins which access Faraday's API or allow Faraday to connect to external APIs and databases. Supporting output from +70 tools, Faraday Platform centralizes all your efforts and gives sense to your main objectives. Providing powerful Automation Technology, it helps you reduce your findings’ life cycle by prioritizing actions and decreasing the exposure time of your assets, promoting collaboration by allowing big and small groups of people to work together. Plus, get deep insight on all your projects with just a couple clicks.

Key features

Custom Implementation. No infrastructure changes needed: implement Faraday On-prem, Cloud or Hybrid without network changes. Flexible Integrations. Import output or results from 3rd party tools and synchronize your ticketing systems (JIRA, ServiceNow) and security enhancements (2FA, LDAP) Workflows. Implement custom events by triggering actions or vulns' content in real time Deduplicate Vulns. Faraday's Global Vuln KB allows you to customize descriptions and apply them accordingly. Agents. Define and execute your own actions from different sources and automatically import outputs into your repository. Scheduler. Automate repetitive Agents' actions and check results on your Dashboard. Graphics. Get a visual representation of all your findings with just one click. Faraday Client. Solution’s  shell allows you to upload results while pentesting actively. Methodology and Tasks. Setup your own strategy, assign tasks to users for each phase and easily follow them up.

Choose the plan that best: fits your needs

Community Faraday supports the InfoSec Community around the globe by offering a free open source version that improves on daily workflows

• Feed data to Faraday from your favorite tools
• Divide projects by your own rules
• Customize your instance

Professional Designed for small pentester teamwork. Integrate and report main data generated during a security audit.

• Easily identify and sort your database
  Craft and export projects using your own templates
  Plan ahead and keep track of your goals

Corporate Operate large volumes of data and save time with the Automation Technology, reducing your findings’ life cycle

• Prioritize actions, decreasing exposure time for your assets
• Adapt strategies to customize every phase of your projects
• Integrate everything!

With a strong focus on 3rd party integration and open standards, the GSM is a best of breed security solution that enhances and supplements your security posture and allows a proactive approach to automated Vulnerability Life Cycle Management. The GSM CENO covers up to 500 IP addresses. The operational areas are small to medium enterprise IT or medium offices. GSM CENO is the solution for small to medium enterprise IT or medium branch offices.

Benefits

• Turn-key solution: operational within 10 minutes
• Powerful appliance operating system Greenbone OS with command line administration bases on a comprehensive security design
• Integrates the Greenbone Security Feed with over 69,900 Vulnerability Tests, automatically updated daily with the newest threat detection routines
• Integrated GOS-Upgrade
• Integrated Greenbone Security Assistant as central web interfaceNo limitation on number of target IP addresses (effective number depends on scan pattern and scanned systems)
• Flat-rate subscription includes the Platinum Support package, the Greenbone Security Feed and feature updates

 Supported Standards

• Network integration: SMTPS (Email), LDAP, RADIUS, DHCP, IPv4/IPv6
• Vulnerability detection: CVE, CPE, CVSS, OVAL
• Network scans: WMI, LDAP, HTTP, SMB, SSH, TCP, UDP, etc.
• Policies: Baseline security, PCI-DSS, ISO 27001Web-based interface (HTTPS)
• Scan tasks management with notes and false-positives marking
• Multi-user support
• Clustered and distributed scanning via sensor mode
• Report browsing aided by filtering, sorting, annotating and risk scoring
• Plugin framework for reports: XML, PDF, etc.
• Appliance performance overviewIntegration (API)
• Greenbone Management Protocol (GMP), secured
• All user actions of web-based interface available via API
• Easy integration with other applications using the API
• Simple automation via command line tools Administration Console Interface
• Network integration and configuration
• UpgradeScan-Application
• Scan Engine and Framework: Greenbone Vulnerability Manager (GVM)with integrated Greenbone Security Feed (GSF)

Safeguard apps with static and dynamic testing across their lifecycle In today’s increasingly sophisticated threat landscape, the ramifications of under-secured web, mobile, cloud and open source applications can be dire. And since applications can compromise security across your entire organization, adopting an application security strategy that can protect apps throughout the development lifecycle needs to be a top priority. IBM® Security AppScan® and IBM Application Security on Cloud enhance web and mobile application security, improve application security program management and strengthen regulatory compliance for organizations of any size. Dynamic analysis (DAST), static analysis (SAST) and open-source testing help you identify risks, create prioritized remediation plans, and drive precise, actionable results. Why IBM Security AppScan

• Identify and fix vulnerabilities. Reduce risk exposure by identifying vulnerabilities early in the software development lifecycle.
• Maximize remediation efforts. Classify and prioritize application assets based on business impact and identify high-risk areas.
• Decrease likelihood of attacks. Test applications prior to deployment and for ongoing risk assessment in production environments.

Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide.

Single Installation License

• includes one year of our standard monthly updates and support
• unrestricted (no target IP address limitations)
• full source code
• Supported Platforms and Installations
• Windows (requires Python & PyGTK)
• Linux
• All other Python environments such as mobile phones and commercial Unixes (command line version only supported, GUI may also be available)

Architecture

• CANVAS' completely open design allows a team to adapt CANVAS to their environment and needs.

Documentation

• all documentation is delivered in the form of demonstration movies
• exploit modules have additional information
• currently over 800 exploits

Immunity carefully selects vulnerabilities for inclusion as CANVAS exploits. Top priorities are high-value vulnerabilities such as remote, pre-authentication, and new vulnerabilities in mainstream software. Exploits span all common platforms and applications

Payload Options

• to provide maximum reliability, exploits always attempt to reuse socket
• if socket reuse is not suitable, connect-back is used
• subsequent MOSDEF session allows arbitrary code execution, and provides a listener shell for common actions (file management, screenshots, etc)
• bouncing and split-bouncing automatically available via MOSDEF
• adjustable covertness level

Exploit Delivery

• regular monthly updates made available via web
• exploit modules and CANVAS engine are updated simultaneously
• customers reminded of monthly updates via email

Exploit Creation Time

• exploits included in next release as soon as they are stable

Effectiveness of Exploits

• all exploits fully QA'd prior to release
• exploits demonstrated via flash movies
• exploit development team available via direct email for support
• Ability to make Custom Exploits
• unique MOSDEF development environment allows rapid exploit development

Product Support and Maintenance

• subscriptions include email and phone support M-F 9am - 5pm EST, directly with development team
• minimum monthly updates

Development

CANVAS is a platform that is designed to allow easy development of other security products. Examples include DSquare's D2 Exploitation Pack, Intevydis' VulnDisco, Gleg's Agora and SCADA.
CANVAS Early Updates Program Immunity CANVAS is heavily QA'd and on a monthly release cycle, however a select number of Immunity's clients rely on up-to-the-minute vulnerability information as Immunity produces material. Immunity is often first to market with new exploits and proof of concept exploit code following "Microsoft Tuesdays". Until they are included in the next reliable monthly release of CANVAS Professional, these codes are available through the CANVAS Early Updates program. This code is often proof-of-concept early research, however its early availability allows our research team to share its results as soon as it is produced. CANVAS Early Updates customers include IDS vendors, vulnerability assessment vendors, and professional services organizations. End-users are provided with an increased level of confidence in our subscribers' products as they are able to verify protection or existence of a new vulnerability within hours of its announcement.

Netsparker Enterprise is specifically designed to help enterprises scan and manage the security of hundreds and even thousands of websites in a few hours, with no need to install any new hardware or software.
Netsparker Enterprise is used to integrate into the Software Development Lifecycle, DevOps and live environments to scan thousands of web applications and web services as they are being developed or run in live environments. It is available either hosted or as an on-premises solution.
The main features of Netsparker Enterprise:

• Proof-Based Scanning

• Integration Capabilities

• Pen Testing Tools

• Heuristic URL Rewrite Detection

• Advanced (Out of Band) Vulnerability Detection

• Vulnerability Management System

• Multi-User Support

• Trend Matrix Reports

• Dedicated Tech Support

• Custom Integration

Netsparker Standard is used to conduct manual analysis and exploitation, and is ideal in situations when more advanced testing is required, such as on an individual component that requires user input. The main features of Netsparker Standard:

• Search for vulnerabilities in any type of website automatically. Netsparker Standard uses a Chrome based crawling engine. It can crawl and scan any type of modern and custom web application including HTML5, Web 2.0 and Single Page Applications (SPA).

• Save Time & Costs with Proof-Based Scanning™. Netsparker pioneered Proof-Based Scanning™, a technology that automatically verifies identified vulnerabilities, demonstrating that they are real and not false positives.

