2021 – the year in review

As 2021 comes to an end, it is time to sum up the year to see what it meant for Acunetix, Invicti, and the web application security industry.

The rise of Invicti

2021 was the year when Acunetix became a brand of Invicti Security. The company transition has been going on for a few years already and Invicti, as a company, has already made its appearance before. However, only now have we formally brought our two key products together under one wing.

The brand announcement was followed by yet another big bang. Invicti was recognized on the 2021 Gartner Magic Quadrant for Application Security Testing. And that’s not all – this year brought one more huge change to the company: a $625 million growth investment led by Summit Partners.

Despite being yet another difficult year of the global pandemic, for Invicti, 2021 has been a very successful period and one that we hope is just the beginning of our road to expansion.

Acunetix by Invicti

Along with the new name, Acunetix has continued being one of the leading innovators in the web application security sphere. Here are some of the most important features introduced in 2021:

• Our IAST technology, AcuSensor, has now been extended to support yet another web development platform – Node.js. This is a huge milestone for us, especially as Node.js becomes the solution of choice for more and more web applications.
• We’ve also introduced the target knowledge base, which is a self-learning technology. With every scan, Acunetix learns more about its target and is able to scan it even more efficiently next time.
• Thanks to web asset discovery, Acunetix is now able to discover web assets that potentially belong to you but have not been manually added to your list of targets. This technology has many benefits to businesses of all sizes.
• Acunetix is now not only a DAST/IAST scanner but also a software composition analysis (SCA) solution. Thanks to AcuSensor, we are able to discover libraries and components used by your web application and warn you about those that introduce vulnerabilities.
• Last but not least, we have introduced support for HTTP/2, which allows to cater for a whole new class of HTTP/2 vulnerabilities.

Practice makes perfect

We believe in the power of practical examples. That’s why this year we published even more practical guides to help you use Acunetix efficiently:

• We focused heavily on CI/CD integration through the use of our API. You can easily use this method to integrate with, for example, CircleCI, GitLab, GitHub (along with a shifting left scenario), and Azure DevOps.
• If you have many assets and few resources, remediation often has to wait, so you need integration with a WAF for temporary mitigation. You can do it, for example, with FortiWeb and F5 BigIP ASM. We’ve also released a white paper that explains how to get the most out of your web application firewall.
• We’ve also shown practical examples of how to use our existing features, such as the Login Sequence Recorder, as well as new functionality, such as asset discovery, software composition analysis, and Docker support.
• Last but not least, we’ve described some interesting practical implementation scenarios, such as how to manage scans using Python and the Acunetix API and how to deploy AcuSensor for PHP on AWS Elastic Beanstalk. We’ve also provided general guidance on how to secure your APIs using Acunetix.

State of the market

To defend yourself well, you need to know the current threat landscape. That is where our annual web application vulnerability report comes in, this year published for the first time as the Spring 2021 Invicti AppSec Indicator. This report examines the occurrence of the most serious web application vulnerabilities in real-life targets.

Moving forward a few months, we published our Fall 2021 Invicti AppSec Indicator. This report was based on an extensive survey, focusing on the human factor. Some of the shocking news it has revealed includes the fact that 70% of security teams skip security steps.

In addition to creating our own state of the market reports, we also analyzed the newest OWASP Top 10 2021. Surprisingly, we found that our predictions from the year before were spot on.

Last but not least, we’ve prepared a guide for those who already know they need a web application security solution but are not sure which one is best for them. To help you make up your mind, we have given you the Invicti Web Application Security Buyer’s Guide.

Focus on US federal agencies

One of our key focus areas this year has been the US federal government. This is because the Biden administration is doing a lot of good to push towards a more security-conscious approach. This positive trend began with President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

To help federal agencies follow up on this trend, we’ve released a series of articles on the topic that emphasize the importance of web application security for government agencies, help you build DevSecOps when you’re stuck in waterfall development, and show how to handle disruption and embrace resilience.

We also followed up on developments, keeping federal agencies appraised on new deadlines to secure critical software, the publication of the CISA Zero Trust Maturity Model, the update of the FISMA bill, and the new CISA Binding Operational Directive.

Spotlight on developers, shifting left, and MSSPs

While the traditional model of security by security teams is often still applicable, we believe that businesses will be shifting more and more to self-service security models where developers play the key role. Automation and integration allow security teams to focus elsewhere and developers to handle most web application security on their own.

However, going in that direction is not always easy. Developers often have many reasons to shun security and are not even asked for an opinion on how they prefer to handle web application security. There is also a danger associated with developers taking over security – businesses may have a tendency to focus on code security only, not realizing that web application security is much more than that.

Part of the spotlight on developers is the need to shift left. This is another topic we’ve discussed extensively this year, pointing out major benefits of early security testing, explaining why ad-hoc scanning is not enough, and showing how to decide if shifting left is a good idea for a particular business.

For all those businesses that don’t actually do web development, we’ve made sure you can easily find an MSSP that uses a professional web application security solution – we’ve prepared a special licensing offer for MSSPs that makes it easier for them to use Acunetix to provide web application security services to their clients.

More good reads

In addition to all the above, we’ve covered a variety of topical stories, often expressing our strong opinions on the matter. Here are some of the highlights:

• We’ve explained why open-source vulnerability scanning tools are not enough even for smaller businesses and why DIY security is not the best option.
• We emphasized the need to secure the web supply chain to avoid attacks (such as Log4Shell) as well as the need to implement continuous web application security.
• We warned about having a false sense of security in the cloud, hoping that you realize that you are the only one who can secure and protect your web applications and that you shouldn’t build your web application security on excuses.

We hope you’ve enjoyed the blog this year and aim to bring you even more valuable content next year. Happy 2022!