Examples of the 98,000+ reviews on PeerSpot:

Cyber Security Consultant at a tech vendor with 10,001+ employees
Consultant
Top 20
Enhancements in manual testing align with reporting and integration features

    What is our primary use case?

    I am currently working with several tools. For Fortify, I use SCA and WebInspect. Apart from that, I use Burp Suite from PortSwigger. For API testing, I use Postman with Burp Suite or WebInspect for some applications, while for others I use SoapUI with Burp Suite.

    Most of our applications are Salesforce-related, Java-based, or .NET-based systems. The applications typically involve forms where users provide their details. After submission, the information flows to two types of portals: a user portal where customers navigate and provide details, and a worker portal where company personnel verify and approve those details. These are the main types of applications I test.

    What is most valuable?

    From the DAST perspective, we have multiple features. We can directly provide the URL and it will crawl through all the pages of the web application to find vulnerabilities. If automatic crawling is not successful, we can create a macro of the whole application sitemap and input it into WebInspect for complete auditing.

    For older applications with new enhancements, there is a manual crawl facility where we can specifically crawl the new enhancement, and WebInspect will verify it properly while performing minimal crawling or regression testing on the rest of the application.

    The solution offers robust session management capabilities. For applications with MFA or username/password requirements, we can provide credentials manually or create a login macro. When the session expires, it will execute the macro to obtain a new session and continue crawling. These features are very practical. WebInspect also includes API testing capabilities, which is particularly useful when proper Burp licenses are unavailable.

    Regarding reporting, it generates comprehensive PDF reports with various customization options. It details vulnerability information, affected URLs, and highlights manipulated requests and responses. The report includes an appendix section explaining each vulnerability type, identification methods, potential exploits, and remediation steps. It also groups similar vulnerabilities found across different pages for better organization.

    What needs improvement?

    WebInspect works efficiently with Java-based or .NET-based applications. However, it struggles with Salesforce applications, where it requires approximately 20-24 hours to crawl and audit but produces minimal findings, necessitating manual verification.

    The solution offers customization features for crawling and vulnerability detection. It includes various security frameworks and allows selection of specific vulnerability types to audit, such as OWASP Top 10 or JavaScript-based vulnerabilities. When working with APIs, we can select OWASP API Top 10. The tool also supports custom audit features by combining different security frameworks.

    For on-premises deployment, the setup is complex, particularly regarding SQL Server configuration. Unlike Burp Suite or OpenText Dynamic Application Security Testing, which have simpler setup processes, WebInspect requires a SQL Server setup to function.

    For how long have I used the solution?

    I have been using WebInspect since I entered the security domain four or five years ago. During this period, I briefly switched to OpenText Dynamic Application Security Testing but returned to WebInspect.

    What was my experience with deployment of the solution?

    There are deployment issues with the solution.

    What do I think about the stability of the solution?

    The on-premises version of WebInspect presents significant challenges. When running crawling and auditing operations, it consumes substantial system memory, making it difficult to use other applications simultaneously. The cloud version functions more smoothly without these resource constraints.

    Another issue involves the crawling engine occasionally entering infinite loops. For instance, in an application with 15 URLs, the crawler might get stuck on the tenth URL, causing the scan to continue indefinitely. This problem is specific to the on-premises version due to storage limitations. The on-premises version connects to SQL Server with a 9GB limit per scan, causing automatic termination if exceeded.

    What do I think about the scalability of the solution?

    The solution offers different license tiers based on scalability needs. For 1-9 applications, the license allows crawling or auditing one application at a time. Higher-tier licenses support simultaneous processing of multiple applications, with options available for 10-50 applications and more than 100 applications. The cloud version allows unlimited simultaneous application scanning.

    How are customer service and support?

    Our organization has been assigned a dedicated support person from Fortify. This vendor representative is highly accessible through various communication channels including calls, chat, and email. However, I cannot speak to the support experience for individual users or organizations with fewer licenses. Since our organization runs multiple projects using Fortify with numerous licenses, we receive prioritized attention from the vendor.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    HCL AppScan offers multi-factor authentication handling, which WebInspect lacks. With WebInspect, we must request the development team to disable MFA, whereas HCL AppScan can automate this process. Regarding Burp Suite, it serves a different purpose as organizations primarily use it for manual testing rather than automated DAST, where they prefer WebInspect, OpenText Dynamic Application Security Testing, or AppScan.