• Highest scanning accuracy. The Netsparker web application security uses the Netsparker Hawk vulnerability testing infrastructure to identify even the the most complex vulnerabilities, such as Server Side Request Forgery (SSRF) and Out-of-Band and Second Order vulnerabilities.

• Ideal for manual web application scanning. Every feature and aspect of the scan, including automated ones, is customizable (custom cookies, anti-CSRF tokens, custom HTTP headers and more).

• Generate Any Type Of Report For Compliance And Management. The Netsparker web application security scanner has a built in reporting tool to help you generate any type of report you want, including compliance reports for PCI DSS, HIPAA and OWASP Top 10.

Netsparker Standard includes:

• Proof-Based Scanning
• Integration Capabilities
• Pen Testing Tools
• Heuristic URL Rewrite Detection
• Advanced (Out of Band) Vulnerability Detection

Netsparker Team is specifically designed to help enterprises scan and manage the security of hundreds and even thousands of websites in a few hours, with no need to install any new hardware or software. This solution includes access to both Netsparker Standard and Netsparker Enterprise.
Netsparker Team is used to integrate into the Software Development Lifecycle, DevOps and live environments to scan thousands of web applications and web services as they are being developed or run in live environments. It is available either hosted or as an on-premises solution.
The main features of Netsparker Team:

• Proof-Based Scanning

• Integration Capabilities

• Pen Testing Tools

• Heuristic URL Rewrite Detection

• Advanced (Out of Band) Vulnerability Detection

• Vulnerability Management System

• Multi-User Support

• Trend Matrix Reports

Audit the Security of Your Websites with Netsparker Web Application Security Scanner Netsparker finds and reports web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) on all types of web applications, regardless of the platform and technology they are built with. Netsparker’s unique and dead accurate Proof-Based ScanningTM technology does not just report vulnerabilities, it also produces a Proof of Concept to confirm they are not false positives. Freeing you from having to double check the identified vulnerabilities. Netsparker Desktop Netsparker Desktop is available as a Windows application and is an easy-to-use web application security scanner that uses our advanced Proof-Based ScanningTM technology and has built-in penetration testing and reporting tools. Netsparker Cloud Netsparker Cloud is a scalable multi-user online web application security scanning solution. It uses our unique Proof-Based ScanningTM technology and has built-in enterprise workflow tools to help enterprises scan and manage the security of 100s and 1000s of websites.

• Automatic Detection. Automatically detect XSS, SQL Injection and other web application vulnerabilities.
• Dead Accurate. Use your time fixing vulnerabilities and not verifying the scanner’s findings.
• Scalable. Easily scan 100s and 1000s of web applications simultaneously with a fully scalable service.
• Integration. Easily integrate web security scanning in the SDLC & continuous development systems.

Why Should You Scan Your Websites for Vulnerabilities? Businesses rely on web applications because they allow employees to access critical data from anywhere at anytime, enabling them to collaborate with business partners and be more productive.  Business-focused web applications tend to be susceptible to vulnerabilities that can be automatically detected and easily exploited. Statistics and reports from trusted sources show a constant upwards trend in successful hack attacks.  Beat malicious hackers at their own game; identify and fix vulnerabilities in your web applications before they find and exploit them. Use the Netsparker automated web application security scanners to automatically identify exploitable vulnerabilities and other security flaws that can leave you and your business exposed.

Penetration Testing as a Service

Your organization is always-on and your security should be too. NetSPI Penetration Testing as a Service (PTaaS) makes expert penetration testing team available for you when you need it. Whether it’s scoping a new engagement, parsing real-time vulnerability reports, assisting you with remediation, or keeping you compliant year round, PTaaS has you covered.

The Benefits of PTaaS

• Enhanced Reporting.Live, consumable testing results are delivered via Resolve, our vulnerability management platform, giving you a single-pane view of vulnerabilities and allows you to drill down into the data to see trend analysis year over year.

• Accelerated Remediation. Live, interactive reporting makes the path to remediation clear and easy. Integrate with your ticketing systems and remediation tools to streamline the remediation process.

• Reduced Administrative Time. Spend more time delivering value to the business, and less time managing projects. From scoping to remediation, PTaaS removes administrative hassles and makes sure your pen tests start and end on time.

