SlideShare a Scribd company logo

Optimizing Your Application Security Program with Netsparker and ThreadFix

Denim Group, profile picture
Denim Group

The document discusses the integration of Netsparker and Threadfix to enhance application security through automated scanning and vulnerability management. Netsparker provides a cloud-based and desktop solution that identifies security issues, while Threadfix consolidates and prioritizes vulnerabilities for developers. Together, they enable rapid identification and remediation of potential threats, significantly improving web application security in under 24 hours.

Technology
1 of 28
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
© 2016 Denim Group – All Rights Reserved Optimizing Your Application Security Program with Netsparker and ThreadFix October 19, 2016 Ferruh Mavituna Product Architect and CEO, Netsparker Ltd. Dan Cornell CTO, Denim Group
© 2016 Denim Group – All Rights Reserved Agenda • State of Application Security • Netsparker Overview • ThreadFix Overview • ThreadFix / Netsparker Integration 1
© 2016 Denim Group – All Rights Reserved 2
© 2016 Denim Group – All Rights Reserved Netsparker automatically finds and reports security issues in web sites and web services. Automated Web Application Security Netsparker Desktop Windows only software, easy to install and use. Netsparker Cloud SaaS version of Netsparker. Uses the very same engine, scalable and comes with enterprise features. 3
© 2016 Denim Group – All Rights Reserved Netsparker Desktop Windows Software It simulates a real attacker to find vulnerabilities in web applications automatically. Allows users to carry out advanced security tasks and especially useful for security consultants and in house security teams. 4
© 2016 Denim Group – All Rights Reserved Supports Authentication Netsparker’s Core Features Ease of Use Supports Modern Web Proof Based Scanning Integrated Exploitation Supports Mobile/Web Services uniquefeature 5
© 2016 Denim Group – All Rights Reserved Netsparker Cloud Netsparker Cloud Netsparker – Scalable, can scan thousands of websites within hours. Designed for enterprises, big teams and big datasets in mind. API for integrating with other solutions, internal products. On-premises or managed. Scalable Designed for Enterprise API uniquefeature 6
© 2016 Denim Group – All Rights Reserved Security Testing Process 7
© 2016 Denim Group – All Rights Reserved Automated Security Testing Process 2 3 Configure Custom 404, Authentication, URL Rewrite Rules etc.1 Configure and Start the Scan If there is a Local File Inclusion, exploit it safely to see that LFI is real and not a False Positive, if it’s SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives. Check if the results are correct Prioritize important issues, communicate with the developers and make necessary changes. Deploy the new version of the application and Re- test. Take Action 8
© 2016 Denim Group – All Rights Reserved Process with Netsparker & ThreadFix 2 3 URL Rewrite, will be discovered dynamically, Custom 404 will be handled automatically, authentication only requires you to enter URL, username and password. Supports SPA (Single Page Applications) automatically. 1 Start your scan quickly Netsparker will give you the proof Now you know which vulnerabilities are real, without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process. Now import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives! Take Action Proof Based Scanning Get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database, if there is a LFI, Netsparker will give you a file from the target system etc. This applies to all direct impact vulnerabilities. 9
© 2016 Denim Group – All Rights Reserved Proof Based Scanning False Positive or not? 10
© 2016 Denim Group – All Rights Reserved A scanner you can { } 11
© 2016 Denim Group – All Rights Reserved Scalability How can you scan 1,000 applications? More importantly how can you address 10,000 issues in these applications? 12
© 2016 Denim Group – All Rights Reserved Netsparker Cloud & ThreadFix In 24 Hours you can find & hot-patch 10,000 vulnerabilities Netsparker Cloud can scan thousands of websites under 24 hours. API Import the results to ThreadFix Because results will be clearly flagged as CONFIRMED and 100% real, now you can just generate WAF rules without worrying about False Positives. Congratulations you have improved the state of your web application security significantly just under 24 hours. You still need to fix all these issues and not rely on WAF but the improvement will be huge. 13
© 2016 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Reduce risk and provide protection via virtual patching • Translate vulnerabilities to developers in the tools they are already using 14
© 2016 Denim Group – All Rights Reserved ThreadFix Overview 15
© 2016 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities 16
© 2016 Denim Group – All Rights Reserved Application Portfolio Tracking 17
© 2016 Denim Group – All Rights Reserved Vulnerability Import 18
© 2016 Denim Group – All Rights Reserved Vulnerability Consolidation 19
© 2016 Denim Group – All Rights Reserved Prioritize application risk decisions based on data 20
© 2016 Denim Group – All Rights Reserved Vulnerability Prioritization 21
© 2016 Denim Group – All Rights Reserved Reporting and Metrics 22
© 2016 Denim Group – All Rights Reserved Reduce risk and provide protection via virtual patching 23
© 2016 Denim Group – All Rights Reserved WAF Virtual Patching 24
© 2016 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using 25
© 2016 Denim Group – All Rights Reserved Defect Tracker Integration 26
© 2016 Denim Group – All Rights Reserved Questions and Contact ThreadFix www.threadfix.it Netsparker www.netsparker.com 27

