In a recent conversation with a Rapid7 application security customer, I was reminded how much of a security practitioner’s day can be consumed by troubleshooting buggy tools and manually executing the same tasks over and over again (needlessly, may I add). As much as we’d like to think that security professionals’ time is being efficiently utilized, oftentimes inadequate tools, a lack of automation, and organizational silos impede SecOps-driven progress. As an application security vendor, we like to remind security practitioners that sometimes, just getting the basic things right can help immensely.
Enter Rapid7 Application Security
In this conversation, the customer emphasized that the biggest value-adds provided by Rapid7 application security are more sensible in nature compared to the more technologically-opaque offerings and overly-hyped innovations pushed by the security market today. (Machine learning and AI, anyone?) Keep in mind that this isn’t for their lack of experience or know-how: This user is solely responsible for the application security testing of a multi-billion dollar, global enterprise with tens of thousands of employees and hundreds of web applications.
Interested in drilling down to what this particular customer appreciated most from Rapid7’s dynamic web application security testing (DAST) offering? The list included:
- Transparency into what the scan engine is doing while executing a scan
- Incremental scan results provided in scenarios when a scan has to be stopped due to other priorities
- Detailed HTTP request and response traffic for each vulnerability finding, enabling superior validation and root cause analysis
- Attack Replay, which allows vulnerability findings to be validated directly from reporting without additional scans
Let’s explore why these features were worth noting.
AppSec as Agile as Your Environment
Given the complexity of today’s modern web applications, the automated crawling and attacking performed by DAST tools to identify vulns can take hours or even days. Surprisingly, not all DAST tools provide logging detail beyond “scan started” when executing a web app scan. The ugly truth? This means a scan could be running for 48 hours, and you could have no idea if a scanner is actually generating results or simply just hung.
Furthermore, what if that long-running scan needs to be canceled in favor of a higher-priority scan that must be executed ASAP? You would expect that any results generated up until the scan was canceled still be available, so that the interrupted scan wasn’t a total waste of time. Again, this capability isn’t always guaranteed by all DAST tools.
Application vulnerability findings should include more than just generic remediation recommendations and links to OWASP and CWE documentation; although (somewhat) useful, this context barely scratches the surface when it comes to vulnerability validation and root cause analysis. Simply providing transparency into how the scanner generated a finding—that is, the raw HTTP request sent by the scanner and the response returned by the application, are essential artifacts for determining 1. if a true vulnerability exists, and 2. the technical information needed for developers to create a source code patch. DAST tools save precious time by automating the attacks a manual pen tester would use to test an application for vulnerabilities; however, that automation should be able to provide enough transparency to allow an analyst to understand how exactly a vulnerability was identified.
Finally, Attack Replay is a powerful, time-saving feature that allows consumers of Rapid7 reports to re-send the original attack traffic generated during the scan to validate vulnerability findings and test source code patches. Our interviewed customer, being the only dedicated AppSec engineer, found this feature to be invaluable in reducing the amount of back-and-forth—and ultimately time spent on unnecessary scans—with developers as they work on security bug patches.
"Attack Replay saves me a lot of time. Developers don’t ask me nearly as often to run additional scans to test a new security bug patch—instead they can test it directly from the vulnerability report."
— Sr. IT Security Staff, Leading Hardware Manufacturer
Conversations with customers are always enlightening, and the passion of our users never fails to impress. This particular conversation shined a spotlight on how innovations in security technology can be game-changing, but it’s often the smaller, user experience-driven features that makes a vendor’s solution stand out.