• Scan Monster. Find vulnerabilities faster with NetSPI’s proprietary continuous scanning technology. Integrated with Resolve, vulnerabilities are automatically deduplicated and are verified by NetSPI’s pen testing team, bringing clarity to your results.

---

How it works?

---

Advisory Services

To fully recognize the value of your technical testing efforts and help ensure the greatest security posture for your organization, multiple Threat and Vulnerability Management (TVM) program elements need to work together harmoniously. NetSPI has developed a comprehensive framework that helps our clients thoughtfully consider the necessary elements of a TVM program.

Application Penetration Testing

NetSPI’s team of application security testing experts specialize in identifying and exploiting vulnerabilities in Web, Mobile, and Thick Applications. Whether your application is hosted internally, or in the cloud, NetSPI evaluates applications for security vulnerabilities and provides recommendations to your company with clear, actionable remediation instructions to improve your overall security posture.

Network Penetration Testing

Attack surfaces have significantly increased with the explosion of cloud and IoT. NetSPI’s penetration testing supports you in identifying unauthorized access to your protected systems. Through a combination of External, Internal, and Wireless Network penetration testing, NetSPI can test your entire infrastructure.

Cloud Penetration Testing

Cloud penetration testing services will identify security gaps in your cloud infrastructure and provide you with actionable guidance for remediating vulnerabilities and improving your organization’s cloud security posture.

Adversarial Simulation

Companies continue to invest in security solutions, training, and managed service providers without fully testing their effectiveness. Let NetSPI help you assess those investments, and better understand where to spend time and money based on a true evaluation of your baseline detection and response capabilities. Adversarial simulation services can be customized to meet your needs and help you find the answers you’re looking for through Detective Control Reviews, Red Team Operations, & Social Engineering Engagements.

Continuous Penetration Testing

NetSPI’s Continuous Penetration Testing enhances your recurring deep-dive manual penetration tests with high-quality, low-cost touch points throughout the year. Scan Monster allows your networks and applications to be scanned at any rate you decide, with all asset and vulnerability information flowing directly into Resolve. All critical vulnerabilities are immediately escalated to NetSPI’s penetration testing team and verified within 48 hours.

Integrating Peach API Security into your existing continuous integration (CI) system ensures that your product development teams receive immediate feedback on the security of your latest release. Finding vulnerabilities earlier in the product development lifecycle saves you time, money, and reputation. Organizations use Peach API Security to reveal and correct vulnerabilities in their web APIs.

Be A Hero. Every Day.

Peach API Security acts as a man-in-the-middle proxy, capturing data sent from your traffic generator and the test target. Once captured, this data is fuzz tested using company’s advanced automated web API security tool. Peach API Security makes testing a breeze. It provides meaningful data so your development team can prioritize vulnerability fixes.

How It Works

Peach API Security performs a series of security checks against your web APIs based on requirements laid out in the OWASP Top-10. By leveraging the automated testing that your development team already performs (i.e. unit tests), Peach intelligently executes a series of fuzz and passive security tests. Once configured, interactions will primarily occur through your existing build-system interfaces. Coverage of REST, SOAP, and JSON RPC web APIs are all supported. Peach API Security intelligently executes a series of fuzz tests and passive security tests on your web APIs. Comprehensive test results empower your team to mitigate security vulnerabilities. Each uncovered vulnerability includes actionable data. Leverage the power of Peach for your DevOps team. Finding vulnerabilities earlier in the product development lifecycle saves you time, money, and reputation.

CI Integration

Peach was designed to seamlessly integrate into your existing CI systems. Implemented as a step in the build pipeline, Peach blocks deployment of builds that are not secure. The results of Peach’s security tests are returned to the CI system, ensuring developers don’t have to exit their current build tools.

