Quick Cookie Notification

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.


View Cookie Policy for full details

Rapid7 Blog

Application Security  

Lessons Learned in Web Application Security from the 2016 DBIR

We spent last week hearing from experts around the globe discussing what web application security insights we have gotten from Verizon's 2016 Data Breach Investigations Report. Thank you, Verizon, and all of your partners for giving us a lot to think about! We also polled…

Social Attacks in Web App Hacking - Investigating Findings of the DBIR

This is a guest post from Shay Chen, an Information Security Researcher, Analyst, Tool Author and Speaker. The guy behind TECAPI , WAVSEP and WAFEP benchmarks.Are social attacks that much easier to use, or is it the technology gap of exploitation engines that make social…

2016 DBIR & Application Security: Let's Get Back to the Basics Folks

This is a guest post from Tom Brennan, Owner of ProactiveRISK and serving on the Global Board of Directors for the OWASP Foundation. In reading this year's Verizon Data Breach Investigations Report, one thing came to mind: we need to get back to the basics.…

3 Web App Sec-ian Takeaways From the 2016 DBIR

This year's 2016 Verizon Data Breach Report was a great read. As I spend my days exploring web application security, the report provided a lot of great insight into the space that I often frequent. Lately, I have been researching out of band and second…

The 2016 Verizon Data Breach Investigations Report (DBIR) - A Web Application Security Perspective

The 2016 Verizon Data Breach Investigations Report (DBIR) is out and everyone is poring over the report to see what new insights we can take from last year's incidents and breaches. We have not only created this post to look at some primary application security…

Modern Applications Require Modern Dynamic Application Security Testing (DAST) Solutions

Is your Dynamic Application Security Testing (DAST) solution leaving you exposed? We all know the story of the Emperor's New Clothes. A dapper Emperor is convinced by a tailor that he has the most incredible set of clothes that are only visible to the wise.…

What's In A Hostname?

Like the proverbial cat, curiosity can often get me in trouble, but often enough, curiosity helps us create better security. It seems like every time I encounter a product with a web management console, I end up feeding it data that it wasn't expecting. As…

Hacking Apps - So Easy An Infant Can Do It

Mobile app hacking is nothing new. Many people have performed different assessments and there are even courses all about it. Even so, many penetration testers may still be hesitant about performing these types of assessments, or may not do them well. Mobile application hacking is…

Top 3 Takeaways from the "Skills Training: How to Modernize your Application Security Software" Webcast

In a recent webcast, Dan Kuÿkendall, Senior Director of Application Security Products at Rapid7, gave his perspective on how security professionals should respond to applications, attacks, and attackers that are changing faster than security technology. What should you expect for your application security solutions and…

CISO in Residence Series: Security teachable moments

A CISO I know was recently asked by his parent company to log into a third party web portal to receive some important business plans and legal documents. The web portal is designed to securely upload documents by one person or team, and to be…

Mobile Application Security: Think Twice Before Placing Football Bets

[A version of this blog was originally posted on September 25, 2013]Have you heard about the vulnerability in the Yahoo! Fantasy Football app? If Knowshon Moreno's performance on Monday against the Oakland Raiders got you down, you might want to read this warning to…

3 Tips for Finding the Best Website Security Scanner

[A version of this blog was originally posted on July 16, 2013] While it takes some work to find the best website security scanner for your organization, if you follow these three simple guidelines, you'll be off to a good start. Although accurate automated application…

3 Big Trends in Application Security

[A version of this blog was originally posted on July 18, 2013] With application security it seems there is never a dull moment. Different facets of web security continue to evolve from the hackers and the hacks to the techniques we use to combat them.…

Fix Security Defects Earlier with AppSpider and Selenium Integration

[A version of this blog was originally posted on September, 24 2014] It's a well-known fact that it costs less to fix security defects earlier in the software development lifecycle than later. But because most security professionals are experts in security and less familiar with…

5 Must-Haves for Modern Application Security Scanners

Dynamic Application Security Testing (DAST) solutions have been around for over a decade, so you might think the market is static. But, that's hardly the case. Web applications and malicious hackers continue to evolve and DAST solutions need to keep pace. According to Gartner, DAST…