Vulnerability scanning is a process where an automated program is looking for vulnerabilities and security misconfigurations in your web application or network.

Usually, vulnerability scanners execute a predefined workflow to identify any exploitable vulnerability type.

Once a vulnerability scanner has found and verified a valid security flaw, it creates an alert and reports the finding accordingly.

False positives are an incorrect indication of the presence of a vulnerability. For example, a vulnerability scanner may notify you of a Reflective Cross-Site Scripting (CWE-79) vulnerability available as it was successfully able to inject a payload in a document with a non-executable content type (like text/plain). However, the payload will unlikely work as the browser won't render the response as HTML.

We solve this issue by validating every vulnerability found before notifying you (so you don't have to get excited and later realize that it was for nothing).

Most (vulnerability) scanners can contain false-positive results. We can easily remove them from your results as we pass them to our robust Validator Engine. A service capable of validating all types of vulnerabilities before determining their presence and exploitability in a real-world scenario.

This truly depends on how big and complex your web application or API is and your scan configuration.

Yes, we even encourage you to do so to uncover any hidden security flaws that may have had devastating effects if they're left untouched. You can set request headers (including the Cookie and/or Authorization header) when starting a new scan.

You can scan your web application as many times as you want.

However, we do recommend you at least scan your web application each time you push new code.

Throughout our years of experience as web app penetration testers and bug bounty hunters

We sometimes used third-party vulnerability scanners to automate some of our workflows, and it didn't work out well for us.

We had times when we found vulnerabilities while some vulnerability scanners just couldn't, even after pointing out where to scan.

This never allowed us to put our trust in vulnerability scanners. And we found that this should change.

Today, Nova Security is capable of finding vulnerabilities in various contexts, vulnerabilities that otherwise would've been left undetected by other scanners.

That is one key element that sets us apart from our competitors. It's our unfair advantage.

Yes! We have an API in place for you to use in your development cycle.

This will allow your team to fully automate the vulnerability scanning process. Including the creation of support tickets on Atlassian JIRA, GitHub Issues, etc.!

No, we give you the option to set a rate limit to not put excessive load on your client's server(s).

Nova Security is a European-based business and we take privacy seriously. We do not process any of your private data for our own gains nor do we sell it to third-parties. One of our core values is "Privacy", and you will always have full control over your data.

Yes, by default, your data is encrypted at rest (AES) and in transit (TLS).