Testing Profiles

Configurable testing profiles allow you to balance the depth of testing with the time available to test.
Common profiles include:

• Quick – Quick testing without fuzz testing, ideal for immediate results
• Nightly – Quick testing with fuzz testing, ideal for nightly builds and quick results
• Weekly – Complete testing, ideal for major product releases and complete test results

GENERATING TEST CASES

Peach API Security acts as a man-in-the-middle proxy, capturing traffic created by your existing automated testing. Once captured, this data is fuzzed by Peach and sent to the test target. Integrations with popular automated testing frameworks make capturing traffic easy. In addition, custom traffic generators using REST API, Java, .NET, and Python are all supported. SECURITY TESTING AND COMPLIANCE Peach API Security is a comprehensive testing tool that tests against the OWASP Top-10 and PCI Section 6.5. REPORTING
Comprehensive test results empower development teams to mitigate security weaknesses. Vulnerability data is automatically returned to your CI system. Faults are treated similarly to automation failures, blocking the release of a non-secure build. This enables developers to focus on fixing code, rather than making security decisions. Each vulnerability includes actionable data including:

• Fault Message Data – Used to efficiently find and mitigate vulnerabilities
• OWASP Mapping – Identifies which OWASP Top-10 requirement failed
• Exploitability Difficulty and Impact – Helping your team prioritize vulnerability fixed

Automated crawl and scan Coverage of over 100 generic vulnerabilities, such as SQL injection and cross-site scripting (XSS), with great performance against all vulnerabilities in the OWASP top 10. Different modes for scan speed, allowing fast, normal, and thorough scans to be carried out for different purposes. Scan exactly what you want. You can perform a full crawl and scan of an entire host, or a particular branch of the site content, or an individual URL. Support for numerous types of attack insertion points within requests, including parameters, cookies, HTTP headers, parameter names, and the URL file path. Support for nested insertion points allowing automatic testing of custom application data formats, such as JSON inside Base64 inside a URL-encoded parameter. Burp’s advanced application-aware crawler can be used to map out application contents, prior to automated scanning or manual testing. Use fine-grained scope-based configuration to control exactly what hosts and URLs are to be included in the crawl or scan. Automatic detection of custom not-found responses, to reduce false positives during crawling. Advanced scanning for manual testers View real-time feedback of all actions being performed during scanning. The active scan queue shows the progress of each item that is queued for scanning. The issue activity log shows a sequential record of all issues as they are added or updated. Use the active scanning mode to interactively test for vulnerabilities like OS command injection and file path traversal. Use the passive scanning mode to identify flaws such as information disclosure, insecure use of SSL, and cross-domain exposure. You can place manual insertion points at arbitrary locations within requests, to inform the Scanner about non-standard inputs and data formats. Burp Scanner can automatically move parameters between different locations, such as URL parameters and cookies, to help evade web application firewalls and other defenses.automatically move parameters You can fully control what gets scanned using live scanning as you browse. Each time you make a new request that is within your defined target scope, Burp automatically schedules the request for active scanning. Burp can optionally report all reflected and stored inputs, even where no vulnerability has been confirmed, to facilitate manual testing for issues like cross-site scripting. Different modes for scan accuracy, to optionally favor more false positives or negatives. Cutting-edge scanning logic Burp Scanner is designed by industry-leading penetration testers. Its advanced feedback-driven scanning logic is designed to reproduce the actions of a skilled human tester. Advanced crawling capabilities (including coverage of the latest web technologies such as REST, JSON, AJAX and SOAP), combined with its cutting-edge scanning engine, allow Burp to achieve greater scan coverage and vulnerability detection than other fully automated web scanners. Burp has pioneered the use of highly innovative out-of-band techniques to augment the conventional scanning model. The Burp Collaborator technology allows Burp to detect server-side vulnerabilities that are completely invisible in the application’s external behavior, and even to report vulnerabilities that are triggered asynchronously after scanning has completed. Out of band techniques The Burp Infiltrator technology can be used to perform interactive application security testing (IAST) by instrumenting target applications to give real-time feedback to Burp Scanner when its payloads reach dangerous APIs within the application. Burp Scanner includes a full static code analysis engine for detection of security vulnerabilities within client-side JavaScript, such a DOM-based cross-site scripting. Burp’s scanning logic is continually updated with enhancements to ensure it can find the latest vulnerabilities and new edge cases of existing vulnerabilities. In recent years, Burp has been the first scanner to detect novel vulnerabilities pioneered by the Burp research team, including template injection and path-relative stylesheet imports. Clear and detailed presentation of vulnerabilities The target site map shows all of the content that has been discovered in sites being tested. Content is presented in a tree view that corresponds to the sites’ URL structure. Selecting branches or nodes within the tree shows a listing of individual items, with full details including requests and responses where available. The sitemap also shows the vulnerabilities that have been identified. Icons in the site tree allow vulnerable areas of the target to be quickly identified and explored. Vulnerabilities are rated for severity and confidence to help decision makers focus quickly on the most significant issues.