More Related Content

PDF
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
PDF
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
PDF
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
PDF
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
PDF
Clear AppSec Visibility with AppSpider and ThreadFix
Denim Group
 
PDF
Achieving Software Assurance with Hybrid Analysis Mapping
Denim Group
 
PDF
What a locked down law firm looks like updated
Denim Group
 
PDF
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
Clear AppSec Visibility with AppSpider and ThreadFix
Denim Group
 
Achieving Software Assurance with Hybrid Analysis Mapping
Denim Group
 
What a locked down law firm looks like updated
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 

What's hot (20)

PDF
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
PDF
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
PDF
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
PDF
Waratek ISACA Webinar
Waratek Ltd
 
PPSX
Waratek presentation for RANT November 2016
Waratek Ltd
 
PDF
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Ltd
 
PDF
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
PDF
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
PDF
Structuring and Scaling an Application Security Program
Denim Group
 
PDF
Waratek overview 2016
Waratek Ltd
 
PDF
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
PPTX
Empowering Application Security Protection in the World of DevOps
IBM Security
 
PDF
Secure DevOps with ThreadFix 2.3
Denim Group
 
PDF
SecDevOps: Development Tools for Security Pros
Denim Group
 
PDF
Running a Software Security Program with Open Source Tools
Denim Group
 
PDF
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
PDF
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
PDF
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
PDF
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Waratek ISACA Webinar
Waratek Ltd
 
Waratek presentation for RANT November 2016
Waratek Ltd
 
Waratek Securing Red Hat JBoss from the Inside Out
Waratek Ltd
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Structuring and Scaling an Application Security Program
Denim Group
 
Waratek overview 2016
Waratek Ltd
 
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Secure DevOps with ThreadFix 2.3
Denim Group
 
SecDevOps: Development Tools for Security Pros
Denim Group
 
Running a Software Security Program with Open Source Tools
Denim Group
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Ad

Viewers also liked (15)

PPT
Guvenli Flash Uygulamalari
Ferruh Mavituna
 
PPT
Web 2.0 Guvenlik Trendleri
Ferruh Mavituna
 
PDF
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Netsparker Türkiye
 
DOC
POC-Netsparker
Raj Sawant
 
PDF
One Click Ownage Ferruh Mavituna (3)
Ferruh Mavituna
 
PDF
Application Security Management with ThreadFix
Virtual Forge
 
PDF
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
Netsparker Türkiye
 
PDF
Tutorial Hacker
zihoenie
 
PPT
How To Detect Xss
Ferruh Mavituna
 
PPTX
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
PDF
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
PDF
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
PDF
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
PDF
Web Servislerinin Hacklenmesi, Ömer Çıtak
Netsparker Türkiye
 
PPSX
Web Tarayıcılarının Evrimi
Ferruh Mavituna
 
Guvenli Flash Uygulamalari
Ferruh Mavituna
 
Web 2.0 Guvenlik Trendleri
Ferruh Mavituna
 
Laravel ile Hızlı ve Modern Web Programlama, Ömer Çıtak
Netsparker Türkiye
 
POC-Netsparker
Raj Sawant
 
One Click Ownage Ferruh Mavituna (3)
Ferruh Mavituna
 
Application Security Management with ThreadFix
Virtual Forge
 
OWTG 2016, Web Çatı Şablonlarının Güvenliği (SSTI), Ömer Çıtak
Netsparker Türkiye
 
