
FAQ

Can NightVision scan applications deployed on our corporate VPN or publicly accessible applications?


Yes, both. We can scan applications or APIs in your private cloud or on premises as long as the scanner can reach our API; you don't need to expose your application to the internet. Our tool is a Go binary that can run inside your GitHub Actions runner against http://localhost:3000, or it can scan an application at an internal URL such as http://internal.company.com. Either scenario works.

Does NightVision require access to our source code? Does NightVision upload any code?


When using our API Envy product, the static analysis runs inside the Go binary in your environment, and your code never leaves that environment. What we upload is metadata about the code, such as the fact that an endpoint for a REST API exists: the place in the code where the endpoint is declared (for example, a PostMapping or GetMapping annotation in Java Spring), together with the declaration's file path and line number. We don't upload any business logic or actual code.
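To make the distinction concrete, here is an added illustration (not NightVision's code, and not a description of how API Envy is implemented) of the kind of record the answer above describes. It walks a constructed Spring controller, keeps only the mapping annotations with their file path and line number, and shows that the handler bodies never reach the output. The sample source, the `EndpointMeta` record layout, and the helper names are all assumptions for this example.

```python
"""Illustration of endpoint-metadata extraction from Java Spring source.

Added example, not NightVision's implementation: it emits only the
annotation, file path, line number, method and path for each handler,
and never the handler body.
"""
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass

# Constructed sample controller (not from any real project).
SAMPLE_JAVA = '''\
package com.example.orders;

import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/orders")
public class OrderController {

    @GetMapping("/{id}")
    public Order get(@PathVariable long id) {
        return repo.findById(id);            // business logic: never emitted
    }

    @PostMapping(value = "/", consumes = "application/json")
    public Order create(@RequestBody Order o) {
        return repo.save(o);
    }

    @RequestMapping(path = "/{id}", method = RequestMethod.DELETE)
    public void remove(@PathVariable long id) {
        repo.delete(id);
    }
}
'''

# Matches a single-line Spring mapping annotation and captures its arguments.
MAPPING_RE = re.compile(
    r"@(?P<ann>(?:Get|Post|Put|Delete|Patch|Request)Mapping)\s*(?:\((?P<args>[^)]*)\))?"
)


@dataclass
class EndpointMeta:
    file: str        # where the declaration lives
    line: int        # 1-based line of the annotation
    annotation: str  # e.g. "PostMapping"
    method: str      # HTTP method implied by the annotation
    path: str        # class-level prefix joined with the handler path


def _mapping_path(args: str | None) -> str:
    """Path literal from the annotation arguments: value=, path=, or positional."""
    if not args:
        return ""
    m = re.search(r'\b(?:value|path)\s*=\s*"([^"]*)"', args)
    if m:
        return m.group(1)
    m = re.match(r'\s*"([^"]*)"', args)
    return m.group(1) if m else ""


def _join(prefix: str, path: str) -> str:
    full = prefix.rstrip("/") + "/" + path.lstrip("/") if prefix else path
    return full.rstrip("/") or "/"


def extract_endpoints(source: str, file_path: str) -> list[EndpointMeta]:
    """Walk the file line by line; only annotation lines produce output.

    Assumes one annotation per line and a single class per file, which is
    enough for the illustration; a real tool would work from the Java AST.
    """
    endpoints: list[EndpointMeta] = []
    prefix = ""
    seen_class = False
    for lineno, text in enumerate(source.splitlines(), start=1):
        if not seen_class and re.search(r"\bclass\b", text):
            seen_class = True
        m = MAPPING_RE.search(text)
        if not m:
            continue  # every non-annotation line, including bodies, is skipped
        ann, args = m.group("ann"), m.group("args")
        path = _mapping_path(args)
        if not seen_class:
            prefix = path  # @RequestMapping above the class prefixes all handlers
            continue
        if ann == "RequestMapping":
            mm = re.search(r"RequestMethod\.(\w+)", args or "")
            method = mm.group(1) if mm else "ANY"
        else:
            method = ann[: -len("Mapping")].upper()
        endpoints.append(EndpointMeta(file_path, lineno, ann, method, _join(prefix, path)))
    return endpoints


def to_json(endpoints: list[EndpointMeta]) -> str:
    """Serialize the records; the output contains no source text."""
    return json.dumps([asdict(e) for e in endpoints], indent=2)


if __name__ == "__main__":
    print(to_json(extract_endpoints(SAMPLE_JAVA, "src/main/java/com/example/orders/OrderController.java")))
```

Running it prints three records (GET /api/orders/{id} at line 9, POST /api/orders at line 14, DELETE /api/orders/{id} at line 19). Nothing from inside the method bodies, such as the `repo` calls, appears in the serialized output, which is the property the answer above relies on.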

Our experience is that applications running under Docker Compose can generally handle many parallel users browsing the site. For example, if we run 40 browsers in parallel against an application hosted with Docker Compose on an EC2 instance, it is unlikely to go down. Most applications should handle that level of parallel browsing without issue.

We don't have an issue with testing applications behind a WAF, but we recommend testing without a WAF or in a staging environment. Our strengths lie in the CI/CD pipeline, where we can quickly test applications deployed locally with tools like Minikube and Docker Compose, or in staging environments.

NightVision primarily focuses on testing the application itself and finding vulnerabilities within it, rather than testing the effectiveness of the WAF rules. Testing your WAF rules in production is still important, but NightVision is most valuable for detecting vulnerabilities in your application before they're exposed to potential attacks.

Testing a staging environment or a copy of the application without a WAF gives more accurate results: a WAF that blocks the scanner's requests hides the application's own behaviour, so a vulnerability the WAF happens to shield today is not reported. Ultimately, it's up to your team to decide the best approach for your specific application and security needs.

Do we need to authorize any IP addresses to use NightVision?


If your company uses a corporate firewall, yes. You should authorize the following IP addresses:

44.210.184.14
3.210.133.44
18.210.3.10
52.207.103.176
52.201.44.112
50.17.248.188