Netsparker adds IAST support for Node.js | Netsparker
What is Node.js and why is it important?
Why some of the world’s biggest websites use Node.js
While Node.js may not look significant when judged purely by the number of active sites that use it (currently about 1.5% of all websites), over half of all web developers use it. Because the Node.js runtime is heavily optimized for performance, it is the back-end technology of choice for some of the world’s highest-traffic sites, including Netflix, eBay, Uber, and many others. See this post for more Node.js stats, for example that migrating from Java to Node.js can not only bring massive performance gains but also boost productivity and reduce costs.
Getting to the core of application security with DAST+IAST
This is where Invicti’s DAST-driven true IAST approach can help by providing inside information on how security checks and test payloads are processed. A technology-specific IAST agent deployed in the application environment attaches to the runtime during dynamic testing and continuously communicates with the core vulnerability scanner, delivering server-side insights that would normally be inaccessible during a DAST-only scan. For Netsparker, supported server-side technologies include PHP, .NET, Java – and now also Node.js.
New Node.js agent for Netsparker Shark
To get additional details about vulnerabilities found in Node.js applications, you can now deploy a dedicated IAST agent in your Node.js application environment. This is as simple as copying the agent file to your server machine and launching it together with the application you will be testing. Once deployed, the agent will provide the main DAST scanner with extra information about application behavior during vulnerability testing.
Armed with additional IAST insights delivered in vulnerability reports, developers can isolate the location and root causes of security defects more quickly. For example, a DAST+IAST report for an SQL injection vulnerability will indicate not only the file and line of code but also the actual SQL query that was executed during testing. Combined with technical details of the vulnerability and remediation guidance, this helps developers understand why the test attack was possible and how to correctly fix the vulnerability.
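To make the DAST+IAST idea concrete, here is a small added example (not Netsparker's agent or any Invicti code) showing what a runtime hook in Node.js can observe: it wraps a database driver's query function to record the SQL actually executed together with the call site, and runs it against a vulnerable string-concatenated query and its parameterized fix. The `db` driver object and the test input are constructed stand-ins, and `instrument`, `findUserUnsafe` and `findUserSafe` are hypothetical names.

```javascript
// Constructed stand-in for a database driver: it only records what it would run.
const db = {
  query(sql, params = []) {
    return { sql, params };
  },
};

// Records every statement seen by the hook (cleared by runDemo below).
const executedQueries = [];

// IAST-style hook: replace driver.query() with a wrapper that captures the
// executed SQL, its bound parameters and the caller's location from the
// stack trace, then forwards the call to the original function.
function instrument(driver) {
  const original = driver.query.bind(driver);
  driver.query = function (sql, params) {
    const frames = new Error().stack.split('\n');
    const callSite = (frames[2] || '').trim(); // frame of the code that issued the query
    executedQueries.push({ sql, params: params || [], callSite });
    return original(sql, params);
  };
}

// Vulnerable form: untrusted input is concatenated into the statement text,
// so the recorded SQL contains the input verbatim.
function findUserUnsafe(username) {
  return db.query("SELECT * FROM users WHERE name = '" + username + "'");
}

// Fixed form: a parameterized query; the input is bound separately and never
// changes the SQL text, which is exactly what the recorded query shows.
function findUserSafe(username) {
  return db.query('SELECT * FROM users WHERE name = ?', [username]);
}

// Runs both handlers with the same input and returns what the hook captured.
function runDemo(input) {
  executedQueries.length = 0;
  findUserUnsafe(input);
  findUserSafe(input);
  return executedQueries.slice();
}

instrument(db);
// Constructed test input of the kind a DAST scanner sends during an injection check.
const recorded = runDemo("alice' OR 1=1 --");
console.log(recorded.map((q) => `${q.sql} | params=${JSON.stringify(q.params)}`).join('\n'));
```

The first recorded statement is the kind of detail an IAST agent adds to a report: the full query that ran, with the test input embedded in it, next to the location that issued it.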