AcuSensor greatly increases the accuracy of our scans and the logs contain detailed information about the location of the vulnerability in source code. This helps our developers find the vulnerabilities and fix them quickly.
Our customer, who has asked to remain anonymous for security reasons, is a global software leader with over 100,000 employees worldwide, developing enterprise software to manage business operations and customer relations. It is one of the world’s largest publicly-traded software companies and was founded in 1972.
Like many major software vendors, our client began by selling on-premises solutions but then fully embraced cloud technologies, becoming a global cloud leader. At the moment, all of their products are web applications (SaaS) and approximately half of them are based on microservices and APIs. Web application security is a major concern that must be addressed at every stage of software development.
Like most large enterprises, our client’s environment is very complex and they rely on multiple security solutions. Their existing web application security solutions were not thorough and precise enough, so they approached Acunetix to learn more about our unique AcuSensor IAST technology. They wanted to scan their APIs early in the SDLC using IAST. The challenge was to fully automate the process in a very complex environment that includes custom solutions.
The customer wanted to test their APIs at the earliest possible stage by running scans as part of CI/CD pipelines. To do this, they created 10 specific target environments to be used to test APIs in development. These target environments are containers where the Jenkins CI/CD platform deploys the API to be tested.
Nine of the customer’s targets have a fixed URL, but one of them is used for microservices that cannot be simply deployed to the fixed-URL targets. The tenth target is based on a fixed proxy server that routes HTTP traffic from the proxy port to the target instance of the microservices application in the CI/CD environment.
A common Docker image is created for all test targets. This Docker image stores the acusensor.jar and aspectweaver.jar files. The deployment environment either uses this image as an intermediate stage to copy the required files into the target deployable Docker image or relies on Kubernetes init containers to copy these two key files into the target environment.
Once the Docker image with the API is ready for testing, the Jenkins pipeline updates the predefined Acunetix target. It uses the Acunetix API to replace the current definition with an appropriate Swagger file for the API being tested and to configure custom headers to include application-related authorization details. Then, Jenkins runs the Acunetix+AcuSensor scan using the Acunetix API.
Once the scan is complete, the Jenkins pipeline accesses the scan result to get the vulnerabilities. The Jenkins pipeline does not use the Acunetix API to create the tickets. Instead, it has its own logic and customized Jira fields to create Jira tickets. The ticket criteria match Acunetix confidence 100 or CVSS >=7.
While Acunetix provides vulnerability management functionality, the client chose not to use these capabilities due to having a centralized vulnerability management solution. Therefore, vulnerabilities are tracked in the internal vulnerability management system that is fed using detailed Acunetix logs as well as Jira tickets.
"The issues detected were of major impact, if users/hackers would have found the security holes, they could have hacked an entire Joomla! site."Robin Muilwijk Quality and Testing Team
"Acunetix is used in a complementary way with other Web Scanners to achieve the best vulnerability detection coverage possible"Nicolas Pougetoux Manager of the Audit Department
"Having used Acunetix since 2009, we find it an essential tool in protecting our interior critical systems and helping our customers protect their own systems."Chen Chiu Lin Researcher