
Version 2.2 - August 2020

Venari 2.2 adds role-based access control and the ability to control permissions and application data access via new user and group features. New traffic import features enable automatic template generation with default variables. This auto-templating allows full control over the payloads and parameters applied during traffic playback.

Scheduled scans are now configurable from the Venari UI and maintenance windows can be specified so that scans are prevented/suspended during user-definable time spans. Data exports and integrations have been extended with a new compliance reporting framework and the ability to send results as PDF emails and to export job data to ELK.

As with every release, Venari 2.2 expands the set of vulnerability detections via new analysis engine updates and rules.

Highlights

Role-Based Access Control with Users, Groups and Roles

Customized access to applications with specific allowed operations can be achieved using the new Users, Groups and Roles features. The example below shows the following configuration:

  • An application group called Financial (Sec Analyst) is created

    • A banking application and an ecommerce application are added to it
    • The role of Security Analysts is associated with this group
  • A new user joe.tester@example.com is created and given access to the Financial application group created in the previous step
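The resolver below is an added illustration of the users, groups, roles and applications model described above; it is not Venari's code and does not show its actual permission set. The group, role, application and user names are the ones from the configuration above; the operation names ("run_scan", "view_results", "manage_users") and the deny-by-default resolution order are assumptions made for the example.

```python
# Added example, not Venari's code: a deny-by-default resolver for the
# users -> groups -> roles -> applications model. The group, role, application
# and user names come from the page; the operation names and class layout are
# assumptions for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    operations: frozenset          # operations members of this role may perform


@dataclass
class ApplicationGroup:
    name: str
    applications: set = field(default_factory=set)   # application ids in the group
    roles: set = field(default_factory=set)          # roles granted on this group


@dataclass
class User:
    email: str
    groups: set = field(default_factory=set)         # names of groups the user belongs to


class AccessControl:
    def __init__(self):
        self.groups = {}
        self.users = {}

    def add_group(self, group):
        self.groups[group.name] = group

    def add_user(self, user):
        self.users[user.email] = user

    def is_allowed(self, email, operation, application):
        """Allow only if some group the user belongs to contains the application
        and grants a role that permits the operation; everything else is denied."""
        user = self.users.get(email)
        if user is None:
            return False
        for group_name in user.groups:
            group = self.groups.get(group_name)
            if group is None or application not in group.applications:
                continue
            if any(operation in role.operations for role in group.roles):
                return True
        return False

    def visible_applications(self, email):
        """Applications the user can see at all (the application-data-access side)."""
        user = self.users.get(email)
        if user is None:
            return set()
        apps = set()
        for group_name in user.groups:
            group = self.groups.get(group_name)
            if group is not None and group.roles:
                apps |= group.applications
        return apps


def build_example():
    # The configuration from the page: one group, two applications, one role, one user.
    security_analyst = Role("Security Analyst", frozenset({"run_scan", "view_results"}))
    ac = AccessControl()
    ac.add_group(ApplicationGroup("Financial (Sec Analyst)",
                                  {"banking", "ecommerce"}, {security_analyst}))
    ac.add_user(User("joe.tester@example.com", {"Financial (Sec Analyst)"}))
    return ac


if __name__ == "__main__":
    ac = build_example()
    print(ac.is_allowed("joe.tester@example.com", "run_scan", "banking"))       # True
    print(ac.is_allowed("joe.tester@example.com", "run_scan", "hr-portal"))     # False
    print(ac.is_allowed("joe.tester@example.com", "manage_users", "banking"))   # False
```

The point of the resolver is that access is scoped twice: an application outside every group the user belongs to is invisible regardless of role, and an operation the granted role does not list is refused even on an application the user can see.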

Create Application Group

Create User and Assign to Group


Scheduled Scans

Scans can be run on a configurable schedule with optional blacklisted time spans.
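As an added example that is not part of Venari's scheduler, the code below evaluates a scan against a list of blacklisted time spans, including the case the release notes call out: a running scan is suspended when a window opens and resumed when it closes. The "HH:MM-HH:MM" window syntax, the half-open [start, end) convention, the handling of spans that cross midnight and the state names are assumptions for the example.

```python
# Added example, not Venari's scheduler: evaluating a scan against blacklisted
# time spans (maintenance windows). Window syntax, half-open interval
# convention and state names are assumptions.
from datetime import datetime, time


def parse_window(spec):
    """'22:00-02:00' -> (time(22, 0), time(2, 0)). A window whose end is earlier
    than its start is taken to wrap past midnight."""
    start, end = spec.split("-")
    sh, sm = (int(x) for x in start.split(":"))
    eh, em = (int(x) for x in end.split(":"))
    return time(sh, sm), time(eh, em)


def in_window(t, start, end):
    if start <= end:
        return start <= t < end            # same-day span
    return t >= start or t < end           # span crossing midnight


def scan_allowed(now, windows):
    """True when `now` falls outside every blacklisted span."""
    t = now.time()
    return not any(in_window(t, *parse_window(w)) for w in windows)


def next_action(state, now, windows):
    """Decide what the scheduler does on this tick for a scan in `state`."""
    allowed = scan_allowed(now, windows)
    if state == "scheduled":
        return "start" if allowed else "wait"
    if state == "running":
        return "continue" if allowed else "suspend"
    if state == "suspended":
        return "resume" if allowed else "wait"
    raise ValueError("unknown scan state: %r" % state)


if __name__ == "__main__":
    windows = ["22:00-02:00", "12:00-12:30"]   # constructed maintenance windows
    for stamp in ("2020-08-15 09:00", "2020-08-15 12:15", "2020-08-15 23:30",
                  "2020-08-16 01:00", "2020-08-16 02:00"):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, scan_allowed(now, windows), next_action("running", now, windows))
```

Treating the end of a window as exclusive means a scan suspended by a 22:00-02:00 window resumes on the 02:00 tick rather than waiting one more interval; whichever convention a real scheduler picks, it should be applied consistently to the wrap-around branch as well.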

Compliance Framework and OWASP Top 10 Compliance Report

Version 2.2 features a new compliance framework and a formatted OWASP Top 10 compliance report.

The screenshots below show the first few pages of a compliance report.

Auto-Generate Templates for Imported HTTP Traffic

Raw HTTP traffic can now be imported from sources such as Burp, Fiddler or HAR files and can be automatically templated during import. The screenshots below show the result of importing a HAR file collected from the Chrome network tab.

Note the replacement of hard-coded values from the wire traffic with {template} syntax.

Note the creation of variables set to the default values derived from the imported traffic.
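To make the two observations above concrete, here is an added example (not Venari's templating engine) that performs the same transformation on a HAR log: every query-string and form-body parameter is replaced by a {name} placeholder and the recorded value is kept as that variable's default. The HAR content is constructed for the example, and the naming rule goes slightly beyond what the screenshots show by handling the case where the same parameter name is recorded with two different values (it gets a suffixed second variable so neither default is lost); that rule is an assumption.

```python
# Added example, not Venari's templating engine: turn recorded HAR requests into
# templates whose hard-coded values become {name} placeholders, and collect the
# placeholders as variables defaulting to the recorded values. The HAR below is
# constructed for this example; the placeholder naming rule (parameter name,
# with a numeric suffix on collisions) is an assumption.
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://bank.example.com/api/balance?account=12345&currency=USD"}},
    {"request": {"method": "POST", "url": "https://bank.example.com/api/transfer",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "account=12345&amount=250&memo=rent"}}},
    {"request": {"method": "GET",
                 "url": "https://shop.example.com/search?account=99&q=laptop"}},
]}})


def register_variable(variables, name, value):
    """Return the variable name to use for this parameter. The same name with
    the same recorded value shares one variable; a different value gets a
    suffixed variable so both defaults survive."""
    candidate, n = name, 1
    while candidate in variables and variables[candidate] != value:
        n += 1
        candidate = "%s_%d" % (name, n)
    variables.setdefault(candidate, value)
    return candidate


def template_pairs(pairs, variables):
    """Replace each (name, value) pair's value with a {variable} placeholder."""
    return [(name, "{%s}" % register_variable(variables, name, value))
            for name, value in pairs]


def template_har(har_text):
    """Return (templated requests, variables) for every entry in the HAR log."""
    har = json.loads(har_text)
    variables = {}
    requests = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        query = template_pairs(parse_qsl(parts.query, keep_blank_values=True), variables)
        # safe="{}" keeps the placeholder braces unencoded in the rebuilt URL
        url = urlunsplit(parts._replace(query=urlencode(query, safe="{}")))
        body = None
        post = req.get("postData")
        if post and post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
            fields = template_pairs(parse_qsl(post.get("text", ""), keep_blank_values=True),
                                    variables)
            body = urlencode(fields, safe="{}")
        elif post:
            body = post.get("text")      # other body types are kept verbatim here
        requests.append({"method": req["method"], "url": url, "body": body})
    return requests, variables


if __name__ == "__main__":
    reqs, variables = template_har(SAMPLE_HAR)
    for r in reqs:
        print(r["method"], r["url"], r["body"])
    print(variables)
```

Keeping the variables separate from the templates is what makes playback controllable: the defaults reproduce the captured session exactly, and overriding a single variable (an account id, a currency) changes every request that references it without editing the templates.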

New Exports

Version 2.2 allows data to be sent to ELK (Elasticsearch, Logstash and Kibana) and for generated PDFs to be automatically emailed.

New Vulnerability Detection Rules

New AppSec rules include:

  • Unrestricted failed logins
  • Unrestricted file upload
  • XSS weakness
  • Drupal
  • Open API definition inspections