WebAppSec
What problems solved
VERIZON 2018 DATA BREACH INVESTIGATIONS REPORT
WEB APPLICATION SECURITY
“InfoSec’s branch dealing with security of websites, web apps and web services. … paying increased attention to the security of the web applications themselves in addition to the security of the underlying computer network and operating systems”. ©
Web 2.0 & HTML5 >> changed the way business is done.
Business operations shifted online = sensitive data processed in real time.
There is money to be gained illegally << hackers and scammers.
Web applications are up to 80% of the overall number of enterprise applications.
03/02, 17/03, 12/04, 21/05, 07/06
Prowli Malware Operation Infected Over 40,000 Servers, Modems, and IoT Devices
58% of Botnet Malware Infections Last Under a Day
New VPNFilter plugins
Over 65,000 Home Routers Are Proxying Bad Traffic for Botnets, APTs
Cisco Smart Install Client
WHY MATTER?
Security risks >> web apps and the networks to which they are connected.
>> web applications = among the most serious sources of security risk.
The web by design opens a window between your network and the world.
Vulnerabilities do not come from web app development only; they often come from general security issues, wrong configurations, weak administration and simply a lack of awareness among IT/ITS staff.
NETWORK FIREWALL / SCANNER
Myth#1
To protect a web app we have a Network Firewall / UTM and a Network Security Scanner.
WEB APPLICATION FIREWALL
A WAF can’t solve web-app security flaws; it just blocks some KNOWN requests (matched by patterns/signatures).
A WAF is only as good as its administrator – people remain the weakest part of the solution.
A WAF is just software/an appliance that has to be configured and tuned constantly.
It makes sense to deploy a WAF after a vulnerability / security assessment by an automated web scanner.
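The slide's point, that a signature-matching WAF sits in front of a flaw rather than removing it, is easy to show in a few lines. The following is an added example written for this page, not Netsparker code and not a real WAF ruleset: the signature list, the in-memory SQLite table and the two names are all constructed here. It places a toy blocklist filter in front of a query that splices user input into SQL, and beside it the actual fix, a parameterized query. A legitimate name with an apostrophe passes the filter and still breaks the flawed query; a legitimate value that happens to contain a signature token is blocked even though the fixed query handles it without any filter at all.

```python
import re
import sqlite3

# Constructed signature list: the kind of "known bad request" patterns a
# pattern-based WAF rule matches. It is a blocklist, so it only catches what it knows.
SIGNATURES = [
    re.compile(r"'\s*or\s+", re.IGNORECASE),    # tautology fragment
    re.compile(r";\s*drop\s+table", re.IGNORECASE),
    re.compile(r"--"),                          # SQL comment marker
]


def waf_allows(value: str) -> bool:
    """True if no signature matches, i.e. what a signature-based WAF lets through."""
    return not any(sig.search(value) for sig in SIGNATURES)


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users, one of them with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: input is spliced into SQL. A WAF in front of this does not remove it."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterized query. Input is treated as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run both lookups behind the toy WAF and collect what happens."""
    conn = make_db()
    results = {}

    # Case 1: a legitimate name containing an apostrophe.
    name = "O'Brien"
    results["waf_allows_obrien"] = waf_allows(name)       # no signature matches
    try:
        lookup_concat(conn, name)
        results["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        results["concat_obrien"] = "error"                # the flaw surfaces as a SQL syntax error
    results["param_obrien"] = lookup_param(conn, name)    # the fix returns the right row

    # Case 2: a legitimate value that happens to contain a signature token.
    name2 = "team--alpha"
    results["waf_allows_dashes"] = waf_allows(name2)      # blocked: a false positive
    results["param_dashes"] = lookup_param(conn, name2)   # no error, simply no match
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two cases line up with the slide: the filter cannot tell a flaw from a fix, because it only sees request text, and its rule list has to be maintained by hand forever; the parameterized query closes the whole input-handling class once, which is why the deck recommends finding and fixing the actual vulnerabilities first and treating the WAF as an extra layer.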
WEB SECURITY
There are two roads to accomplish excellent security:
1. Old way
- Maintain constant alert to new security issues (concept?)
- Ensure all patches and updates are done at once (sure, but)
- All of your existing applications reviewed for correct security (is it possible)
- Only security knowledgeable programmers do work on your site (how to evaluate)
- Their work checked carefully by security professionals (developer vs security)
- Maintain FWs, AVs, IPS’ (for why) and so on.
2. New way: use a web app security scanner to see if vulnerabilities actually exist
- simple logic: lock the front door.
>> It is far more effective to repair a half dozen actual risks than to leave them in place and try to build higher and higher walls around them. This also led to the birth of a new and young industry …
MANUALLY/ SAST OR DAST?
Your site is 1,000 times more likely to be attacked with a known exploit than an unknown one. And the reason behind this is simple: there are so many known exploits, and the complexity of web servers and web sites is so great, that the chances are good that one of the known vulnerabilities will be present and allow an attacker access to your site.
How Can I Secure my Web Applications?
NETSPARKER
Very easy to use
Fully automated
Proof-Based Scanning Technology
Authentication support
Practical remedial solutions
NETSPARKER STANDARD/ CONS.
Single user
Windows software
CLI integration
Manual Crawling
Pen testing tools
NETSPARKER TEAM/ENT.
Multi-user platform
Online service
Scalable
Built-in bug tracking
OoB integration
REST API
Trend Matrix
Available on-premises
EDITION COMPARISON
EDITIONS (price per website, by number of websites licensed)

Tier                 Editions                                                      Websites     Price per website
Up to 20 websites    Netsparker Desktop                                            5            $999
                                                                                   10           $800
                                                                                   20           $600
Up to 50 websites    Netsparker Desktop, Netsparker Cloud on-demand                5            $1 599
                                                                                   10           $1 200
                                                                                   20           $850
50+ websites         Netsparker Desktop, Netsparker Cloud on-demand,               50           $600
                     Netsparker Cloud On-Prem                                      100          $540
                                                                                   200          $482
                                                                                   500          $368
Consultant           Netsparker Desktop, single instance                           Unlimited    $10 995 (total)
Ease of Use & Configuration
Scans HTML5, SPAs & Modern Web Applications
Proof-Based Scanning Technology
Supports Authentication
Integrated Exploitation
Supports Mobile/Web Services
COMPARE?
https://www.netsparker.com/blog/news/comparison-web-vulnerability-scanners-netsparker/
Case Study
1. RESELLING
(Diagram: CUSTOMER – PARTNER – NETSPARKER; partner DISCOUNT; WEB-SECURITY CONSULTING)
Simple Licensing Model >> UPSELL vs CROSS-SELL
Sales & Marketing Support >> NO PROJECT PRESALE
Netsparker backend support >> NO TECH STAFF
Easily integrates >> SOCs, sSDLS, SecOps
2. PEN-TEST SERVICE
(Diagram: CUSTOMER – PARTNER – NETSPARKER; partner DISCOUNT, customer FEES)
Avg pen-test price is 1,000 – 4,000 USD
100% accuracy and no false positives >> high results
Netsparker pricing >> NO EXTRA COSTS
Checking web-sites >> PER SCAN FEE
3. WEB-SECURITY MONITORING
(Diagram: CUSTOMERS – PARTNER – NETSPARKER)
Yearly/quarterly/monthly service
Retrospective and trend matrix
Incremental scanning / scheduling
Long term relations / projects
About Netsparker
COMPANY SNAPSHOT
Netsparker develops a dead accurate webAppSec scanner that helps businesses automatically detect vulnerabilities in web apps as quickly and efficiently as possible.
Netsparker was founded in 2009 and is still led by Ferruh Mavituna, a penetration tester himself.
45%+ average annual growth
1,500+ customers in 66 countries
Fortune 500 customers
50+ employees in 6 countries
200 zero-day vulnerability advisories published
1,500,000+ Netsparker downloads since 2010
CUSTOMERS
Thank you
Your own scalable web application security

B&W Netsparker overview