Identify application risks quickly and painlessly With InsightAppSec, there’s no installation of on-premise components required—just log in and start scanning. The intuitive workflows make it easy for you to test your applications without the steep learning curve. Simple doesn’t mean less powerful though—scans in InsightAppSec can be configured to meet your testing needs and ensure comprehensive coverage of your applications. Scan coverage in modern applications and APIs can be a problem for some DAST tools, but InsightAppSec’s scan engine has been developed with these challenges in mind and proven to overcome them. You’ll not only save time thanks to the easy-to-learn interface, you’ll also avoid the time-consuming training that other DAST tools require in order to get good coverage of your applications. Although InsightAppSec lives in the cloud, it can also scan your internal apps (like pre-production instances), with a scan engine deployed on premise. All your results are stored in the cloud, so that you have a single view of all your application vulnerabilities. With InsightAppSec, you can:

• Get up and running in minutes

• Crawl and attack your modern applications and APIs

• Scan external and internal applications

Manage your app portfolio at a glance
Web applications these days are rarely monolithic. They have complex multi-component architectures (like decoupled front ends that interface with micro-services that transact with the backend), as well as multiple instances (like development, pre-production, and production). InsightAppSec provides the flexibility to configure scans to optimize coverage and testing for each individual aspect of an application, whether it’s an API or a Single Page Application (SPA) front end.
Even though the components may be completely different technologies, to your organization they are still considered parts of the same application, which is why InsightAppSec is designed to group scan targets into application portfolios. All scans for an application, its components, and instances appear in a single application portfolio view, making scan management simple. The Live Vulnerability View provides a single, concise view of scan results for an application portfolio and displays an always up-to-date listing of vulnerabilities detected in your app portfolios. With rich historical information provided for each vulnerability, you’ll have the context to make critical prioritization decisions.
With InsightAppSec, you can:

• Group scan targets into application portfolios

• View all vulnerabilities across multiple scans and scan targets in a single view

• Use Live Vulnerability View to quickly filter down results and dynamically assign status and severity to reflect your priorities

Share actionable insights resulting in the right fix
Exposing application security vulnerabilities is a vital step towards reducing your application security risk. Managing that risk also requires keeping various stakeholders informed and arming your development teams with the actionable information they need to fix vulnerabilities. InsightAppSec provides detailed technical information on each identified vulnerability along with recommendations to remediate it. Reports can be custom-tailored for the audience, whether it be executive stakeholders who need an at-a-glance overview of application security risk, or developers who need technical details to remediate. The Attack Replay feature also empowers developers to confirm vulnerabilities on their own. Static reports aren’t always enough to prove to development that a vulnerability exists; Attack Replay makes it possible for developers to reproduce the issue on their own, and after a fix is implemented, test it immediately.
With InsightAppSec, you can:

• Take action by leveraging detailed explanations of vulnerabilities, with technical details and remediation recommendations

• Generate tailored reports of vulnerabilities for various business stakeholders

• Empower developers with Attack Replay so they can confirm vulnerabilities on their own and test their fixes immediately

The First Cyber Security Testing Platform

What is Swascan?

The platform allows to Identify,analyze and solve Cyber Security vulnerabilities and critical issues discovered on business assets. The first cloud based suite that allows you to:

• identify
• analyze
• solve

Vulnerability Assessment

The Web App Scan is the automated service that scans for Web Vulnerabilities, this service identifies security vulnerabilities and criticalities of websites and web applications. A Vulnerability analysis is necessary to quantify risk levels and to provide the corrective actions needed for the remediation activity.

• Web Application Scan
• OWASP
• Security Testing
• Reporting

Network Scan

Network Scan is the automated Network Vulnerability Scan service.This tool scans the infrastructure and the devices on it to identify security vulnerabilities and criticalities.The Vulnerability analysis is necessary to quantify risk levels and to provide the corrective actions needed for the remediation activity.

• Network Scan
• Security Testing
• Compliance
• Reporting

Code Review

Code Review is the automated tool for the static analysis of the source code. The Source Code analysis is aprocess that through the source code analysis of applications verifies the presence and effectiveness of minimum security standards.Code verification is useful to be sure that the target application has been developed in order to“auto-defend”itself in its own environment.

