[This is a copy of my blog post on the Rapid7 site – https://www.rapid7.com/blog/post/2019/05/02/how-insightappsec-can-help-you-improve-your-approach-to-application-security/]
This is part three of a three-part series on application security. Need to catch up? Check out the other blogs in our series:
Part 1: 5 Considerations When Creating an Application Security Program
Part 2: How to Choose the Right Application Security Tool for Your Organization
Compare how modern web applications are built and behave with how they were built years ago and it is obvious how much development practices have changed, and how security testing needs to change along with them. Dynamic frontends, multiple backend services handling large volumes of data, and a mix of programming languages are all common in modern application development, and security scanners need to account for each of them.
Because of the way apps are built today, static application security scanners on their own can no longer do the whole job. This is where dynamic application security testing (DAST) comes in. In this post, we'll explore why modern apps require modern testing and how our DAST tool, InsightAppSec, addresses the needs application security teams ask for most.
Related Video: Securing Complex Web Applications with DAST Solutions
Modern scanning for modern applications
Fast-moving applications with many components and programming languages require an advanced approach to testing. A modern DAST suits today's applications because it exercises the app in its running state, including the complex backends behind it. That gives you a precise view of the web application vulnerabilities and misconfigurations actually present, so a release does not go out with a flaw that a static scanner was never equipped to find.
Today, applications can be built on just about any platform and in any number of programming languages. Most are a collection of services, built in sprint-based development that delivers one micro-feature after another and stitched together by complex backends. A static scanner analyzes one codebase at a time; it cannot exercise all of these services together as they run, let alone combine the results into a meaningful picture of the risks and vulnerabilities.
In simpler times, you could scan a single codebase that encompassed the entire app and get a comprehensive view of everything going on. You could also get away with testing the app during pre-production (in fact, this was really the only way to do it!), but this no longer applies today. Now, applications need to be tested in their running state to see how they’re truly operating and what’s happening that could lead to a security vulnerability.
InsightAppSec: Scanning the latest and greatest
Meet InsightAppSec, one of the most advanced DAST solutions on the market today. We’re constantly adding support for new development techniques and tools to ensure no matter how advanced or complex your web app is, InsightAppSec can crawl it with the greatest level of accuracy to give you useful and actionable data.
For starters, most apps today rely on APIs. We were the very first DAST solution to add an integration for Swagger (the API description format now standardized as OpenAPI), so the documentation developers already write for their APIs tells InsightAppSec which endpoints, methods and parameters exist and lets it crawl the API effectively no matter how it's built. Whereas many security tools dictate how you build your apps to fit their scanners, we fit our scanner to how you choose to build your APIs. Even if you don't have documentation (yet), our DAST can still scan the API, but with documentation the coverage is more complete and the output more tailored.
Many applications today are built on single page application (SPA) frameworks. A SPA renders its pages and builds its routes in the browser, in JavaScript, so a crawler that only follows links in server-rendered HTML sees very little of it, which is why many static scanners aren't equipped for SPAs. As more developers turn to these frameworks to build websites and applications, it's becoming critical that SPAs are part of the scanning process, and their dynamic nature makes them prime candidates for DAST. InsightAppSec is one of the most advanced scanners for SPA frameworks: it supports Angular 1, 2, 4, 5, 6, and 7, React 15 and 16, and Knockout JS.
InsightAppSec also integrates with browser automation tools such as Selenium, so the functional tests you already write to drive the frontend (logins, multi-step forms, workflows) also teach the scanner how the dynamic frontend behaves, producing better attacks and results.
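To make the API-documentation point concrete, here is an added example written for this post (it is not InsightAppSec's own code and does not show how its Swagger integration is implemented). It reads a Swagger 2.0 document, turns every documented operation into a well-formed seed request, records each parameter as an injection point, and then substitutes a payload at one of those points. The embedded document, the host `api.example.test`, and the function names (`load_spec`, `discover`, `render_url`, `inject`) are all constructed for illustration; a real scanner would fetch the document from the target rather than embed it.

```python
"""Turn a Swagger/OpenAPI document into crawl seeds and injection points.

Added example for this post, not InsightAppSec's own code. The Swagger 2.0
document below is constructed; a real DAST fetches it from the target
(typically /swagger.json) instead of embedding it.
"""
import copy
import json
from urllib.parse import quote, urlencode

# Constructed Swagger 2.0 fragment: three operations on a hypothetical host.
SWAGGER_JSON = '''{
  "swagger": "2.0", "host": "api.example.test", "basePath": "/v1", "schemes": ["https"],
  "paths": {
    "/users/{id}": {
      "get": {"parameters": [
        {"name": "id", "in": "path", "required": true, "type": "integer"},
        {"name": "fields", "in": "query", "required": false, "type": "string"}]},
      "delete": {"parameters": [
        {"name": "id", "in": "path", "required": true, "type": "integer"}]}
    },
    "/search": {
      "post": {"consumes": ["application/json"], "parameters": [
        {"name": "body", "in": "body", "required": true,
         "schema": {"type": "object", "properties": {
           "q": {"type": "string"}, "limit": {"type": "integer"}}}}]}
    }
  }
}'''

HTTP_METHODS = ("get", "post", "put", "patch", "delete")
SAMPLE_BY_TYPE = {"integer": 1, "number": 1.5, "boolean": True, "string": "a"}


def load_spec(text=SWAGGER_JSON):
    return json.loads(text)


def sample_value(schema):
    """Schema-valid placeholder so the seed request is well-formed before any attack."""
    kind = schema.get("type", "string")
    if kind == "object":
        return {k: sample_value(v) for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [sample_value(schema.get("items", {"type": "string"}))]
    return SAMPLE_BY_TYPE.get(kind, "a")


def discover(spec):
    """One seed per documented operation, each parameter recorded as an injection point."""
    base = f"{spec.get('schemes', ['https'])[0]}://{spec['host']}{spec.get('basePath', '')}"
    seeds = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # "parameters", "$ref" and vendor keys are not operations
            seed = {"method": method.upper(), "base": base, "path": path,
                    "path_params": {}, "query": {}, "body": None, "points": []}
            for param in op.get("parameters", []):
                loc, name = param["in"], param["name"]
                if loc == "path":
                    seed["path_params"][name] = sample_value(param)
                elif loc == "query":
                    seed["query"][name] = sample_value(param)
                elif loc == "body":
                    seed["body"] = sample_value(param["schema"])
                    if isinstance(seed["body"], dict):
                        seed["points"].extend(("body", k) for k in seed["body"])
                    continue
                else:
                    continue  # header and formData parameters omitted for brevity
                seed["points"].append((loc, name))
            seeds.append(seed)
    return seeds


def render_url(seed):
    """Concrete URL for a seed; path values are percent-encoded so a payload cannot escape its segment."""
    path = seed["path"]
    for name, value in seed["path_params"].items():
        path = path.replace("{" + name + "}", quote(str(value), safe=""))
    if "{" in path:
        raise ValueError(f"undocumented path parameter in {seed['path']}")
    url = seed["base"] + path
    if seed["query"]:
        url += "?" + urlencode(seed["query"])
    return url


def inject(seed, point, payload):
    """Copy of `seed` with `payload` substituted at one discovered injection point."""
    loc, name = point
    attacked = copy.deepcopy(seed)
    attacked[{"path": "path_params", "query": "query", "body": "body"}[loc]][name] = payload
    return attacked


if __name__ == "__main__":
    for s in discover(load_spec()):
        print(s["method"], render_url(s), s["points"])
```

The `render_url` check for a leftover `{` is the kind of caveat worth keeping: a path template that declares a placeholder with no matching parameter is a documentation gap, and silently sending the literal braces would hide an endpoint from the crawl rather than test it.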
Testing is meaningless without accurate discovery
One of the most important (and arguably the hardest) elements of DAST is the discovery process. This is where a web application scanner learns about all the elements of an app so it can effectively attack it. As the saying goes, "You can't attack what you can't see": if a scanner doesn't know a page, endpoint or parameter exists, it can't be tested. This is a large part of why static scanners fall short on modern apps, but it's also an important consideration for any DAST solution you use.
InsightAppSec handles discovery particularly well thanks to our Swagger and Selenium integrations and our SPA framework support. These integrations keep our scanner current with development practices so that as little of your app as possible goes unseen. We continue to push the limits of what we can discover, because we never want your application to go out without you knowing exactly what's going on deep inside.
With proper discovery, testing can reveal every detail you need to know about an attack: the exact request that was sent, what was affected, and which techniques worked. This level of detail can overwhelm development teams that are not well-trained in security, which is why InsightAppSec includes an Attack Replay feature. This Chrome plugin replays the attack so the development team can watch it unfold in the browser rather than read through jargon-heavy reports. They see exactly which elements of the app were affected and where to fix the issue(s). Not only does this make remediation easier, it also lends credibility to the security team, reduces friction, and lets both teams speak the same language.
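To show what a replayable finding has to carry, here is an added example written for this post (it is not InsightAppSec or its Attack Replay plugin, which replays in the browser). It records one reflected cross-site scripting finding as the exact request plus the evidence the response must contain, re-issues the request, and reports whether the issue still reproduces together with the response context a developer needs to see. The host `shop.example.test`, the marker string, and the two handlers (`vulnerable_search`, and `fixed_search` after the developer adds output escaping) are constructed stand-ins for a real endpoint so the replay runs offline; against a real target the same record would be sent over HTTP.

```python
"""Replay a recorded reflected-XSS finding and check whether it still reproduces.

Added example, not InsightAppSec or its Attack Replay plugin. The handlers are
constructed stand-ins for a web endpoint so the replay runs offline.
"""
import html
from urllib.parse import parse_qs, urlsplit

# A finding as a scanner would record it: the exact request that worked and the
# evidence the response must contain for the issue to count as reproduced.
# Host, parameter and marker are hypothetical.
FINDING = {
    "name": "Reflected cross-site scripting",
    "request": {"method": "GET",
                "url": "https://shop.example.test/search?q=%3Cdast7f3a%3E&page=1"},
    "parameter": "q",
    "payload": "<dast7f3a>",   # inert marker tag, not a working exploit
    "evidence": "<dast7f3a>",  # must appear verbatim (unencoded) in the body
}


def vulnerable_search(method, url):
    """Constructed endpoint that echoes the search term into HTML unescaped."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return 200, f"<h1>Results for {q}</h1>"


def fixed_search(method, url):
    """The same endpoint after the developer escapes output."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return 200, f"<h1>Results for {html.escape(q)}</h1>"


def replay(finding, send):
    """Re-issue the recorded request through `send(method, url)` and judge the result."""
    status, body = send(finding["request"]["method"], finding["request"]["url"])
    idx = body.find(finding["evidence"])
    reproduced = idx != -1
    return {
        "reproduced": reproduced,
        "status": status,
        "parameter": finding["parameter"],
        "payload": finding["payload"],
        # A short window around the evidence is what a developer actually needs to see.
        "context": (body[max(0, idx - 20): idx + len(finding["evidence"]) + 20]
                    if reproduced else None),
    }


if __name__ == "__main__":
    print("before fix:", replay(FINDING, vulnerable_search))
    print("after fix: ", replay(FINDING, fixed_search))
```

Checking for the marker verbatim, rather than for any reflection of the input, is deliberate: after the fix the term is still reflected, but as `&lt;dast7f3a&gt;`, and that is exactly the difference between a finding that reproduces and one that is resolved.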
To see all of these advanced features in action and how you can benefit from taking the most complete approach to web application security testing, check out a demo of InsightAppSec. You even have the option to scan our site for vulnerabilities before scanning yours to give you a taste for the process.