Netsparker says its web application security solution can automatically verify its findings, by exploiting identified vulnerabilities and providing proof.


This massively reduces the time wasted in penetration testing by false positives, according to Netsparker. A false positive is when a web application security scanner falsely indicates a vulnerability on your website, such as SQL injection.


Web application security scanners are known to report false positives, which extends the time needed for web application penetration tests. Testers have to go through all the reported vulnerabilities and manually verify them by trying to exploit them.


"Because of this lengthy process, web application security is unaffordable for many businesses. But costs are not the only problem," notes Netsparker.


"If a web application security scanner detects 200 cross-site scripting vulnerabilities, and the first 20 variants are false positives, the penetration tester assumes that all the others are false positives as well, and ignores all the rest. By doing so, there are chances that real web application vulnerabilities are left undetected."


Often, the results of a penetration test are only as good as the tester's knowledge rather than the capabilities of the web application security scanner. Penetration testers often do not trust web application security scanners, and instead manually verify every reported web vulnerability the scanner detects.


"If the user of the web security scanner is unable to exploit a particular web application vulnerability due to lack of knowledge or experience, such a vulnerability is considered a false positive and will never be fixed," according to Netsparker.


Netsparker notes that web application security scanners cannot replace professional penetration testers, while penetration testers, for their part, will never be as efficient as automated scanners.


"Both software and humans are required. Automation and modern technology are allowing us to automate much more; thus penetration tests require much less human intervention," the company said.


Netsparker's parent brand Invicti Security will be exhibiting at the RSA Conference 2021 from 17 to 20 May.


Channel partners and customers are invited to talks by technical solutions engineer Mark Schembri ('Beyond Dynamic Application Security Testing: A DAST-First Tool with IAST Depth'), and sales manager Cooper Herrera ('Five Steps to Secure Your Web Assets').


Photo by ThisisEngineering RAEng on Unsplash