Mark Ralls of Invicti on a defining new era of web application security
Cybersecurity company Invicti was born out of the 2018 merger of Netsparker and Acunetix, bringing together nearly a decade and a half of success from each company. Based in the United States, the company has committed to a single specialization: web application security.
We spoke with Invicti President and COO Mark Ralls about web application security, vulnerability management, false positives, and why businesses need to rethink vulnerability scanning.
“These apps make more use of APIs, so it’s much more difficult to secure them. Invicti has gone through this evolution and our whole process has been to invest and maintain a strong focus on securing web applications. That’s all we do, and we do it well,” says Ralls.
One of the main areas of business focus is vulnerability management and vulnerability scanning, both of which have traditionally been viewed as a problem for IT and security teams alone.
“Imagine this: a medium-sized business like a bank could have 100 applications. A vulnerability scan can detect 10 vulnerabilities per application. There are now 1,000 vulnerabilities that security teams must investigate. They can’t fix anything because they have to go back to the appropriate developers.”
“When false positives emerge and developers spend time investigating these metrics, it wastes their time. And that creates friction between development and security.”
He adds, “When we spoke to customers, we found that a security professional can take an average of an hour to manually check a single vulnerability. Multiply that by 1,000 vulnerabilities, and it’s an incredible amount of work in a short period of time.”
“Of all the vulnerabilities detected, 20% could be false positives, but which 20%? The 1,000 vulnerabilities must therefore be studied to find the 200 which may be false positives.”
It’s tempting to err on the side of caution: companies would rather encounter a false positive than a false negative that turns out to be an exploitable vulnerability, one that could cause significant problems or a data breach.
So what should organizations do? Spend thousands of hours investigating every reported vulnerability to rule out any possibility of a data breach? It is a stark dilemma.
Invicti founder Ferruh Mavituna came from a background in penetration testing and security consulting, so he understood these challenges. He took the pattern-matching intuition he had built up as a penetration tester and applied it to a tool that scans for vulnerabilities without causing harm. It was the dawn of evidence-based scanning.
“This is what Invicti started to build from the start, in 2006. Ferruh built a platform capable of showing potential violations, a proof of concept, and then delivering actionable results to support remediation.”
Returning to the idea of 1,000 vulnerabilities, Ralls explains that automated evidence-based scanning can route a confirmed vulnerability directly to a developer, so security teams don’t need to examine it first.
“This process can be fine-tuned, but the fundamental point is that teams don’t waste 1,000 hours manually looking for vulnerabilities that could be exploited and reporting false positives. There may be a small fraction that is not confirmed by a perfect scan, but now the team may only need to check 50 vulnerabilities instead of 1,000.”
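As an added illustration of the difference between pattern matching and evidence-based confirmation (this is not Invicti's code and says nothing about how its scanner is built), the Python sketch below runs a signature-only detector and a confirmation step against a constructed in-memory target. The target, its two endpoints, the error signatures and the probe payloads are all hypothetical; the point is that the decoy page trips the signature check, while only the injectable endpoint survives the step that demands a reproducible proof.

```python
"""Evidence-based confirmation of scanner findings versus plain pattern matching.

Constructed example: an in-memory "web app" with one injectable endpoint and
one decoy page, a signature-only detector that flags both, and a confirmation
step that reports a finding only when it can reproduce the flaw deterministically.
"""
import sqlite3
from dataclasses import dataclass, field

# Constructed target application (hypothetical; stands in for an HTTP server).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (name TEXT)")
_db.executemany("INSERT INTO products VALUES (?)",
                [("apple",), ("banana",), ("cherry",)])

# Strings a signature-only scanner would treat as proof of SQL injection.
ERROR_SIGNATURES = ("OperationalError", "SQL syntax")


def target(path: str, q: str) -> str:
    """Simulated GET handler: returns the response body for `path?q=<q>`."""
    if path == "/search":
        # Deliberately vulnerable: the parameter is concatenated into the query.
        try:
            rows = _db.execute(
                f"SELECT name FROM products WHERE name LIKE '%{q}%'"
            ).fetchall()
        except sqlite3.Error as exc:
            return f"<h1>Error</h1><pre>sqlite3.OperationalError: {exc}</pre>"
        return "<ul>" + "".join(f"<li>{name}</li>" for (name,) in rows) + "</ul>"
    if path == "/docs":
        # Decoy: a static help page that merely mentions an error string, so a
        # signature-only scanner reports it although nothing here is injectable.
        return ("<p>If you see sqlite3.OperationalError in the logs, "
                "check your SQL syntax.</p>")
    return "<h1>404</h1>"


@dataclass
class Finding:
    path: str
    method: str                  # "pattern" or "evidence"
    confirmed: bool
    evidence: list = field(default_factory=list)  # (payload, response excerpt)


def pattern_scan(paths):
    """Signature-only detection: send a lone quote, flag any error-looking body."""
    findings = []
    for path in paths:
        body = target(path, "'")
        if any(sig in body for sig in ERROR_SIGNATURES):
            findings.append(Finding(path, "pattern", False, [("'", body[:80])]))
    return findings


def confirm_sqli(path: str) -> Finding:
    """Boolean-based confirmation.

    A TRUE condition must leave the page identical to the baseline and a FALSE
    condition must change it, with neither probe producing an error. The
    trailing '--' comments out the remainder of the original query.
    """
    baseline = target(path, "a")
    true_body = target(path, "a%' AND 1=1 --")
    false_body = target(path, "a%' AND 1=2 --")
    errored = any(sig in body for body in (true_body, false_body)
                  for sig in ERROR_SIGNATURES)
    confirmed = (not errored
                 and true_body == baseline
                 and false_body != baseline)
    evidence = [("a", baseline[:80]),
                ("a%' AND 1=1 --", true_body[:80]),
                ("a%' AND 1=2 --", false_body[:80])]
    return Finding(path, "evidence", confirmed, evidence)


def triage(paths):
    """Run the pattern scanner, then keep only what the evidence step confirms."""
    confirmed = []
    for hit in pattern_scan(paths):
        result = confirm_sqli(hit.path)
        if result.confirmed:
            confirmed.append(result)
    return confirmed


if __name__ == "__main__":
    paths = ["/search", "/docs"]
    print("pattern hits:", [f.path for f in pattern_scan(paths)])
    for f in triage(paths):
        print("confirmed:", f.path)
        for payload, excerpt in f.evidence:
            print(f"  q={payload!r} -> {excerpt}")
```

Run stand-alone, the pattern scanner reports both `/search` and `/docs`, while `triage` returns only `/search`, together with the three request/response pairs a developer would need to reproduce the issue. A real scanner has to handle dynamic content, rate limits and many injection contexts, but the contract is the same: a finding ships with the evidence that makes it reproducible.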
Accuracy is the key to both automated and manual scanning, and Invicti works on improving the accuracy of its results every day. The company also ensures that its products can test for the latest zero-day vulnerabilities and new vulnerability classes, and its own security engineers confirm the vulnerabilities the products report.
“We’ve been recording this data since 2015, when we launched the hosted version of our product. There are over 500,000 vulnerabilities assessed and less than 0.02% of confirmed vulnerabilities were found to be false positives. That’s less than one in 5,000. Think about the relationship between security teams and developers: if developers only receive false positives from the security team twice a year, it will create a more harmonious relationship and save much more time.”
How much time? Try about 10,000 hours per year, saving roughly half a million dollars. Security analysts and engineers can then be deployed on more essential tasks, and Ralls says there’s no substitute for the intelligence and intuition that a security professional can bring.
“What’s rewarding is when security personnel can focus on more sophisticated tasks like protecting against attacks, spending time with end users, or training developers on security.”
“There are so many opportunities for security teams to make tangible improvements to security. Yet the reality today is that too much of their time is spent making sure the tools they use are accurate. Organizations pay a lot of money for these tools – and they should be precise.”
Ralls draws an analogy with endpoint security: organizations now protect every laptop as a matter of course, and he argues they should treat every application the same way.
“No one would secure laptops owned only by management teams – you would want to protect every endpoint. But not so long ago securing a laptop was a difficult manual process to evolve. Twenty years ago, not all laptops were secure because not all employees had laptops.”
“In today’s world, every organization realizes they need to secure every laptop in their business. But they only secure a fraction of their apps because they might not realize there is a better way to secure everything.”
“In a few years, we’ll look back and ask how we lived in a world where only 15% of apps were secure. How was that possible, how did we continue to be so vulnerable? This is Invicti’s mission. The apps contain my data, your data, the data of our families, and these are the communities that we protect from attackers.”