Hesk Developer Uses Invicti to Automate Web Application Security
The customer is always right, and we at Invicti could not agree more with this statement. So what could be better than an interview with one of our web scanner’s users? In this interview, Klemen Stirn, the project lead, developer and support team for Hesk, explains why he found Invicti to be a great tool for automating and scaling up web application security, thanks to its ease of use and ample support.
Tell us a little more about Hesk and your role in the project.
Believe it or not, Hesk is currently a “one man team”. I fulfill the roles of project lead, developer and support team. Hesk is free Help Desk Software allowing businesses to set up a web ticket-based customer support system. The philosophy behind Hesk is that not everyone needs large and complicated customer support software; there is a need for a small and simple alternative.
Are you able to provide some specific details about the size and scope of Hesk?
Sure, I’ll do my best! Because Hesk is anonymous to download, determining an exact user-base is a little tricky. Looking at the Google Analytics data and download statistics, I would estimate that there are somewhere between 50k-100k installations and active users.
So clearly you have a significant user-base who rely on Hesk being secure. What else can you tell us about the application itself?
I started development of Hesk back in 2005. It was a long, slow process that involved adding both features and functionality over time. I wrote Hesk from the ground up without relying on any framework, and I use only a handful of third-party libraries (including HTML Purifier, POP3/SMTP and JavaScript). At this point in time, the application has over 100k lines of code and growing.
Prior to Invicti Enterprise, how did you approach and deal with the challenge of web application security?
It has been both a challenge and a learning process. Obviously, I needed to pay close attention to any code or application functionality that might result in potential attack vectors — a time-consuming and detail-oriented process.
It has also helped that Hesk ships with source code. As a result, I have benefited from several third-party code reviews performed by pen testers. As well, several vulnerabilities have been reported by Hesk end-users.
How has Invicti Enterprise changed your web application security protocols?
Well, the biggest change is that I now have Hesk installed on a test server. I use Invicti Enterprise to perform full scans as well as any required re-scans. My process now involves using Invicti Enterprise before any new version is pushed into a live environment or made available to the public.
I’ve never relied upon any automated web application security scanners before so this has resulted in a huge improvement in efficiency and confidence.
I’m able to write more secure code because Invicti brings the latest vulnerabilities and best practices to my attention in a timely manner.
I feel more confident that the latest release isn’t introducing new vulnerabilities. Trusting that you’re releasing a secure application (to the best extent possible), makes it easier to sleep at night.
Are there any confirmed and resolved vulnerabilities you’re able to disclose?
Absolutely! Invicti Enterprise found a confirmed XSS vulnerability inside the administrator control panel.
Also, it helped to identify several necessary feature enhancements that included forcing SSL connections, marking cookies as secure and HttpOnly where needed and adding X-Frame-Options tags to assist in preventing Clickjacking.
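The three hardening items just listed (HTTPS enforcement, Secure/HttpOnly cookie flags, X-Frame-Options against clickjacking) are all visible in a single HTTP response, so a developer can verify them on a test server without a full scan. The following is an added example written for this page; it is not code from Hesk or from Invicti. It parses a raw HTTP response and reports which of those controls are missing. The two sample responses are constructed, the cookie name `hesk_session` is invented, and the check uses the Strict-Transport-Security header as its observable signal that HTTPS is being enforced, which is this example's choice rather than something the interview states.

```python
"""Audit an HTTP response for the hardening controls named in the interview:
Secure/HttpOnly cookie flags, X-Frame-Options (or CSP frame-ancestors) and
Strict-Transport-Security as the browser-side signal of enforced HTTPS."""
from typing import List, Tuple

# Constructed sample responses; not captured from Hesk or any real server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: hesk_session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: hesk_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and (lower-cased name, value) headers.
    Header names are case-insensitive per RFC 9110, so they are normalised here."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie: str) -> set:
    """Return the attribute names of a Set-Cookie value (everything after name=value)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return {p.split("=", 1)[0].lower() for p in parts[1:]}


def audit(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    _status, headers = parse_response(raw)
    names = {n for n, _ in headers}
    findings = []

    # Every cookie should carry Secure (never sent over plain HTTP) and HttpOnly
    # (not readable from script, which limits the impact of an XSS bug).
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            attrs = cookie_attributes(value)
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie_name}' missing Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie '{cookie_name}' missing HttpOnly")

    # HSTS tells returning browsers to use HTTPS only; its absence means the
    # server is relying on redirects alone to force SSL.
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security (HTTPS not enforced by browser)")

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must restrict framing. Only DENY and SAMEORIGIN are reliably honoured.
    xfo = next((v for n, v in headers if n == "x-frame-options"), None)
    csp = next((v for n, v in headers if n == "content-security-policy"), None)
    if xfo is None and not (csp and "frame-ancestors" in csp.lower()):
        findings.append("missing X-Frame-Options / CSP frame-ancestors (clickjacking)")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value '{xfo}'")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or ["no findings"])
```

Run it against a captured response from the test server (or feed it the output of a raw socket read) before each release; the empty-list result for the hardened sample is the state to aim for, and the findings for the weak sample mirror the items the scanner flagged.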
Do you have any experiences with Invicti support which you’d like to share?
I don’t — which is a good thing. Invicti is very intuitive and easy to use so I’ve never had to rely on support.
What else can you share about your experience with Invicti Enterprise?
Free software is usually backed by a relatively small number of active developers; in the case of Hesk, it’s a “one man show”.
Because of this, any automated tool that performs a highly-specialized task (for example, a web application security scanner) is a godsend.
Invicti Enterprise is one such tool. It was a breeze to set up. I started my first cloud scan in literally a few minutes. This allowed me to spend precious time and resources on other priorities while waiting for the scan to complete.
Scan results are well organized, prioritized and provide verbose information where needed. For example, as a developer, I found the exact HTTP Request and Response very useful for reproducing issues and pinpointing/fixing them.
At times it felt like having someone looking over my shoulder pointing out even the smallest details that need attention; things that may take very little developer effort to fix, but in the end, help to make web applications like Hesk even more secure.
I have a hard time finding any negative aspects to Invicti Enterprise. It is hands down a great tool — all you could wish for from an automated web security scanner. Easy to use and detailed with a low false positive rate.