• Security Code Review
• Static Code Analysis
• Compliance
• Reporting

GDPR Assessment

GDPR Assessment is the Online Tool that allows companies to verify and measure their GDPR(General Data Protection Regulation–EU 2016/679)Compliance level.Swascan’s GDPR assessment tool provides guidelines and suggest corrective actions to implement terms Organization,Policy,Staff,Technology and Control Systems.

• GDPR Self Assessment
• GDPR Gap Analysis
• Compliance
• Reporting

On Premise

Swascan On premise is the Cyber Security Testing Platform which allows to identify,  analyze and solve all the vulnerabilities related to Corporate IT Assets in terms of websites,  web applications,  network and source code. It is an All-in-One platform that includes Web Application Vulnerability Assessment,Network Vulnerability Scan and Source Code Analysis services.

• On Premise
• Cyber Security Testing
• Ensures the Technologic Risk Assessment
• Compliance

Embed security and validate compliance With daily updates in a Kubernetes environment, it’s easy for new vulnerabilities to be introduced and applications to fall out of compliance. It can take days or weeks to detect and respond to container specific attacks, leaving your company open to data breaches and compliance fines. Teams don’t know how to get started easily with existing tools and struggle to plug them into their DevOps workflow. Ultimately, security and compliance can slow down application delivery. Built for Kubernetes and Container Security You need to automate and merge security and compliance into the DevOps workflow. Your tool of choice should provide core workflows that address security requirements across all stages of the Kubernetes lifecycle while integrating with your existing tools. Sysdig Secure Sysdig Secure embeds Kubernetes security and compliance into the build, run, and respond stages of the application lifecycle. Now, you can identify vulnerabilities, check compliance, block threats, and respond faster. This is powered by the open-source cloud native runtime security project called Falco. Features:

• Image Scanning. Scan container images in the CI/CD pipeline and block vulnerabilities before they reach production.
• Compliance. Validate compliance against standards like PCI, NIST, and SOC2 across the lifecycle of containers and Kubernetes
• Runtime Security. Detect and block attacks, combining deep visibility into system calls with Kubernetes metadata, labels, and audit events.
• Forensics and Audit. Record a snapshot of pre- and post-attack activity through system calls.

Monitoring

• Set up automated scans in minutes.

Simply enter your web app’s URL, choose your scan level and frequency, and schedule your scan to run.

• Reduce web-based risks.

Find and patch security issues in your web apps on a routine basis to reduce the risk of a web-based attack.

• Stay in compliance.

Monitoring module helps you fulfill security requirements in compliance frameworks such as PCI DSS, HIPAA, and SOC 2.

50% of SMBs have experienced a web-based attack.

According to Ponemon Institute’s most recent Global State of Cybersecurity in SMBs, web-based attacks are the second most common cyberattack experienced by SMBs. Hackers take advantage of web vulnerabilities, outdated software, and configuration errors to infiltrate your web applications and gain access to sensitive data. Securing your web applications, which includes your public-facing website as well as any web applications your customers might log into, is imperative to keeping your business and your customers’ data safe.

Protect your web applications from hackers 

Web app vulnerability scanners look for weaknesses in your web apps so they can be fixed before they’re exploited by hackers. Zeguro’s Monitoring module makes web app scanning quick, easy, and customizable. Choose between lightning and normal scan levels and a monthly or quarterly cadence. You can even schedule your scan for a specific day and time. Once scans are completed, you’ll get clear, actionable results. The downloadable report prioritizes vulnerabilities based on criticality, and includes evidence showing where each vulnerability exists along with a set of suggested fixes.

Protect your business through people, process, and technology. With Zeguro Cyber Safety, you will also get access to:

• Training

Improve employee cybersecurity awareness. Zeguro’s Training module provides a cybersecurity skills assessment for all enrolled employees at your company, and targeted training based on each employee’s strengths and weaknesses.

• Security Policies

Get security policy templates that cover important areas required in many compliance frameworks like PCI DSS and HIPAA. Need policies outside of template package? Upload custom policies so you can conveniently manage all your policies and download to share with auditors, business partners, and employees.

• Insurance

Cyber insurance provides an additional safety net in the event of a breach. Cyber Safety platform users enjoy discounted rates on our insurance, which is tailored to your business’ unique risk profile.