    How was the initial setup?

    We have implemented WebInspect into the Azure pipeline in one of our projects.

    What about the implementation team?

    Other

    What was our ROI?

    The solution provides various licensing tiers for different scales of operation. For 1-9 applications, single application processing is available. Larger tiers support simultaneous processing of multiple applications. The cloud version enables unlimited concurrent application scanning.

    What's my experience with pricing, setup cost, and licensing?

    While I am not directly involved with licensing, I can share that our project's license for 1-9 applications costs between $15,000 and $19,000. In comparison, Burp Suite costs approximately $500 to $540 for similar functionality.

    What other advice do I have?

    The on-premises version of WebInspect presents significant challenges regarding system resource consumption and memory usage. The cloud version offers better performance and stability.

    The setup process for on-premises deployment requires SQL Server configuration knowledge and can be complex compared to simpler solutions.

    The solution offers excellent scalability through different license tiers, supporting various deployment sizes from small to enterprise level.

    Based on the overall experience, this solution receives a rating of 8 out of 10.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
    Valavan Sivgalingam
    Senior Manager, Security Engineering at ESS
    Real User
    Top 10
    Dynamic testing regularly identifies web vulnerabilities and has strong false positive confirmations
    Pros and Cons
    • "Invicti is part of our SSDLC portfolio, and DAST dynamic testing is very important for our web applications and portfolios."

      What is our primary use case?

      I use Invicti for web application testing and API testing. I want to confirm that I am still using Invicti and SonarQube.

      What is most valuable?

      It has good false positive confirmations, confirmed issues identification, and proof of exploit-related features as part of it. We use Invicti for these things in our portfolios.

      The solution includes Proof-Based Scanning technology.

      Invicti is part of our SSDLC portfolio, and DAST dynamic testing is very important for our web applications and portfolios. For both the API endpoints and web applications, we do regular testing on a monthly basis for all our releases. Invicti does a good job. The only concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities.

      A full scan takes more time based on your website and other factors, but for us, it takes more than two to three days. The scan performance can be improved upon. When we check with them, they discuss proof-based scanning and related aspects. However, there could be intermittent results that could help us.

      What needs improvement?

      The main concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities.

      A full scan takes more time based on your website and other factors, but for us, it takes more than two to three days. The scan performance can be improved upon.

      For how long have I used the solution?

      I have been dealing with Invicti for almost three to four years now, more than three years in general.

      What was my experience with deployment of the solution?

      The installation and initial setup of Invicti are very straightforward.

      What do I think about the stability of the solution?

      I did not see any glitches with the product. When it comes to scanning, sometimes network issues or other factors kill the scan. I cannot point out that it is the product's fault, but otherwise, it was good.

      What do I think about the scalability of the solution?

      I do not have specific information on scalability, but it should not be an issue because we run many processes across our enterprise using it. We have not found any issues with that.

      How are customer service and support?

      The technical support from Invicti is good.

      If I were to rate support from one to ten, I would give eight to nine points.

      How would you rate customer service and support?

      Positive

      How was the initial setup?

      The installation and initial setup of Invicti are very straightforward.

      Which other solutions did I evaluate?

      I have used Burp Suite for web application testing for the use cases I mentioned, apart from Invicti.

      Those products are different from different perspectives, as per our requirements. If I want to do a manual inspection, I use Burp. I run the scans on Invicti, and then for analysis purposes, I use Burp.

      What other advice do I have?

      We are a customer, not a consultant, integrator, or reseller.

      We have not integrated it into our process. It is good, but we have not done that as part of our process. We run our manual scans, which are scheduled with our schedulers.

      The compatibility with various web technologies and frameworks is good. We use many technologies, and it is being managed as part of it.

      We did not do that validation. We looked into it feature-wise and based on our requirements, and I find Invicti is good for us.

      I do not see anything that they could add, because Invicti caters to my requirements. We need to check out options for AI-related activities and making dynamic testing for users. It is a scan tool that runs the scans, but it is not integrated with a developer-centric model. We need to move more towards that. I have not explored that route with the product. That is one of the things I feel: shift-left, moving web application testing towards the developers.

      On a scale of one to ten, I rate Invicti an eight.

      Which deployment model are you using for this solution?

      On-premises

      If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

      Other
      Disclosure: My company does not have a business relationship with this vendor other than being a customer.