Tutorial Hacker
zihoenie
 
How To Detect Xss
Ferruh Mavituna
 
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
Web Servislerinin Hacklenmesi, Ömer Çıtak
Netsparker Türkiye
 
Web Tarayıcılarının Evrimi
Ferruh Mavituna
 
Ad

Similar to Optimizing Your Application Security Program with Netsparker and ThreadFix (20)

PDF
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
PPTX
Thread Fix Tour Presentation Final Final
Robin Lutchansky
 
PDF
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
PDF
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
PDF
Application Asset Management with ThreadFix
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
PPTX
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
PDF
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
PDF
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
PDF
ThreadFix 2.5 Webinar
Denim Group
 
PPTX
Netsparker - Hosting Zirvesi 2010
Onur YILMAZ
 
PDF
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
PDF
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
PDF
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
PDF
DACHNUG50 HCL BigFix_Keynote.pdf
DNUG e.V.
 
PDF
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
PDF
HCL BigFix - DNUG Stammtisch Salzburg
DNUG e.V.
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Thread Fix Tour Presentation Final Final
Robin Lutchansky
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
Application Asset Management with ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
ThreadFix 2.5 Webinar
Denim Group
 
Netsparker - Hosting Zirvesi 2010
Onur YILMAZ
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
DACHNUG50 HCL BigFix_Keynote.pdf
DNUG e.V.
 
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
HCL BigFix - DNUG Stammtisch Salzburg
DNUG e.V.
 

More from Denim Group (20)

PDF
Long-term Impact of Log4J
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
PDF
OWASP San Antonio Meeting 10/2/20
Denim Group
 
PDF
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
Enumerating Enterprise Attack Surface
Denim Group
 
PDF
Enumerating Enterprise Attack Surface
Denim Group
 
PDF
An OWASP SAMM Perspective on Serverless Computing
Denim Group
 
PDF
Application Security Testing for a DevOps Mindset
Denim Group
 
PDF
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 
PDF
Securing Voting Infrastructure before the Mid-Term Elections
Denim Group
 
PDF
Threat Modeling for IoT Systems
Denim Group
 
PDF
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 
PDF
How to Integrate AppSec Testing into your DevOps Program
Denim Group
 
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Denim Group
 
Enumerating Enterprise Attack Surface
Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
Denim Group
 
Application Security Testing for a DevOps Mindset
Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Denim Group
 
Threat Modeling for IoT Systems
Denim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 
How to Integrate AppSec Testing into your DevOps Program
Denim Group
 

