In Our Customers’ Words: Mastering Application Security Basics Matters

Uncategorized | Posted on August 28, 2018 by schap

In a recent conversation with a Rapid7 application security customer, I was reminded how much of a security practitioner’s day can be consumed by troubleshooting buggy tools and manually executing the same tasks over and over again (needlessly, may I add). As much as we’d like to think that security professionals’ time is being efficiently utilized, oftentimes inadequate tools, a lack of automation, and organizational silos impede SecOps-driven progress. As an application security vendor, we like to remind security practitioners that sometimes, just getting the basic things right can help immensely.

Enter Rapid7 Application Security

In this conversation, the customer emphasized that the biggest value-adds provided by Rapid7 application security are more sensible in nature compared to the more technologically-opaque offerings and overly-hyped innovations pushed by the security market today. (Machine learning and AI, anyone?) Keep in mind that this isn’t for their lack of experience or know-how: This user is solely responsible for the application security testing of a multi-billion dollar, global enterprise with tens of thousands of employees and hundreds of web applications.

Interested in drilling down to what this particular customer appreciated most from Rapid7’s dynamic web application security testing (DAST) offering? The list included:

  • Transparency into what the scan engine is doing while executing a scan
  • Incremental scan results provided in scenarios when a scan has to be stopped due to other priorities
  • Detailed HTTP request and response traffic for each vulnerability finding, enabling superior validation and root cause analysis
  • Attack Replay, which allows vulnerability findings to be validated directly from reporting without additional scans

AppSec as Agile as Your Environment

Given the complexity of today’s modern web applications, the automated crawling and attacking performed by DAST tools to identify vulns can take hours or even days. Surprisingly, not all DAST tools provide logging detail beyond “scan started” when executing a web app scan. The ugly truth? This means a scan could be running for 48 hours, and you could have no idea if a scanner is actually generating results or simply just hung.

Furthermore, what if that long-running scan needs to be canceled in favor of a higher-priority scan that must be executed ASAP? You would expect that any results generated up until the scan was canceled would still be available so that the interrupted scan wasn’t a total waste of time. Again, this capability isn’t always guaranteed by all DAST tools.

Application vulnerability findings should include more than generic remediation recommendations and links to OWASP and CWE documentation; although (somewhat) useful, this context barely scratches the surface when it comes to vulnerability validation and root cause analysis. Transparency into how the scanner generated a finding, that is, the raw HTTP request sent by the scanner and the response returned by the application, is essential for determining (1) whether a true vulnerability exists, and (2) the technical detail developers need to create a source code patch. DAST tools save precious time by automating the attacks a manual pen tester would use to test an application for vulnerabilities; however, that automation should provide enough transparency for an analyst to understand exactly how a vulnerability was identified.

Finally, Attack Replay is a powerful, time-saving feature that allows consumers of Rapid7 reports to re-send the original attack traffic generated during the scan to validate vulnerability findings and test source code patches. Our interviewed customer, being the only dedicated AppSec engineer, found this feature to be invaluable in reducing the amount of back-and-forth—and ultimately time spent on unnecessary scans—with developers as they work on security bug patches.

Conversations with customers are always enlightening, and the passion of our users never fails to impress. This particular conversation shined a spotlight on how innovations in security technology can be game-changing, but it’s often the smaller, user experience-driven features that make a vendor’s solution stand out.

This article was originally published here.
