Is your Dynamic Application Security Testing (DAST) solution leaving you exposed?
We all know the story of the Emperor's New Clothes. A dapper Emperor is convinced by a tailor that he has the most incredible set of clothes that are only visible to the wise. The emperor purchases them, but cannot see them because it is just a ruse. There are no clothes. Unwilling to admit that he doesn't see the clothes, he wanders out in public in front of all of his subjects, proclaiming the clothes' beauty until a child screams out that the Emperor is naked.
If there is one thing we know for sure in application security, it's that applications continue to evolve. This evolution continues at such a rapid pace that both security teams and vendors have trouble keeping pace.
Over the last several years, there have been a few major evolutions in how applications are being built. For several years now, we have been security testing multi-page AJAX driven applications powered by APIs and now we're seeing more and more Single Page Applications (SPAs). And this is happening across all industries and at organizations of all sizes.
Take Gmail for example, in the image below, you can see one of the original versions of Gmail compared to a more recent versions. Today's Gmail is a classic example of a modern application.
So, as security professionals, we have built our programs around automated solutions, like DAST, but how are DAST solutions keeping up with these changes?
DAST Solutions - The Widening Coverage Gap
Unfortunately, most application security scanners have failed to keep up with these relatively recent evolutions. Web scanners were originally architected in the days of classic web applications when the applications were static and relatively simple HTML pages. While scanners have never and will never cover an entire web application, they should cover as much as possible. Unfortunately, the coverage gap has widened in recent years forcing security teams to conduct even more manual testing particularly of APIs and Single Page Applications. But with over-burdened and under-resourced application security teams, testing by hand just doesn't cut it.
Of course, we don't think manual testing is an acceptable solution. Application security teams and application scanners can and should close this coverage gap with automation to improve both the efficiency (reduce manual efforts) and effectiveness (find more vulnerabilities) of security efforts.
If this is something that interests you, you have come to the right place!
Keeping up with application technology is one of our specialties. The application security research team at Rapid7 has been committed to maximum coverage since AppSpider was created. Our customers rely on us to keep up with the latest application technologies and attack techniques so that they can leverage the power of automation to deliver a more effective application security program.
If your solution isn't effectively addressing your applications and you are looking for a way to test APIs, dynamic clients and SPAs more automatically. Download a Free Trial of AppSpider today!
To learn more, visit www.rapid7.com.
For more information on how to reduce your application security exposure, check out these resources: