[A version of this blog was originally posted on September 24, 2014]
It's a well-known fact that it costs less to fix security defects earlier in the software development lifecycle than later. But because most security professionals are experts in security and less familiar with applications, and QA teams are experts in applications and less familiar with security, integrating security testing earlier in the software development lifecycle can be a challenge. Rapid7 is changing that in a big way.
As innovators in web application security scanning, we are always thinking about how we can continue to push ourselves and deliver world-class scanning to our customers. One of the things we have done is enhance our web application security scanner, AppSpider (formerly NTOSpider), to integrate with the browser automation tool Selenium, helping companies bridge the gap between software development and security testing.
Here's how it works. First, you may already be familiar with Selenium. It is widely used by software development and QA teams to automate the functional testing of web applications: users record a series of browser interactions (logging in, filling out forms, stepping through a workflow), replay them, and analyze the results. The AppSpider and Selenium integration lets security teams reuse those recorded workflows so that security defects are detected automatically and earlier in the software development lifecycle, for example during the nightly build process. As a result, security teams can improve web application security with minimal additional cost and without pulling development or QA teams away from their own work.
Our latest version of AppSpider supports two methods of Selenium integration:
- It executes the Selenium script directly while the scan is running, so the scanner always works from a freshly established session rather than a possibly expired one.
- It imports the output of a previously executed script, which speeds up testing as long as the session that run captured is still valid.
In addition to improving web application security testing, AppSpider's integration with Selenium can also be used to automate complex authentication flows and specific application workflows, such as shopping cart sequences, so the scanner reaches pages that a crawler could not discover on its own.
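What the "application knowledge built into Selenium" looks like in practice, as an added example that is not code from the original post, from AppSpider or from Rapid7: a Python Selenium WebDriver workflow of the kind a QA team writes, logging in and then walking a shopping cart sequence, with a check for session loss and the session artifacts a scanner needs afterwards. The hostname shop.example.test, the element ids and the "logged-out" page markers are assumptions about a hypothetical shop; the selenium package and a browser driver must be installed to run the browser part.

```python
"""Added example (not AppSpider's or Rapid7's code): a QA-style Selenium
WebDriver workflow that logs in and adds an item to the cart, then hands the
resulting session to a scanner. The hostname, element ids and the
logged-out markers are assumptions about a hypothetical test deployment."""
import re

BASE_URL = "http://shop.example.test"          # assumption: a staging deployment

# If any of these appear in a page, the session is gone and the login form is
# being shown again. The markers are assumptions for the hypothetical app.
LOGGED_OUT_MARKERS = (
    re.compile(r'<form[^>]*action="/login"', re.I),
    re.compile(r'<input[^>]*name="password"', re.I),
)


def session_is_live(page_source: str) -> bool:
    """Heuristic check a scanner runs on every response: True while the page
    does not look like the login form, False once the session has expired."""
    return not any(m.search(page_source) for m in LOGGED_OUT_MARKERS)


def cookie_header(cookies) -> str:
    """Fold WebDriver cookie dicts into one Cookie header value, the part of a
    recorded run a scanner needs to keep acting as the logged-in user."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


def login(driver, username, password):
    """Step 1 of the recorded workflow: submit the login form."""
    driver.get(f"{BASE_URL}/login")
    driver.find_element("id", "username").send_keys(username)
    driver.find_element("id", "password").send_keys(password)
    driver.find_element("css selector", "button[type=submit]").click()


def add_to_cart(driver, sku):
    """Step 2: the shopping cart sequence a crawler cannot discover by itself."""
    driver.get(f"{BASE_URL}/product/{sku}")
    driver.find_element("id", "add-to-cart").click()
    driver.get(f"{BASE_URL}/cart")


def run_workflow(username, password, sku, driver=None):
    """Execute the workflow live (the first integration mode) and return what
    the second mode would import from a previous run: visited URLs and the
    session cookies. `driver` defaults to Firefox; pass any WebDriver to
    reuse an existing browser."""
    if driver is None:
        from selenium import webdriver  # imported here so the helpers above
        driver = webdriver.Firefox()    # work without a browser installed
    driver.implicitly_wait(5)
    visited = []
    try:
        login(driver, username, password)
        visited.append(driver.current_url)
        add_to_cart(driver, sku)
        visited.append(driver.current_url)
        # The reason to execute live rather than import a stale recording:
        # if the session died mid-workflow, log in again instead of scanning
        # an unauthenticated view of the site.
        if not session_is_live(driver.page_source):
            login(driver, username, password)
            add_to_cart(driver, sku)
        return {
            "cookie": cookie_header(driver.get_cookies()),
            "urls": visited,
            "authenticated": session_is_live(driver.page_source),
        }
    finally:
        driver.quit()


if __name__ == "__main__":
    print(run_workflow("qa-user", "qa-password", "sku-1234"))
```

Run live, this is the first integration mode; the dictionary it returns (session cookie header plus the URLs reached) is the kind of artifact the second mode imports from an earlier run, and `session_is_live` is the check that tells you whether such an import is still usable or the login step has to be executed again.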
AppSpider offers development/QA and security teams an exciting opportunity to finally close the knowledge gap that often exists between them and develop more secure web applications at a lower cost. If you'd like to learn more about the benefits of integrating web application security scanners with Selenium or how AppSpider can “piggy-back” on the application knowledge built into Selenium, I encourage you to download our white paper, The Case for Integrating Selenium and Application Security Testing.
This becomes even more interesting when you hook all this together with a Continuous Integration solution such as Jenkins. In this model, AppSpider scans are launched against the latest build of the application in a fully automated fashion.
And while the integration of Selenium is an exciting one, we are off and running on our next enhancement. More on that soon!
Until then, scan your apps or face attack!