As more and more companies shift the responsibility of security earlier in the software development lifecycle (SDLC), DevOps teams are being tasked with detecting vulnerabilities within their applications. Already scrambling to keep up with the terminology, processes, and technologies of modern-day security, DevOps teams also have to contend with the dynamic complexities of securing web apps. As we explain in this whitepaper, security can be seamlessly layered onto existing DevOps processes and technologies, giving teams confidence that they’re not deploying web apps with unknown vulnerabilities that could expose them to malicious attackers.
In this post, you’ll learn how to gain visibility—wide and deep—into web applications using dynamic application security testing (or DAST).
1. Unify tools and activities: Your bird’s eye view
With more endpoints open to the web, more applications talking to each other, and data points flying in left and right, how can you begin to spot real vulnerabilities? This is the challenge more and more security and DevOps teams are faced with today, and it only multiplies as tool sets grow, each is managed independently from the others, and there are varying user permission levels and data types.
So, how can you get a hold of it all, gain visibility into a myriad of data points and endpoints, and effectively protect your operations? And how can you monitor all of this while your applications are running? (No word makes your other stakeholders cringe like “downtime.”) This is where DAST solutions like AppSpider come in. Able to integrate with modern DevOps tools, they serve as the unifying layer to streamline and simplify web application security for DevOps pros.
With a single place from which to monitor for anomalous security activities, it’s a lot easier for a security novice like a DevOps pro to gain deep visibility and quick insight into potential security issues, without having to do so manually across 10, 20, 30, or more tools.
2. Translate and normalize events: Making sense of multiple data types
It’s great to have a single viewpoint from which to detect and analyze potential security issues, but what happens when your tools all speak a different language and report data differently? This is where many teams run into false positives and a lot of confusion.
DevOps teams are able to solve this using AppSpider's Universal Translator, which acts as a bridge between the two key functions of DAST: discovery of exploitable vulnerabilities in an application and live simulation of attacks. The Universal Translator takes all the inputs a web application accepts (including formats, protocols, and development techniques), normalizes the data into a common universal language, and can then attack it with over 90 different modules.
DAST is particularly useful for DevOps teams because it not only integrates with all the tools, but also analyzes data for you and presents it in a language you can understand. This means you can quickly interpret and take action on vulnerabilities to ensure the apps you push to production are vuln-free. Even more, this can all be done dynamically so that there is zero impact on the SDLC.
3. Monitor in front of and behind the login screen: A dual approach
Web application security can be complex because most apps today have both a logged-out and a logged-in state. Vulnerabilities can exist in both, and so both must be monitored. That’s why traditional web crawling doesn’t cut it here—it can only scan websites and anything outside of the login functionality. It is not designed to get past two-factor authentication (2FA) to scan within the application itself. This is often where the most valuable data lies, and where most attackers look to exploit.
A unique capability of AppSpider is that you can integrate with Swagger or Selenium and leverage API definitions and automated test scripts to enhance security test coverage of apps and APIs. These two tools are commonly used in the DevOps workflow to test the functionality of an app, and they can be further leveraged for security purposes when used with AppSpider.
Let’s take the Selenium integration as an example. Just like you can run Selenium test scripts to verify website login functionality, you can also use these scripts in AppSpider to authenticate with an application, thus enhancing security test coverage to include areas behind a login screen.
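To make the coverage argument concrete, here is an added example (not AppSpider's code, and not a real Selenium or Swagger integration): a constructed in-process toy app, a stand-in for a replayed login script, and a tiny link-following crawler that reports which paths a scan actually reaches with and without an authenticated session and an OpenAPI seed. All routes, credentials and the session cookie are constructed for the illustration.

```python
import re

# Constructed toy application: path -> (requires_login, body served to the client)
APP = {
    "/": (False, '<a href="/about">about</a> <a href="/login">login</a>'),
    "/about": (False, "<p>public</p>"),
    "/login": (False, '<form action="/login" method="post"></form>'),
    "/account": (True, '<a href="/account/export">export</a>'),
    "/account/export": (True, "<p>csv</p>"),
    "/api/v1/orders": (True, '{"orders": []}'),  # never linked; only in the API definition
}
# Constructed OpenAPI fragment standing in for the Swagger definition a scanner can consume
OPENAPI = {"paths": {"/api/v1/orders": {"get": {}}}}
VALID_SESSION = "session=abc123"  # constructed session cookie value

def fetch(path, cookie=None):
    """Return (status, body) as an HTTP client would see it for this toy app."""
    if path not in APP:
        return 404, ""
    needs_login, body = APP[path]
    if needs_login and cookie != VALID_SESSION:
        return 302, ""  # bounced to /login: an unauthenticated crawler learns nothing here
    return 200, body

def replay_login_script(user, password):
    """Stand-in for replaying a recorded Selenium login: returns (cookie, landing page)."""
    if (user, password) == ("tester", "s3cret"):  # constructed test account
        return VALID_SESSION, "/account"
    return None, "/login"

def crawl(seeds, cookie=None):
    """Breadth-first crawl following href links; returns the set of paths that answered 200."""
    seen, todo, reached = set(), list(seeds), set()
    while todo:
        path = todo.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(path, cookie)
        if status == 200:
            reached.add(path)
            todo.extend(re.findall(r'href="([^"]+)"', body))
    return reached

def coverage(authenticated, use_api_definition):
    """Paths a scan reaches under the given setup; the gap between runs is the blind spot."""
    cookie, seeds = None, ["/"]
    if authenticated:
        cookie, landing = replay_login_script("tester", "s3cret")
        seeds.append(landing)
    if use_api_definition:
        seeds += list(OPENAPI["paths"])  # API routes are seeded, not discovered by crawling
    return crawl(seeds, cookie)
```

The unauthenticated crawl stops at the three public pages; only the run that replays the login and seeds from the API definition reaches every route, including the unlinked API endpoint.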
Scaling your operations for a continually evolving app ecosystem
Using a DAST solution to accomplish all of this is good, but what happens over the years as you bring in new technologies and applications that the DAST needs to connect to? Just like your DevOps tools, your DAST must also be able to adapt to the changing needs of your team. We built AppSpider to be the most extensible modern DAST, able to adapt to the needs of current and future technologies and security requirements.
Obsolescence is the antithesis of progress, and you can’t risk your DAST becoming incompatible with a new set of tools in a few years. Especially as your application security needs grow over time, you need a solution that can not only crawl and attack very effectively on its own, but also leverage test scripts, REST API definitions, macros, and traffic recordings to ensure complete app coverage and vulnerability management.
AppSpider is a departure from standard crawling technologies with the Universal Translator, as it’s a seamless way for Security and DevOps teams to optimize security test coverage of modern web applications and ultimately find all the critical vulnerabilities before they become exposed security risks.