Invicti: Web Application Security For Enterprise
https://www.invicti.com/
Feed updated: Thu, 28 Mar 2024 17:32:58 +0000

Why DAST makes the perfect security posture gauge
https://www.invicti.com/blog/web-security/why-dast-makes-the-perfect-security-posture-gauge/
Thu, 28 Mar 2024 05:31:00 +0000

The variety of available DAST tools that differ widely in purpose and quality has resulted in many security leaders underestimating the flexibility and usefulness of modern DAST. And that’s a shame because the right solution in the right hands can serve as an accurate gauge of application security posture while also unlocking efficiencies all across the organization. This post showcases just a few highlights from the Invicti white paper “DAST: The CISO’s Security Posture Gauge.”

The post Why DAST makes the perfect security posture gauge appeared first on Invicti.

Focused on detection and response, security leaders might not think of DAST tools as an essential component of their AppSec toolbox. All too often, external vulnerability scanning is only performed during periodic third-party tests, giving you snapshots of your security posture that can be months out of date. What if you could run your own tests as often as you need and at no extra cost per test? Welcome to fact-based application security, where a quality DAST becomes your security posture gauge.

Read the Invicti white paper “DAST: The CISO’s Security Posture Gauge”

Don’t take someone else’s word for it—run your own security testing

CISOs and other security leaders are expected to maintain an impregnable security posture and accurately report on it, yet for application security, they often have to rely on second-hand data and other people’s assurances. Getting your own data typically requires a compliance audit or a third-party assessment like a penetration test, which means you have to wait weeks or months for your vulnerability reports—and even then, you are depending on that third party to deliver accurate information. Worse still, that information will become outdated very soon, and until the next test rolls around, you will only know your security posture in the past, not here and now.

Ideally, you would want to run your own tests whenever you want an update. That way, you can make fact-based decisions based on current information, without taking anyone’s word for it and without asking anyone’s permission. But how can you even do that? To assess your realistic exposure, it would be best to probe every corner of your public-facing application environments and look for vulnerabilities that could be exploited by malicious actors. Oh—and do this safely, accurately, automatically, and independently of the development and deployment internals. However you slice it, the only realistic way to do that is with a good, reliable DAST solution.

The perfect tool for self-service AppSec assessments

The limitations of some web vulnerability scanners have given rise to myths and misconceptions that keep DAST tools off the radar for many security leaders—after all, aren’t they only used by QA internally and then pentesters externally? In reality, the “DAST” label applies to many different tools that were designed for different purposes. For example, a vulnerability scanner designed to aid manual penetration testing might excel in that role but be of little use to a CISO looking for an automated way to gauge security posture. To do that, you need an advanced and scalable DAST solution that can run hands-off on any required schedule and deliver the right data to the right people.

Compared to a more traditional approach based on commissioning external penetration tests, a reliable self-service DAST gives you up-to-date vulnerability information as often as you need it, and can repeatably run thousands of test payloads against thousands of attack points in a fraction of the time. Leading solutions even include automatic exploitation functionality to safely check which vulnerabilities are remotely exploitable and need fixing first. And all this on your own schedule and without taking anything on trust, giving you a first-hand overview of your actual security posture.

Intrigued? We’ve put together a detailed white paper that takes an in-depth look at all these topics and more, dispelling common DAST myths along the way, demystifying the market, and showing how the versatility of advanced DAST solutions can unlock efficiencies and savings—not only for the security organization, but also for engineering.

Read the Invicti white paper “DAST: The CISO’s Security Posture Gauge”

AUSTIN, Texas — (March 26, 2024) — Invicti, the leading provider of application security testing solutions, today announced an integration with ServiceNow to pull scan data from Invicti’s leading DAST and IAST into ServiceNow’s Application Vulnerability Response (AVR) for a seamless experience between the two systems. The joint effort enables Invicti to create better experiences and drive value for customers built with ServiceNow.

ServiceNow’s expansive partner ecosystem and new partner program are critical to supporting the $500 billion market opportunity for the Now Platform and associated partner services. The revamped ServiceNow Partner Program recognizes and rewards partners for their varied expertise and experience to drive opportunities, open new markets, and help joint customers in their digital transformation efforts.

As a Registered Build Partner, Invicti provides a certified integration that allows for greater prioritization and potential impact assessment of code flaws that may lead to an exploit. This ability to better show developers and security teams where to focus their efforts furthers Invicti’s mission to provide AppSec with Zero Noise to customers and the industry. The integration is available in the ServiceNow Store.

“Being a part of ServiceNow’s ecosystem is a major benefit for customers working to streamline and automate their vulnerability management and overall application security programs,” said John Mandel, Chief Engineering Officer at Invicti. “Strong integration between our tools has been an ask from our customers and we’re excited to deliver on this value driver for them.”

“Partnerships succeed best when we lean into our unique skills and expertise and have a clear view into the problem we’re trying to solve,” said Erica Volini, Senior Vice President of Global Partnerships at ServiceNow. “Invicti extends our reach well beyond where we can go alone and represents the legacy and goals of the Now Platform. I am thrilled to see the continued innovation we will achieve together to help organizations succeed in the era of digital business.”

Invicti also has integrations with ServiceNow’s Vulnerability Response system, allowing bi-directional functionality and customizations for customers to gain better visibility and automation from vulnerability discovery through remediation, saving developer time and improving security posture through stronger vulnerability management and application security.

About Invicti Security

Invicti Security—which acquired and combined DAST leaders Acunetix and Netsparker—is on a mission: application security with zero noise. An AppSec leader for more than 15 years, Invicti provides best-in-DAST solutions that enable DevSecOps teams to continuously scan web applications, shifting security both left and right to identify, prioritize and secure a company’s most important assets. Our commitment to accuracy, coverage, automation, and scalability helps mitigate risks and propel the world forward by securing every web application. Invicti is headquartered in Austin, Texas, and has employees in over 11 countries, serving more than 4,000 organizations around the world. For more information, visit our website or follow us on LinkedIn.

ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries.

Use of Forward‑Looking Statements

This press release contains “forward‑looking statements” about the expectations, beliefs, plans, intentions and strategies relating to the market opportunity and growth of the Now Platform. Forward‑looking statements are subject to known and unknown risks and uncertainties and are based on potentially inaccurate assumptions that could cause actual results to differ materially from those expected or implied by the forward‑looking statements. If any such risks or uncertainties materialize or if any of the assumptions prove incorrect, our results could differ materially from the results expressed or implied by the forward‑looking statements we make. We undertake no obligation, and do not intend, to update the forward‑looking statements. Factors that may cause actual results to differ materially from those in any forward‑looking statements include, among other things, any changes to the partner program and unexpected delays, difficulties and expenses in achieving market growth and/or opportunity. Further information on factors that could affect our financial and other results is included in the filings we make with the Securities and Exchange Commission from time to time.

###

Media Contact

Kate Bachman
Invicti
kate.bachman@invicti.com

Women’s History Month: Meet Şeyma Kara, Invicti’s Director of Engineering
https://www.invicti.com/blog/news/womens-day-seyma-kara/
Thu, 21 Mar 2024 14:42:36 +0000

To honor Women’s History Month in 2024, Invicti Security is celebrating and sharing the voices of women at Invicti. In this blog post, Invicti’s Director of Engineering, Şeyma Kara, shares the story of her journey as a woman—and a leader—in tech.

Where I was born and raised, certain roles were assigned to women, and these were not even discussed. Neither my mother nor I were allowed to take our adopted dog for a walk without my father. Similarly, it was considered unusual for my mother to learn how to drive because we needed my father’s company for our city travels, especially in winter when the days grew shorter. 

It wasn’t until I was older that I realized my parents didn’t openly discuss gender roles because they were trying to create space for new ideas rather than reinforce these roles. This idea of creating space for something new became a valuable tool for me in solving issues in my career later on in life.

How did I adopt the mindset I call a tool? 

As I grew in my career, I realized the existence of barriers that shouldn’t be. I objected to others’ thoughts being labeled as obstacles to me. As a director, I could be judged mainly by presenting myself with full transparency, as opposed to the idea of a manager who should hide their feelings, act like a feared boss, and dress formally. Instead of having hesitations about how I should behave, I freed my mind from these thoughts, and I became aware of my own potential.   

When faced with problems, I sought solutions to overcome them myself rather than expecting others to solve them for me. I first evaluated the barriers in my own mind and then began to explain to others why they were not obstacles by setting off on this path. Then, I became the first and continuous actor. As I said, I made gains from areas where I could liberate myself and used those gains to liberate other areas. 

My Invicti journey

My story began by leading a group of testers who believed in the product and had product knowledge with little testing experience. I dreamed of forming a team that would elevate each other by transferring their test experiences in return for developing product knowledge. I believe this dream has yielded beautiful results.

Then, as I got the first chance to lead people outside my skills, as there was actually no alternative, I continued. So I had a new dream. It was a software product that was more stable, did not cause uncertain problems, and could be planned ahead in terms of time. This dream also yielded more success, and here I am now, leading the success of the product with more responsibility and with the help of committed teammates.

I cannot deny that we face various limits in our company, budget constraints, lack of time, and decisions to merge or divide teams. Yet, I follow my dreams, which I believe will benefit all of us. My persuasiveness lies in being proactive and sustaining momentum.

I believe “A river cuts through rock not because of its power but because of its persistence.”

For fun

Let’s do a test. See the list of job titles below, and before you click each link, visualize what this person is like. 

Boxing champion, nurse, CEO, conductor, civil rights activist

  • Buse Naz Çakıroğlu: A Turkish boxer known for her contributions to women’s boxing in Turkey and internationally.
  • Luther Christman: An American nurse, professor of nursing, university administrator, and advocate for gender and racial diversity in nursing.
  • Indra Nooyi: An Indian-American business executive who served as the CEO of PepsiCo, known for her leadership and advocacy for diversity and sustainability.
  • Nisan Ak: Selected as one of the thirty most inspiring people under the age of thirty by Forbes Turkey in 2019, Nisan Ak is a rapidly rising conductor from Istanbul.
  • Rosa Parks: An African-American civil rights activist known for her pivotal role in the Montgomery Bus Boycott, sparking the civil rights movement.

When you are aware of certain assumptions you hold, you can make a conscious choice to break any limitations you have and overcome bias.

Never trust an LLM: Prompt injections are here to stay
https://www.invicti.com/blog/web-security/never-trust-llms-announcing-prompt-injection-ebook/
Thu, 14 Mar 2024 16:32:26 +0000

Prompt injections are not like other application attacks. If an LLM is involved in processing your app inputs, the right combination of words could be all it takes to reveal sensitive data or perform a malicious operation. In his ebook, Invicti’s Bogdan Calin shows examples of known prompt injections and looks at possible mitigations.

Some days, it feels like every application and system out there is getting new functionality based on large language models (LLMs). As chatbots and other AI assistants get more and more access to data and software, it’s vital to understand the security risks involved—and prompt injections are considered the number one LLM threat.

In his ebook Prompt Injection Attacks on Applications That Use LLMs, Invicti’s Principal Security Researcher, Bogdan Calin, presents an overview of known prompt injection types. He also looks at possible future developments and potential mitigations. Before you dive into the ebook with its many practical examples, here are a few key points highlighting why prompt injections are such a big deal.

Magic words that can hack your apps

Prompt injections are fundamentally different from typical computer security exploits. Before the LLM explosion, application attacks were typically aimed at getting the application to execute malicious code supplied by the attacker. Hacking an app required the right code and a way to slip it through. With LLMs and generative AI in general, you’re communicating with the machine not using precise computer instructions but through natural language. And almost like a magic spell, merely using the right combination of words can have dramatic effects.

Far from being the self-aware thinking machines that some chatbot interactions may suggest, LLMs are merely very sophisticated word generators. They process instructions in a natural language and perform calculations across complex internal neural networks to build up a stream of words that, hopefully, makes sense as a response. They don’t understand words but rather respond to a sequence of words with another sequence of words, leaving the field wide open to “magic” phrases that cause the model to generate an unexpected result. These are prompt injections—and because they’re not well-defined computer code, you can’t hope to find them all.

Understand the risks before letting an LLM near your systems

Unless you’ve been living under a rock, you have most likely read many stories about how AI will revolutionize everything, from programming to creative work to the very fabric of society. Some go so far as to compare it to the Industrial Revolution as an incoming jolt for modern civilization. On the other end of the spectrum are all the voices that AI is getting too powerful, and unless we limit and regulate its growth and capabilities, bad things will happen soon. Slightly lost in the hype and the usual good vs. evil debates is the basic fact that generative AI is non-deterministic, throwing a wrench into everything we know about software testing and security.

For anyone involved in building, running, or securing software, the key thing is to understand both the potential and the risks of LLM-backed applications, especially as new capabilities are added. Before you integrate an LLM into your system or add an LLM interface to your application, weigh the pros of new capabilities against the cons of increasing your attack surface. And again, because you’re dealing with natural language inputs, you need to somehow look out for those magic words—whether directly delivered as text or hidden in an image, video, or voice message.

Keep calm and read the ebook

We know how to detect code-based attacks and deal with code vulnerabilities. If you have an SQL injection vulnerability that allows attackers to slip database commands into your app, you rewrite your code to use parameterized queries, and you’re usually good. We also do software testing to make sure the app always behaves in the same way given specified inputs and conditions. But as soon as your application starts using an LLM, all bets are off for predictability and security.

For better or worse, the rush to build AI into absolutely everything shows no signs of slowing down and will affect everyone in the tech industry and beyond. The pressure to use AI to increase efficiency in organizations is real, making it that much more important to understand the risk that prompt injections already pose—and the far greater risks they could pose in the future.

Read the ebook: Prompt Injection Attacks on Applications That Use LLMs

More than a box to tick: Meet the real DAST
https://www.invicti.com/blog/web-security/meet-the-real-dast-more-than-a-checkbox/
Thu, 07 Mar 2024 17:09:40 +0000

The checklist approach to application security tooling has some organizations treating DAST as a box to tick rather than a critical part of their security program. This post calls out the misconceptions behind this checkbox mentality and shows how getting the wrong DAST tool for the job can create hidden risks and costs.

The proliferation of application security testing tools in the last few years has created a lot of confusion. For some buyers as well as vendors, DAST has been erroneously relegated to a checklist item, with low cost given more consideration than quality. The resulting race to the bottom is creating risk in organizations that security leaders may not be aware of. Time to set the record straight on business-critical DAST versus “check-the-box” DAST—with an infographic to show what’s what.

Navigating the DAST maze

First things first: dynamic application security testing (DAST) covers all types of security testing done on a running application, whether manual or automated. But in cybersecurity jargon, “DAST tool” is a common term for a web vulnerability scanner—and because these vary widely in maturity, purpose, and effectiveness, things can get confusing. Generalizing a bit, there are three informal categories of DAST tools:

  • Pentesting scanners: Single-user scanners designed for ad-hoc scanning to find potential issues for further manual testing
  • Basic automated scanners: Legacy products that often struggle with modern web applications, leading to low-quality results
  • Comprehensive DAST solutions: Dedicated products designed for automated vulnerability testing and constantly maintained to keep up with current web technologies

Which type of tool is right for you depends on your specific use case. For example, a scanner that does the job perfectly well for a penetration tester might flood developers with false positives if you try to automate it into the pipeline. Conversely, a full-on enterprise solution with automation and integration might be overkill if you only need to scan one site. But looking beyond specific product categories, there are only two types of DAST tools: those critical for your application security and those that merely tick your “DAST” box.

The checkbox trap

Vulnerability scanning is not only a best practice but often an explicit compliance requirement. When seen alongside all the other requirements, DAST can get relegated to a checkbox that needs ticking, regardless of scan accuracy or usefulness for your specific organization. This can be especially tempting when DAST is bundled cheaply with other cybersecurity tools, or when someone says “let’s just use an open-source scanner, it’s free.”

The checkbox approach to DAST leaves organizations vulnerable and increases their risk profile while giving a false sense of security. After all, we have DAST, so we’re good, right? Well, no—the whole point of security testing is to find and eliminate vulnerabilities. Merely having a tool doesn’t improve your security. Neither does running scans that don’t find anything. And neither does getting vulnerability reports that are useless for remediation.

DAST that works as advertised can change your entire application security game. DAST that doesn’t can be worse than no DAST at all.

You can’t automate inaccurate results

The fundamental challenge with automated dynamic testing is ensuring accuracy at every stage of scanning. If the crawler isn’t accurate enough, some targets won’t be tested at all. If the scan engine isn’t advanced enough, the targets that do get tested might slip away with undetected vulnerabilities. And if the reporting and prioritization aren’t up to par, users may be flooded by false positives and other non-actionable alerts.

With ineffective crawling and testing, the scanner will report too little or nothing at all, potentially creating a false sense of security. You might think that the scanner hasn’t found any vulnerabilities because your app is so secure when, in reality, nothing was found because most of the app wasn’t tested. This is a typical problem with legacy tools that can’t cope with modern authentication requirements and JavaScript-heavy dynamic applications.

Once the scans are complete, accurate reporting means presenting the user only with relevant findings. With a pentesting scanner, returning lots of uncertain results might be useful during ad-hoc manual testing but is poison for any automation attempts. Having a security expert sift through dozens of suspected vulnerabilities is one thing, but asking developers to do this, especially in automatic tickets, will cause them to start ignoring security issues after the first few false positives.

Far from being a saving, taking shortcuts to check the DAST box can cost you time and money for no material security improvements.

There’s no such thing as a free DAST

Automated web vulnerability testing requires years of non-stop research, development, and maintenance to get exactly right on real-life applications and tech stacks. This means not only frequent updates to security checks but also constantly refining the scanner and its configuration options to make sure it works across a variety of unique application environments. And unless somebody else is putting all that work into the product, you could find yourself footing the bill for trying to do it internally.

One issue with check-the-box bundled scanners is they are often unmaintained and treated as a sideshow by the vendor, leaving your teams scratching their heads to get scans working and somehow integrate the tool into their workflows. As an example, a tool that is technologically ten years old will struggle when confronted with SSO authentication, at best requiring manual hand-holding to authenticate the scanner and at worst completely failing to crawl and scan pages that require authentication—leaving you with lots of working hours wasted.

The same goes for workflow integrations. Because they are not designed with automation in mind, basic DAST tools require lots of work on building custom integrations and fragile data ingestion scripts. And after spending time and money on integrating them, you might find that the results now being pumped into your systems are unusable, again resulting in wasted effort with little to show for it. 

Getting value from DAST

Every organization needs a DAST tool to scan its applications for vulnerabilities in production, development, or both. When choosing the solution that’s right for you, ask not only about the upfront cost but also the time and cost of getting measurable value out of it. For DAST in particular, vendor support can make or break your scan effectiveness and time to value. To act as a critical pillar of your application security program, DAST needs to be set up as quickly as possible, fine-tuned to safely scan every corner of your application environment, and deliver actionable reports for remediation.

Ultimately, it’s the difference between “Here’s the tool, deal with it” and “Let’s get you finding and fixing vulnerabilities as soon as possible.”

Invicti recognizes GuidePoint Security as 2023 North American Partner of the Year
https://www.invicti.com/blog/news/invicti-recognizes-guidepoint-security-as-2023-north-american-partner-of-the-year/
Tue, 05 Mar 2024 14:30:00 +0000

Invicti Security has named GuidePoint Security its North America region Partner of the Year for 2023. The Invicti Channel Partner Awards recognize the immense work done by Invicti’s top-performing global partners to provide exceptional value for customers.

AUSTIN, TX (Mar 5, 2024)—Invicti Security has named GuidePoint Security the North America region Partner of the Year in its 2023 Channel Partner Awards. Award winners for the Channel Partner Awards are recognized as Invicti’s top-performing global partners, highlighting the immense work done to cultivate a partner program that delivers best-in-class service and provides exceptional value for customers. 

The prestigious award recognized GuidePoint Security’s impressive 151% year-over-year growth between 2022 and 2023 as an Invicti partner. This growth underscores their dedication to helping organizations transform and improve their application security strategies. 

Additionally, they made an upward move to the Elite tier in Invicti’s Accelerate Partner Program, which provides top-performing partners like GuidePoint Security with benefits that will help them reach even more organizations in need of web application security. 

“We’re thrilled to accept the North American Partner of the Year award from Invicti Security. With modern software development needing to move at the speed of business, organizations are challenged to scale security to meet that demand. GuidePoint Security is committed to ensuring our customers stay ahead of evolving threats by being a security partner you can trust in the AppSec landscape,” said Mark Thornberry, SVP, Vendor Management, GuidePoint Security.

“We work very closely with the regional AppSec Practice Leads at GuidePoint Security, which brings a level of cohesiveness to our joint sales and marketing efforts and allows us to better serve customers and prospects with the solutions they need most,” said Alvaro Warden, Director of Global Channels and Partnerships at Invicti. “We are thrilled to honor GuidePoint Security with this award and welcome them to the Elite tier of our Accelerate Partner Program, and we couldn’t be more excited heading into FY24, continuing to build upon the success we’ve seen together through the partnership.”

The refreshed Accelerate Partner Program showcases Invicti’s continued investment in the growth of its channel. The program empowers partners to take on more sales and value-driving initiatives, benefiting organizations looking to secure their landscape of web applications and APIs. Invicti continues to invest in providing a strong combination of accuracy, coverage, speed, and scale for their customers’ application security needs. This is highlighted by its proof-based scanning capabilities which verify 94% of severe, direct-impact vulnerabilities with 99.98% accuracy, expediting the prioritization of issues for remediation. 

Will autonomous hacking bots change cybersecurity forever?
https://www.invicti.com/blog/web-security/will-autonomous-hacking-bots-change-cybersecurity-forever/
Fri, 23 Feb 2024 14:00:00 +0000

Research about the possibility of LLM-based bots autonomously hacking websites has made the headlines in recent weeks. We went through the paper to see what the fuss is about and asked Invicti’s Principal Security Researcher, Bogdan Calin, for his views on the implications for the future of cybersecurity.

The post Will autonomous hacking bots change cybersecurity forever? appeared first on Invicti.

]]>
The security industry is abuzz after researchers published the paper LLM Agents Can Autonomously Hack Websites, describing how they successfully got LLM-backed bots to develop and perform attacks against websites in a test environment. As with any attention-grabbing “Skynet will take over soon” AI story, it’s a good idea to take a closer look at what the research actually shows and where it could realistically lead next. We asked Invicti’s Principal Security Researcher, Bogdan Calin, for his thoughts on the potential for weaponizing AI in this way.

Experiments with LLM-based hacking agents

To quickly summarize the paper, academic researchers from the University of Illinois Urbana-Champaign (UIUC) set up a sandboxed test environment with a realistic vulnerable website that contained 15 vulnerabilities of varying complexity. They also prepared ten different LLM-backed agents (bots), two of them using commercial models (GPT-3.5 and GPT-4) and the rest using open-source models. Every agent was given access to a headless browser to interact with the vulnerable site, function calling to perform various operations on the site, and a set of publicly sourced documents about web hacking and vulnerabilities.

The documents provided to the bots described several vulnerabilities, specifically SQL injection, cross-site scripting (XSS), and server-side request forgery (SSRF), along with general attack methods and approaches—but they deliberately did not include any instructions on how to attack the test website. Through carefully constructed prompts, each of the bots was then instructed to act like a creative hacker to plan and execute a successful attack against the test site.

Without going into the detailed results: most of the bots failed in their attempts, but the one backed by GPT-4 surprised the researchers by successfully finding 11 of the 15 vulnerabilities, giving a headline success rate of 73.3%. Because LLM output is non-deterministic, each bot was given five tries at each vulnerability and was counted as successful if any one of those tries worked, since, to quote the researchers, “a cybersecurity attack only needs to succeed once for the attack to achieve its goals.”

So, when correctly prompted and provided with access to documentation and external functionality, an LLM-backed bot was able to autonomously plan and perform a realistic attack on a website. This was the big takeaway that got people talking about the beginning of the end of manual penetration testing.

It’s a long way from proof-of-concept to armageddon

While definitely impressive, the research mostly serves to showcase the greatly improved reasoning and function-calling capabilities of GPT-4. Recreating similar hacking bots outside a sandboxed test environment is currently impractical for most actors, if only because of OpenAI’s guardrails and terms of use (the researchers obtained an exemption for their work). The paper attributes GPT-4’s success in the autonomous hacking role to its ability to work with larger prompts and to backtrack across its chain of reasoning to improve with each attempt.

None of the open-source models tested got anywhere close to the far bigger and more advanced GPT-4, suggesting that widespread autonomous hacking based on other LLMs is still a long way away. And even though the past few years have seen rapid advances in AI technologies, the main LLM breakthroughs were only possible due to massive investments by many of the world’s largest tech companies, with Microsoft and Google leading the way.

“One problem with current LLMs is that because they are so big, they are very expensive to train, so you cannot simply expand what you have or build your own model in-house because it’s not cost-effective,” explains Bogdan Calin. “For example, to get to GPT-5 or GPT-6 will cost much more than GPT-4, but the capabilities won’t grow in a linear fashion. So even if you pay four times as much for the next generation model, it won’t be four times more powerful.”

The present and future of penetration testing

Until a genuine breakthrough in LLM technology comes, fully autonomous hacking bots still seem to reside more in the realm of science fiction. Even so, the security industry needs to be ready if (or when) the day comes. “I don’t think LLM agents are a danger right now because you need very powerful and carefully controlled models like those from OpenAI,” says Calin. “But if someone develops a local model with the same capabilities, it’s unbelievable how dangerous this could be. With a local LLM, you don’t have to pay anybody, and nobody can block you. Then, you can run any number of automated agents, give them hacking tasks, and they will operate all by themselves.”

While it’s a big assumption to make, if LLMs are developed that can match at least GPT-4 in autonomous hacking tasks and if these models are sufficiently small, fast, and cost-effective, the entire cybersecurity landscape and industry could change almost overnight. “I think these types of agents could replace some of the pentesters,” says Calin. “For a start, they will be much cheaper. They can work all the time and quickly adapt to changes and new methods. If a new technique or exploit is discovered, you can just update the documentation and all your bots will use the new method. Such LLM agents could also be very dangerous.”

Unlike hacking bots, automated vulnerability testing already exists

Before we get all sci-fi, let’s keep in mind that while autonomous LLM agents may or may not arrive, advances in automating both offensive and defensive application security are being made all the time. Smarter, more effective, and more intense automated attacks are inevitable in the near future, whether or not LLMs are involved. Preparing for them on the defensive side requires not only better reactive measures but also finding ways to identify and close security gaps before the attackers find them. 

Malicious attackers might not care if some of their payloads don’t work, generate noise, or are harmful, perhaps deleting some data or crashing the application. They will be happy to use LLM agents if and when they arrive. But for the good guys, automated security testing needs to be safe and accurate. Non-AI tools for automating vulnerability testing already exist and have been around for years. Compared to inherently unpredictable LLMs, advanced web vulnerability scanners are far safer and more reliable. 

Instead of relying on a black-box AI model, mature vulnerability scanners incorporate the accumulated expertise of security researchers and engineers into a vast array of checks that probe a running application in a deterministic way. Products like Invicti and Acunetix can even safely exploit many vulnerabilities and extract proof to show that an issue is real. By running such scans on a regular schedule and quickly fixing identified vulnerabilities, you can, in effect, have a continuous process of automated penetration testing to eliminate security flaws before someone exploits them.
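To make the contrast with an LLM agent concrete, here is an added example (not Invicti’s or Acunetix’s code, and not part of the original post) of what a deterministic, proof-extracting check looks like. It runs against a toy in-process lookup endpoint with a constructed SQLite schema; the function names, the `products` table, and the canary arithmetic are all invented for this illustration. The check first confirms a boolean differential and then asks the database to evaluate an expression whose result the scanner can predict, so the proof cannot be a mere reflection of the payload. Every probe is read-only. The hardened endpoint, shown beside the vulnerable one, yields no finding.

```python
"""Added example: a deterministic, read-only SQL injection check that
extracts proof, run against a constructed vulnerable endpoint and its
hardened counterpart. Names and schema are invented for illustration."""
import sqlite3


def _make_db():
    """Constructed sample data for the toy endpoint."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")])
    return db


def vulnerable_lookup(db, product_id: str) -> str:
    """'Before': untrusted input concatenated straight into the query."""
    rows = db.execute(
        "SELECT name FROM products WHERE id = " + product_id).fetchall()
    return "\n".join(str(r[0]) for r in rows) if rows else "not found"


def hardened_lookup(db, product_id: str) -> str:
    """'After': input validated and bound as a parameter."""
    if not product_id.isdigit():
        return "bad request"
    rows = db.execute(
        "SELECT name FROM products WHERE id = ?", (int(product_id),)).fetchall()
    return "\n".join(str(r[0]) for r in rows) if rows else "not found"


def check_sqli(endpoint, baseline_value="1"):
    """Return a finding with proof, or None if injection is not confirmed.

    Step 1 (boolean differential): appending a true condition must leave
    the response unchanged, appending a false one must change it.
    Step 2 (proof): a UNION of a harmless arithmetic expression must
    surface the computed value. "9001*3" never appears literally in the
    payload, so seeing 27003 proves the database evaluated our input.
    """
    base = endpoint(baseline_value)
    true_case = endpoint(f"{baseline_value} AND 1=1")
    false_case = endpoint(f"{baseline_value} AND 1=2")
    if not (base == true_case and true_case != false_case):
        return None
    probe = endpoint(f"{baseline_value} UNION SELECT 9001*3")
    if "27003" not in probe or "27003" in base:
        return None
    return {
        "parameter": "id",
        "type": "sql-injection",
        "proof": "database evaluated 9001*3 -> 27003",
        "boolean_diff": (true_case, false_case),
    }


def run_demo():
    """Scan both endpoints; returns (vulnerable_finding, hardened_finding)."""
    db = _make_db()
    vuln = check_sqli(lambda v: vulnerable_lookup(db, v))
    safe = check_sqli(lambda v: hardened_lookup(db, v))
    return vuln, safe


if __name__ == "__main__":
    print(run_demo())
```

The two-stage design is the point: the boolean differential alone can be fooled by caching or by pages that vary between requests, so the arithmetic canary is what turns a suspicion into evidence a developer cannot dispute, without touching any data.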

Outhacking the bots

It may well turn out that if malicious hacking bots become a reality in some shape or form, the only way to beat them will be using their own weapon: smart, automated, and continuous vulnerability testing combined with remediation. And the stakes will be high. Bogdan Calin has no doubt that if such bots arrive, cyberattacks will reach a whole new level:

“Large-scale attacks, like from big criminal organizations or nation states, currently need a lot of manpower and resources. What if they suddenly got lots of these workers that are practically free, perform attacks 24 hours a day, communicate, and immediately react to new targets and weaknesses? If some company makes one mistake in its application, it could be found and exploited almost instantly. That would be unbelievably dangerous.”


]]>
Invicti Security Recognizes Global Channel Partners with Inaugural Awards https://www.invicti.com/blog/news/invicti-security-recognizes-global-channel-partners-with-inaugural-awards/ Tue, 20 Feb 2024 14:30:00 +0000 https://www.invicti.com/?p=50251 Invicti Security has announced the winners of its Channel Partner Awards, recognizing the top-performing partners in North America, EMEA, and APAC in 2023.

The post Invicti Security Recognizes Global Channel Partners with Inaugural Awards appeared first on Invicti.

]]>
AUSTIN, TX (Feb 20, 2024)—Invicti Security today announced its 2023 Channel Partner Awards for valued partners in the North America, EMEA, and APAC regions. These global awards recognize Invicti’s top-performing channel partners and highlight the immense work done to cultivate a partner program that delivers best-in-class service for Invicti’s customers. 

The awards follow Invicti’s refreshed Accelerate Partner Program, which was expanded with a new Elite tier to reward the highest-performing partners. The Accelerate Partner Program enables global distributors, resellers, and technology partners with the knowledge and tools they need to provide Invicti’s application security solutions to prospects and customers. Invicti’s continued investment in the growth of its Accelerate Partner Program empowers partners to take on more sales and value-driving initiatives, benefiting organizations looking to secure their landscape of web applications and APIs.

“The success of our customers is always top priority at Invicti, and with our dedicated global partners, we can deliver exponential value through the Accelerate program,” said Alvaro Warden, Director of Global Channels and Partnerships at Invicti. “Our Accelerate Partner Program grew 18% year-over-year (YoY) globally and realized up to 60% growth in the regions of North America as well as the Middle East and Africa. Due to the increased channel growth, we added a new Elite tier and have set the stage for the level of excellence we’re aiming for in 2024 and beyond.”

Award winners for the 2023 Partner Awards contribute to Invicti’s growth and to the growth of the Accelerate Partner Program through outstanding revenue achievements and continuous commitment to providing exceptional value for customers. 

Awardees by region for 2023 include:

North America Region 

  • 2023 North America Partner of the Year: GuidePoint Security
  • 2023 North America Emerging Partner: Trace3
  • 2023 North America Loyalty Partner: Winmill

EMEA Region 

  • 2023 EMEA Partner of the Year: FVC
  • 2023 EMEA Emerging Partner: Cyberwise
  • 2023 EMEA Loyalty Partner: Bulwark

APAC Region 

  • 2023 APAC Partner of the Year: emt Distribution
  • 2023 APAC Emerging Partner: Vietnam Cyberspace Security Technology
  • 2023 APAC Loyalty Partner: Esperto

“We greatly value our partners for what they bring to Invicti’s business success and want to congratulate each partner organization that won an award for 2023,” said Monicka Mann, Director of Global Channel & Field Marketing at Invicti. “Helping prospects and customers navigate the often tumultuous world of cybersecurity with the right guidance and solutions is crucial, and we’ve seen immense success in building strong and lasting relationships with those customers through our Accelerate Partner Program.”

The Accelerate Partner Program experienced double-digit growth in 2023, with channel-driven activities enabling 44% year-over-year growth in Q4. These inaugural awards recognize the hard work from partners in 2023 and set a standard of excellence for the procurement and delivery of Invicti’s industry-leading, reliable, and accurate solutions. In 2024, Invicti is committed to continuing to cultivate and support its global initiatives through its best-in-class Accelerate Partner Program.

About Invicti Security

Invicti Security—which acquired and combined DAST leaders Acunetix and Netsparker—is on a mission: application security with zero noise. An AppSec leader for more than 15 years, Invicti provides best-in-DAST solutions that enable DevSecOps teams to continuously scan web applications, shifting security both left and right to identify, prioritize and secure a company’s most important assets. Our commitment to accuracy, coverage, automation, and scalability helps mitigate risks and propel the world forward by securing every web application. Invicti is headquartered in Austin, Texas, and has employees in over 11 countries, serving more than 4,000 organizations around the world. For more information, visit our website or follow us on LinkedIn.

###

Media Contact:

Kate Bachman
Invicti Security
kate.bachman@invicti.com


]]>
How AI makes cybersecurity even more asymmetric https://www.invicti.com/blog/web-security/how-ai-makes-cybersecurity-even-more-asymmetric/ Fri, 16 Feb 2024 17:37:51 +0000 https://www.invicti.com/?p=50228 You may have heard of asymmetric warfare, but cybersecurity is where the attackers really have an asymmetric advantage. As advances in AI boost everyone’s capabilities, this asymmetry will only keep growing unless we go back to the drawing board and find ways to deal with the noise.

The post How AI makes cybersecurity even more asymmetric appeared first on Invicti.

]]>
In the military world, asymmetric warfare is where a large military force has to deal with far smaller and irregular opposition, like guerrillas or other insurgents. So instead of facing off against a clearly visible enemy military unit, you could be surrounded by any number of smaller threats that remain hidden until an unexpected and often unconventional attack comes.

Most crime-fighting forces also operate under asymmetric conditions, where a finite number of police and similar units face any number of criminal threats—with the additional handicap that criminals don’t have to obey laws, rules, and regulations.

In both cases, the resemblance to cybersecurity is striking. Organizations worldwide are also locked in an asymmetric struggle where the attackers could be anywhere, strike anytime, and wreak costly havoc with disproportionately smaller resources. But compared to physical security, the asymmetry is even greater, and current advances in AI are likely to give the attackers even more firepower. 

The modern-day defender’s dilemmas

We’ve written about the defender’s dilemma before—the idea that an attacker only has to succeed once while the defender has to succeed every time. This holds especially true for defending against data breaches, where one point of entry might be all it takes to gain a foothold and steal sensitive information. With the overall attack surface of a modern organization potentially spanning thousands of components spread across multiple logical and physical layers, finding one gap is much easier than tightly locking down many sprawling information systems. 

Catch me if you can

Compared to the physical world, a small action can have disproportionately large effects in cybersecurity. Even though cybercriminals often operate in organized groups, even a single person can cause extensive disruption and damage to entire organizations—especially when attacks are performed and amplified via automated botnets.

Adding to the force asymmetry is the relative impunity of attackers. The vast majority of cyberattacks don’t require physical access and are performed remotely, with the attacker operating from another region or even another country. Sure, you can often track down the connection and retrace an attacker’s steps, but cases where an individual is linked to a specific attack, located, arrested, and convicted are vanishingly rare in proportion to the global volume of attacks.

Tracking down the perpetrators becomes even harder when you factor in geopolitics. It’s common for attackers to operate from or via countries that give them free rein to hack organizations and states considered hostile for political reasons. Going back to the military analogy, somebody is taking potshots at you, and there’s nothing you can do to stop them.

Shower you with noise

The other big asymmetry is that defenders have to be ready all the time while also being constrained in their actions. For example, if your application is being pounded by invalid requests that you suspect to be probes or attack attempts, you have to be careful and selective with filtering and blocking because you might affect legitimate traffic and impact business. Apart from manual operations that require stealth, attackers don’t have to worry about inaccuracies, invalid requests, and not breaking anything, especially when running botnets that deliberately spray randomized traffic to see what sticks.

Cloudflare’s State of Application Security report for 2023 showed that “HTTP anomalies” make up 30% of all HTTP traffic blocked or otherwise mitigated by their WAFs. The sheer volume shows that these are not malformed requests caused by occasional glitches but deliberate attempts to flood servers with invalid traffic—and this is only data from one provider, and only for requests that were caught successfully. This is the level of noise that defenders have to contend with around the clock while attackers pick their time and place to strike. 
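What “careful and selective” filtering means in practice is easier to see in code. The following is an added example (not from the original post and not Cloudflare’s or Invicti’s logic): it classifies request lines as HTTP anomalies for a few common reasons and then decides per client whether blocking is justified, so that a mostly legitimate client that sends a couple of malformed requests is left alone. The log format, the thresholds, the client addresses, and the sample lines are all constructed for this illustration.

```python
"""Added example: flag HTTP anomalies in constructed access-log lines and
block only clients whose traffic is predominantly anomalous. Format,
thresholds and sample data are invented for illustration."""
import re
from collections import defaultdict

# Constructed sample: client address, request line, status code.
SAMPLE_LOG = """\
203.0.113.7 "GET /index.html HTTP/1.1" 200
203.0.113.7 "GET /api/items?id=12 HTTP/1.1" 200
203.0.113.7 "BOGUS /index.html HTTP/1.1" 400
203.0.113.7 "GET /static/app.js HTTP/1.1" 200
198.51.100.9 "GET /../../etc/passwd HTTP/1.1" 400
198.51.100.9 "FOO / HTTP/9.9" 400
198.51.100.9 "GET /%00 HTTP/1.1" 400
198.51.100.9 "GET /index.html HTTP/1.1" 200
198.51.100.9 "PUT /../x HTTP/1.0" 400
198.51.100.9 "GET /cgi-bin/../../bin/sh HTTP/1.1" 400
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) (?P<version>\S+)" (?P<status>\d{3})$')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def anomaly_reasons(method, path, version):
    """Return the list of reasons a request line looks malformed or hostile."""
    reasons = []
    if method not in KNOWN_METHODS:
        reasons.append("unknown-method")
    if version not in KNOWN_VERSIONS:
        reasons.append("bad-version")
    if "/../" in path or path.endswith("/.."):
        reasons.append("path-traversal")
    if "%00" in path or "\x00" in path:
        reasons.append("null-byte")
    if len(path) > 2048:
        reasons.append("oversized-path")
    return reasons


def summarize(log_text):
    """Per-client totals, anomaly counts and the distinct reasons seen."""
    stats = defaultdict(lambda: {"total": 0, "anomalous": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        reasons = anomaly_reasons(m["method"], m["path"], m["version"])
        s = stats[m["ip"]]
        s["total"] += 1
        if reasons:
            s["anomalous"] += 1
            s["reasons"].update(reasons)
    return stats


def block_decisions(stats, min_requests=5, max_anomaly_ratio=0.5):
    """Block a client only if it has enough volume AND a majority of anomalies.

    The volume floor keeps a single bad request from triggering a block; the
    ratio keeps a legitimate client with a buggy integration from being cut off.
    """
    decisions = {}
    for ip, s in stats.items():
        ratio = s["anomalous"] / s["total"]
        decisions[ip] = s["total"] >= min_requests and ratio > max_anomaly_ratio
    return decisions


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, blocked in block_decisions(summary).items():
        print(ip, "BLOCK" if blocked else "allow", sorted(summary[ip]["reasons"]))
```

The caveat a practitioner should keep in mind: a ratio-based rule is easy to dilute, since an attacker can pad probes with valid requests. It belongs alongside, not instead of, per-signature rules that drop unambiguous payloads (a null byte in a path has no legitimate use) regardless of what else the client sends.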

The AI amplifier

Advances in AI technology in the past few years have given powerful new tools to everyone, but I’d argue that so far in cybersecurity, the new AI superpowers have benefited attackers far more than defenders. Again, this is because attackers don’t have to worry about inaccuracies or occasional errors, so researching, preparing, and executing attacks at scale becomes far easier. If you’re asking an LLM for ten possible attack payloads and intend to use them maliciously, you probably won’t mind if only one of them actually works and won’t care if another one breaks something or causes data loss.

AI-assisted development is another area where inaccuracies matter far less to attackers than to teams building production applications. LLM-based code assistants further lower the barrier to entry by making it far easier and quicker to develop malware and payloads that might not be perfect but work just well enough for one attack. Because LLMs deal with natural language, they’ve also been put to use for social engineering, greatly improving the quality and plausibility of phishing and other malicious messages. And again, even if the result doesn’t make perfect sense, it might be good enough for one attack.

Apart from text-based tools, cybercriminals have also turned to AI-generated audio and video to amplify their scamming abilities. In the last few years, there have been multiple reports of scams that use AI voice imitation to aid social engineering attacks. Recently, this approach was taken to the next level when voice imitation was combined with deepfake video to spoof an entire video call with a CFO and other company staff, convincing the victim to transfer a large sum of money to the attackers. There are also stories of AI image generation being used to successfully fake IDs in identity verification processes, opening up a whole new avenue for scams in the digital and physical realm.

For all the hype but also genuine innovation, it’s best to see AI as a massive amplifier of existing capabilities—and with the asymmetry inherent in cybersecurity, AI is amplifying that asymmetry.

Catching up with the bad guys

The painful reality is that existing LLM-based AI solutions are extremely useful to attackers yet all but useless to defenders, especially when you need to respond in real time. Security teams are being overwhelmed by noise, and AI helps the attackers crank up the volume even further, but all is not doom and gloom. For now, AI mostly gives the attackers a quantitative rather than qualitative edge, so working smart and relentlessly cutting down on the noise is the way to keep up.

The key is to truly follow well-defined security best practices and find ways to make them a reality instead of an aspirational goal that can never be attained. Automation is crucial for making this happen, but only where you’re not automating unnecessary steps or acting on uncertain data. While AI can be a great help here, be wary of directly acting on data from LLM-based products, as this always carries some degree of uncertainty and, therefore, noise. For tasks like prioritization, machine learning (ML) approaches can be far more reliable, allowing humans to focus on tasks that make the biggest difference.

The asymmetry in cybersecurity is real, but if we can stop AI from making so much noise, it may help us redress the balance.


]]>
Customer feedback and continuous improvements: The perfect AppSec match https://www.invicti.com/blog/web-security/customer-feedback-drives-continuous-improvements/ Fri, 09 Feb 2024 14:37:42 +0000 https://www.invicti.com/?p=49980 Without knowing your customers, their product usage, and their pain points inside and out, can you truly build solutions that deliver value? At Invicti, we strive to open doors of communication with our customers every step of the way by thoughtfully incorporating their feedback into our products. Here’s how we get it done.

The post Customer feedback and continuous improvements: The perfect AppSec match appeared first on Invicti.

]]>
Building industry-leading products in application security is about more than just crafting a powerful platform that delivers results with zero noise—it’s also about the customer experiences that help us forge lasting relationships and add more value to our tools. According to data from Salesforce, the proof is in the experience: 73% of consumers fully anticipate vendors will understand their unique needs and expectations, while a weighty 88% consider their experience with a vendor company to be as important as the products or services they use. 

One crucial aspect of the customer experience is knowing that your vendor listens to your feedback and acts on it. This works both ways: without consistent feedback informing the decisions a company makes to improve its solutions, product teams are flying blind on essential updates that can take their customers’ experiences to the next level. In application security, that can mean missed opportunities or critical delays on features customers need as soon as possible. 

What exactly is customer feedback and why is it important? 

It may seem like a no-brainer that talking to your customers about their experiences with your product is essential to building solutions that deliver real value, yet not every organization takes this as seriously as they should. Product feedback delivered from the customers who know your tools and use them every day is critical to delivering what your users need most and important for prioritizing their requests. But what exactly qualifies as customer feedback?

Feedback can take various forms, from feature requests to bug information and reviews of the overall user experience—we love speaking with customers about their application security strategies, including problems they face day to day, and working together to understand how we can help them leap over hurdles. Support tickets may include broader customer feedback that goes beyond a specific issue and could be invaluable for staff outside the support organization. When all this feedback is properly identified, absorbed, understood, and acted on, organizations building critical tools and products continuously improve for their users, as they genuinely take a customer-centric approach to their business. 

How Invicti collects customer feedback and what we do with it

Listening to our customers has always been a top priority at Invicti. We’re always looking to collect feedback around how customers use the tools, what problems they are solving, how Invicti fits the customer’s own strategy, issues and bugs, and the user experience. We conduct interviews, share customer feedback surveys, and keep the communication doors wide open with multiple options for submitting feedback, including email, our Service Portal, and of course our Product Managers and Customer Success Managers. Listening to customers and treating their requests with respect enables us to translate feedback into tangible, valuable changes that make security easier for everyone. 

The product is high-value but so is the organization. In my experience, doing business is about people—security is all about people. My interactions with Invicti have been incredibly positive. They treat every organization with the same level of respect and care; whether you’re a huge organization or a medium organization like Zen Internet, you feel like you are still being treated in the same fashion. I know a great company when I see one.

– Michael Thompson, Information Security Manager, Zen Internet

With the Invicti process for collecting feedback, we make sure that every customer is heard. All feedback is filtered into our product management software where the team has a clear view of which features are requested most often and what the current status is. That way, we can efficiently work toward resolving common requests first and help our customers achieve their security goals faster and more efficiently, delivering the features and updates that matter most to their success. After all, security is about arming the right people with the tools and confidence they need to execute effective strategies. 

The benefits of feedback are far-reaching and long-lasting

While the Invicti team has already seen process and efficiency improvements after continuously refining how we collect feedback, our customers will continue to be the ones reaping the greatest benefits. By gathering, processing, and applying customer feedback, Invicti can:

  • Enhance the user experience within our suite of security solutions
  • Understand and remediate product issues and bugs efficiently 
  • Continue making informed, customer-centric business decisions 
  • Enable customer support with the right materials and services
  • Know our strengths and understand areas that need improvement

Because each application, API, and environment scanned by our customers poses its own unique challenges, incorporating feedback allows us to continuously make our products even more accurate, scalable, and effective for everyone. Ultimately, these improvements increase ROI for our customers and bolster their security posture in the long run by allowing our tools to be used to their maximum potential. And when we’re able to make an impact on these core activities and incorporate them into our business infrastructure, our customers are much more likely to succeed in achieving their own goals and implementing strong security strategies.

Our goal is to create a closed customer feedback loop—because in cybersecurity, closed feedback loops translate into better security posture and better security solutions for everyone.


]]>