We're delighted to announce the release of Invicti Enterprise On-Premises 2.3 (previously Netsparker Enterprise). The new release comes with a variety of updates and enhancements, most notably a new brand identity, Node.js IAST checks, an all-new Software Composition Analysis feature, support for GraphQL APIs, and an improved Authentication Verifier. We've also added many new security checks, improvements, and fixes.
Netsparker is now Invicti
We've renamed our flagship product Netsparker to Invicti. To reflect this rebranding, we've updated the user interface. From the login page to the links for getting more information, the application now carries the Invicti brand.
For more information on this important change, see A new era for modern application security: Netsparker is now Invicti.
Node.js sensor for Invicti Shark IAST
We've expanded the capabilities of our IAST module by adding a Node.js sensor to deliver additional insights when scanning modern applications with JavaScript on the server side.
To use the new capability, you simply install a dedicated IAST agent in your Node.js application environment. Once deployed, the agent provides the main DAST scanner with additional information about application behavior during vulnerability testing.
For further information, see Invicti adds IAST support for Node.js. To deploy the sensor, see Deploying Invicti Shark for Node.js.
Bridge URL and Shark token support for Invicti Shark IAST
In addition to the Node.js support, we've also added support for a bridge URL and Shark tokens in Invicti IAST.
- Shark tokens are now used to secure communication between the Invicti scanner and the IAST agent. A unique token is automatically generated for each installation of the Shark agent. The token is mandatory for using Invicti Shark IAST.
- The IAST bridge is used to relay information from the Shark agent to the Invicti scanning engine. Specifying a bridge URL is mandatory for the Java and Node.js sensors. You can use the default URL or set up your own bridge. For more information, see Deploying Shark (IAST) in Netsparker Enterprise On-Premises.
Software Composition Analysis (SCA)
We've added the ability to run software composition analysis from Invicti Enterprise. With the Shark IAST agent installed, Invicti can now detect the components and technologies used in your web application. It tracks their use and reports any issues, such as whether any of the technologies are out of date or whether a specific version has known issues.
For further information, see Software Composition Analysis with Invicti Shark (IAST).
Support for scanning GraphQL APIs
We now support scanning GraphQL-based application programming interfaces (APIs). You can import a GraphQL schema into Invicti Enterprise and scan it to identify vulnerabilities.
Initially developed by Facebook in 2012 and publicly released in 2015, GraphQL was designed to provide a database-like query language for APIs. Having a query language makes it easier and faster to get specific data from a server to a client via a single API call. Despite some built-in data validation and type checking, GraphQL still has security shortcomings that attackers can exploit to access sensitive data.
With this update, you can specify your GraphQL schemas in scan profiles to identify GraphQL vulnerabilities.
For further information about GraphQL and its attack vectors, see our blog post Introduction to GraphQL API security. For support information on setting up GraphQL scans, see Scanning a GraphQL API for vulnerabilities.
Improvements to the Authentication Verifier agent
We've improved the Authentication Verifier agent. The new version provides better performance for single-page applications, is less resource-intensive, and comes with an auto-update feature. You can now also install multiple verifier agents.
Using the new version of the Authentication Verifier requires re-installation. If you have older versions in your environment and want to install the new, improved version, you'll need to remove the old versions first. For further information, see Authentication Verifier Settings.
Please note that the authentication verifier agent is an optional component. If you are scanning a website that requires form-based authentication, we strongly recommend that you download and install an authentication verifier agent. This internal agent assists in the authentication process to ensure that you can run authenticated scans in your network.
New OWASP reports
We've added two new OWASP reports: OWASP API Top Ten Report and OWASP Top Ten 2021.
OWASP API Top Ten
The Open Web Application Security Project (OWASP) API Top 10 2019 is a list of the top security concerns specific to web Application Programming Interface (API) security.
APIs are a critical part of modern mobile apps, Software as a Service (SaaS) products, and web applications. Because APIs directly expose application logic and sensitive data, they've become a prime target for attackers. While general web application security best practices still apply to APIs, the OWASP API Security project has prepared a list of the top 10 security risks specific to web API security.
For further information, see OWASP API Top Ten 2019 Report.
OWASP Top Ten 2021
The OWASP Top Ten 2021 Report helps you test for the most dangerous web application security weaknesses.
Since the first edition in 2003, the list of the top ten application security risks has reflected industry trends, web technologies, and the threat landscape. With the OWASP Top Ten 2021 Report, you can identify common weaknesses that could be present in your web application environment and exploited by malicious attackers.
For further information, see OWASP Top Ten 2021 Report.
FIPS compliance
We've updated the .NET Framework version used by Invicti Enterprise from 4.7.2 to 4.8. With this change, Invicti has become compatible with the Federal Information Processing Standard (FIPS) 140-2.
In practice, this means you can now run Invicti smoothly on machines where the FIPS policy is enabled. More specifically, when you run or install Invicti on a machine with the FIPS policy enabled, the policy doesn't interfere in any way with the operating state of the software. Additionally, no error event log entries are recorded.
For further information, see Invicti's approach to FIPS.
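A preflight check for the two environment conditions described above, added here as an example and not part of Invicti's own tooling or documentation. It assumes a Windows host run under Windows PowerShell 5.1 (which itself runs on .NET Framework), and reads the FIPS policy flag and the .NET Framework release number from their standard registry locations:

```powershell
# Added example (not Invicti's code): confirm that the host has the FIPS policy
# enabled and a .NET Framework 4.8 or later runtime before deploying 2.3.

# Windows stores the system-wide FIPS policy flag here (0 = off, 1 = on).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$fipsEnabled = ($fipsValue -eq 1)

# The .NET Framework 4.x installer records a 'Release' number under this key;
# 528040 or higher indicates 4.8 or later (4.7.2 reports a lower number).
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
$hasNet48 = ($null -ne $release) -and ($release -ge 528040)

[pscustomobject]@{
    FipsPolicyEnabled = $fipsEnabled
    DotNetRelease     = $release
    DotNet48OrLater   = $hasNet48
} | Format-List

if ($fipsEnabled -and -not $hasNet48) {
    Write-Warning 'FIPS policy is enabled but .NET Framework 4.8 is not installed; install 4.8 first.'
}

# Runtime check: with the FIPS policy enforced, .NET Framework refuses to construct
# the purely managed hash implementations (the *Managed classes) and throws
# InvalidOperationException. Observing that behaviour confirms the policy is live,
# which is the situation the release notes above say Invicti 2.3 now handles.
try {
    [System.Security.Cryptography.SHA256Managed]::new() | Out-Null
    'Runtime check: managed algorithm allowed (FIPS policy not enforced by the runtime)'
} catch {
    $base = $_.Exception.GetBaseException()
    if ($base -is [System.InvalidOperationException]) {
        'Runtime check: managed algorithm rejected (FIPS policy enforced by the runtime)'
    } else {
        throw
    }
}
```

If you run this under PowerShell 7 (.NET Core/.NET 5+), the registry checks still apply but the runtime check is not meaningful, because newer runtimes do not enforce the FIPS policy on managed algorithms the way .NET Framework does.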
WCAG compliance
At Invicti, we've adopted the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA as our standard and goal. This enables better innovation, easier collaboration, and a much more inclusive work environment.
As one of the few AppSec testing tools with WCAG 2.1 AA compliance, we're committed to investing the time and resources necessary to maintain that standard. This means making sure we build accessibility into all of our new Invicti Enterprise product features and consistently monitoring the W3C for updates.
For further information, see Invicti Enterprise achieves WCAG 2.1 accessibility compliance.
Further information
For a complete list of what's new, improved, and fixed in this update, refer to the Invicti Enterprise Changelog.