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 

Optimizing Your Application Security Program with Netsparker and ThreadFix

  • 1. © 2016 Denim Group – All Rights Reserved Optimizing Your Application Security Program with Netsparker and ThreadFix October 19, 2016 Ferruh Mavituna Product Architect and CEO, Netsparker Ltd. Dan Cornell CTO, Denim Group
  • 2. © 2016 Denim Group – All Rights Reserved Agenda • State of Application Security • Netsparker Overview • ThreadFix Overview • ThreadFix / Netsparker Integration 1
  • 3. © 2016 Denim Group – All Rights Reserved 2
  • 4. © 2016 Denim Group – All Rights Reserved Netsparker automatically finds and reports security issues in web sites and web services. Automated Web Application Security Netsparker Desktop Windows only software, easy to install and use. Netsparker Cloud SaaS version of Netsparker. Uses the very same engine, scalable and comes with enterprise features. 3
  • 5. © 2016 Denim Group – All Rights Reserved Netsparker Desktop Windows Software It simulates a real attacker to find vulnerabilities in web applications automatically. Allows users to carry out advanced security tasks and especially useful for security consultants and in house security teams. 4
  • 6. © 2016 Denim Group – All Rights Reserved Supports Authentication Netsparker’s Core Features Ease of Use Supports Modern Web Proof Based Scanning Integrated Exploitation Supports Mobile/Web Services uniquefeature 5
  • 7. © 2016 Denim Group – All Rights Reserved Netsparker Cloud Netsparker Cloud Netsparker – Scalable, can scan thousands of websites within hours. Designed for enterprises, big teams and big datasets in mind. API for integrating with other solutions, internal products. On-premises or managed. Scalable Designed for Enterprise API uniquefeature 6
  • 8. © 2016 Denim Group – All Rights Reserved Security Testing Process 7
  • 9. © 2016 Denim Group – All Rights Reserved Automated Security Testing Process 2 3 Configure Custom 404, Authentication, URL Rewrite Rules etc.1 Configure and Start the Scan If there is a Local File Inclusion, exploit it safely to see that LFI is real and not a False Positive, if it’s SQL Injection, safely read data from the database. Repeat this for every vulnerability to eliminate false positives. Check if the results are correct Prioritize important issues, communicate with the developers and make necessary changes. Deploy the new version of the application and Re- test. Take Action 8
  • 10. © 2016 Denim Group – All Rights Reserved Process with Netsparker & ThreadFix 2 3 URL Rewrite, will be discovered dynamically, Custom 404 will be handled automatically, authentication only requires you to enter URL, username and password. Supports SPA (Single Page Applications) automatically. 1 Start your scan quickly Netsparker will give you the proof Now you know which vulnerabilities are real, without spending any more time on them, pass them to your development team to start addressing these issues immediately. You don’t want to leave your website exposed during this process. Now import these issues into ThreadFix and generate rules for your WAF without worrying about False Positives! Take Action Proof Based Scanning Get the results with proof. If there is a SQL Injection, Netsparker will extract some data from the target web application’s database, if there is a LFI, Netsparker will give you a file from the target system etc. This applies to all direct impact vulnerabilities. 9
  • 11. © 2016 Denim Group – All Rights Reserved Proof Based Scanning False Positive or not? 10
  • 12. © 2016 Denim Group – All Rights Reserved A scanner you can { } 11
  • 13. © 2016 Denim Group – All Rights Reserved Scalability How can you scan 1,000 applications? More importantly how can you address 10,000 issues in these applications? 12
  • 14. © 2016 Denim Group – All Rights Reserved Netsparker Cloud & ThreadFix In 24 Hours you can find & hot-patch 10,000 vulnerabilities Netsparker Cloud can scan thousands of websites under 24 hours. API Import the results to ThreadFix Because results will be clearly flagged as CONFIRMED and 100% real, now you can just generate WAF rules without worrying about False Positives. Congratulations you have improved the state of your web application security significantly just under 24 hours. You still need to fix all these issues and not rely on WAF but the improvement will be huge. 13
  • 15. © 2016 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Reduce risk and provide protection via virtual patching • Translate vulnerabilities to developers in the tools they are already using 14
  • 16. © 2016 Denim Group – All Rights Reserved ThreadFix Overview 15
  • 17. © 2016 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities 16
  • 18. © 2016 Denim Group – All Rights Reserved Application Portfolio Tracking 17
  • 19. © 2016 Denim Group – All Rights Reserved Vulnerability Import 18
  • 20. © 2016 Denim Group – All Rights Reserved Vulnerability Consolidation 19
  • 21. © 2016 Denim Group – All Rights Reserved Prioritize application risk decisions based on data 20
  • 22. © 2016 Denim Group – All Rights Reserved Vulnerability Prioritization 21
  • 23. © 2016 Denim Group – All Rights Reserved Reporting and Metrics 22
  • 24. © 2016 Denim Group – All Rights Reserved Reduce risk and provide protection via virtual patching 23
  • 25. © 2016 Denim Group – All Rights Reserved WAF Virtual Patching 24
  • 26. © 2016 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using 25
  • 27. © 2016 Denim Group – All Rights Reserved Defect Tracker Integration 26
  • 28. © 2016 Denim Group – All Rights Reserved Questions and Contact ThreadFix www.threadfix.it Netsparker www.netsparker.com 27