APPSEC WITH ZERO NOISE
Security is our DNA
At Invicti our purpose is to propel the world forward by securing every web application and API. That doesn’t happen by having insecure systems. Invicti takes active ownership of and interest in our internal security practices because it’s not only what we do, but who we are.
Dedicated Security Teams
Invicti’s Information Security Team focuses on information security, global security auditing and compliance, and defining the security controls for the protection of Invicti’s environments, products, customers, and partners.
DevSecOps
DevSecOps has simply become the expectation in application security. We believe in DevSecOps so much we built a best-in-class DAST solution centered on DevSecOps AND a world-class pipeline for our internal DevSecOps to ensure the products we provide to customers are secure.
Enterprise Compliance
SOC 2 Type 2
Our SOC 2 Type 2 report validates internal controls and systems related to security availability, processing integrity, confidentiality, and data privacy.
ISO 27001:2022
Our Information Security Management Systems meet international security standards in data protection.
Information Security Policy
Invicti’s commitment to maintaining sound information security practices and controls to protect customer data.
Compliance & Technical Security Statement
Our Compliance & Technical Security Statement is an overview of Invicti’s compliance, security practices, and security controls for our products.
OUR SECURITY PROFILE
For more information on our security controls, to view and download policies, certifications, and documents please visit our Security Profile.
FAQ
Is my personal information protected at Invicti?
Yes, we have a security-by-design mindset in all we do. For more detailed information please read our Privacy Policy.
Will Invicti sell my personal information?
No, we do not and will not sell or share personal information with third parties.
What data do Invicti Solutions collect?
Invicti solutions only collect browser data containing HTTP requests and responses, issue information detected on the target application, and authentication data set during the configuration. This data is stored on our On Demand AWS cloud platform or in our customer’s environments if they have an on-premises installation.
How does Invicti use the data it collects?
Invicti uses the data it collects for the sole purpose of providing the services set out in our Subscription Service Agreement. Data Insights are used internally to manage Customer’s license, for benchmarking purposes, to facilitate Customer’s use of the Invicti Solution, and to maintain, secure, develop, and improve Invicti’s products and services. Data Insights are never sold and are aggregated and anonymized when used by Invicti in any external facing capacity (e.g., identifying average false-positive count, improving vulnerability detection and correlation) so as to never identify the Customer, its Users, or any natural person.
Does Invicti use AI/ML?
Yes, Predictive Risk Scoring is a feature in our enterprise products that embraces the power of AI to help AppSec programs gauge the risk of web applications. Based on an AI model, Invicti evaluates discovered assets and calculates a risk score compiled from up to 220 data points, enabling AppSec teams to easily prioritize their highest-risk applications for testing. The scale that AI enables in risk scoring allows a new automated step in the application testing process before scanning resources are allocated.
Predictive Risk Scoring leverages an AI/ML (or risk score) model to calculate the risk of web assets before a scan is performed. The risk score model was trained by scanning a large number (150,000+) of websites that are part of Bug Bounty and/or VDP (Vulnerability Disclosure Program) programs.
From each one of these websites, we computed 220 features/parameters that are correlated with the security posture of the website.
A few examples of the 220 features that are used:
- the website supports deprecated TLS versions like TLS v1.0
- the copyright year of the website (older websites tend to be more vulnerable)
- number of form inputs
- number of XHR requests
- number of cookies not marked as HttpOnly/Secure
For more information, please read our Predictive Risk Scoring is the way for AppSec AI blog article.