APPSPIDER: WEB APPLICATION SECURITY SCANNING FOR THE MODERN WORLD
Discover security holes in even the most complex applications.
Know Your Weak Points
Close the Coverage Gap with Universal Translator
Coverage is the first step to scanner accuracy: a scanner cannot find a vulnerability in a request it never sent. Scanners were originally built on a crawl-and-attack architecture, but a link-following crawler cannot discover the endpoints and parameters of web services and other dynamic technologies. AppSpider still crawls traditional HTML pages and name=value query and form parameters, and its Universal Translator also interprets the formats used by today's web and mobile applications (AJAX, GWT, REST, JSON, etc.) so that their parameters become attack points too. AppSpider provides the broad coverage needed for today's wide variety of web applications.
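The point of a "translator" layer is that every scalar in a request body, whatever its encoding, becomes an injection point, and the attack is re-encoded in the request's own format so the server still parses it. The following Python is an added illustration of that idea, not AppSpider's code; the two sample requests, the hypothetical `enumerate_params`/`inject` helpers and the payload list are all constructed for this example. It handles form-encoded and JSON bodies; a SOAP/XML body would get the same treatment with a tree walker.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample requests (not real traffic): the same login action sent
# as a classic HTML form post and as a JSON web-service call. A link-following
# crawler sees the first; only a body-aware translator sees the fields of the second.
SAMPLE_FORM = ("application/x-www-form-urlencoded", "user=alice&pass=s3cret&remember=1")
SAMPLE_JSON = ("application/json",
               '{"user": {"name": "alice", "roles": ["reader", "editor"]}, "remember": true}')

# Path syntax used for JSON parameters: dotted keys and [index] for arrays.
_TOKEN = re.compile(r"\[(\d+)\]|([^.\[\]]+)")


def _tokens(path):
    """'user.roles[1]' -> ['user', 'roles', 1]."""
    return [int(idx) if idx else key for idx, key in _TOKEN.findall(path)]


def _walk_json(node, prefix, out):
    """Recursively collect (path, value) for every scalar in a JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            _walk_json(val, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            _walk_json(val, f"{prefix}[{idx}]", out)
    else:
        out.append((prefix, node))


def _media_type(content_type):
    return content_type.split(";")[0].strip().lower()


def enumerate_params(content_type, body):
    """Return the injectable parameters of a request body as (path, value) pairs."""
    media = _media_type(content_type)
    if media == "application/x-www-form-urlencoded":
        return parse_qsl(body, keep_blank_values=True)
    if media == "application/json":
        out = []
        _walk_json(json.loads(body), "", out)
        return out
    raise ValueError(f"unsupported content type: {media}")


def inject(content_type, body, path, payload):
    """Return a copy of the body with the parameter at `path` replaced by `payload`,
    re-encoded in the request's own format so the server-side parser accepts it."""
    media = _media_type(content_type)
    if media == "application/x-www-form-urlencoded":
        pairs = [(k, payload if k == path else v)
                 for k, v in parse_qsl(body, keep_blank_values=True)]
        return urlencode(pairs)  # percent-encodes the payload like a browser would
    if media == "application/json":
        doc = json.loads(body)
        toks = _tokens(path)
        node = doc
        for tok in toks[:-1]:
            node = node[tok]
        node[toks[-1]] = payload
        return json.dumps(doc)
    raise ValueError(f"unsupported content type: {media}")


def attack_variants(content_type, body, payloads):
    """Yield (path, payload, mutated_body) for every parameter x payload combination."""
    for path, _ in enumerate_params(content_type, body):
        for payload in payloads:
            yield path, payload, inject(content_type, body, path, payload)


if __name__ == "__main__":
    probes = ["' OR 1=1--", "<svg/onload=alert(1)>"]
    for ctype, body in (SAMPLE_FORM, SAMPLE_JSON):
        for path, payload, mutated in attack_variants(ctype, body, probes):
            print(f"{ctype:35} {path:15} -> {mutated}")
```

Run it and note the difference in volume: the form yields three attack points, the JSON document four, including the two array elements and the boolean, none of which appear in any link or HTML form.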
Attack with intelligence
AppSpider does not rely on a fixed list of known vulnerability signatures, because today's applications are custom, with unique site structures, parameter names, and responses. It builds custom attacks based on your application's architecture to give you the most accurate results. To simulate real-world attacks more accurately, AppSpider analyses the position and proximity of form fields and their labels so that it enters the kind of data each field expects, which lets submissions get past validation to the code behind the form.
Continuously monitor your applications
Don't let unknown risks keep you up at night. AppSpider's continuous site monitoring identifies changes in your application ecosystem that may inadvertently introduce new vulnerabilities, and triggers a re-scan according to configurable settings.
Stay authenticated for deep assessment
Most applications are custom, and each has its own authentication approach. A scanner must be able to recognize the login form, determine whether the login succeeded, stay logged in for the rest of the scan, and handle single sign-on; otherwise it only tests the unauthenticated surface. AppSpider can authenticate against even the most complex approaches, as well as the following web service authentication schemes: OAuth, HMAC, integrated nonce, and user-defined.
Prioritize What Matters Most
Conduct deeper analysis with interactive reports
Sifting through pages and pages of application vulnerabilities in a PDF report takes too much time. AppSpider provides interactive, actionable reports that behave like web pages, with clear organization and links for deeper analysis. Findings are organized and consolidated by attack type (XSS, SQLi, etc.), and with one click you can drill into a vulnerability for more detail. AppSpider's reports reduce remediation time and streamline communication with developers.
Quickly re-play web attacks
When reviewing a vulnerability report, it helps to be able to reproduce a finding, either to confirm that it is exploitable or to demonstrate it to others. AppSpider's attack replay feature lets you re-send an individual attack request in real time with one click and examine the response.
Categorize applications for easy reporting
Every organization is different and needs to organize its data and reports in its own way. AppSpider enables this flexibility through user-defined metadata. The metadata supports custom reporting and provides a graphical view of your security posture across all enterprise applications. You can define tags to view applications and vulnerabilities from different vantage points, including business unit, business risk/criticality, owner, location, or any other category that helps you organize your applications. You can also define trending data to show how vulnerability counts change over time.
Improve Your Position
Manage and control application security programs
In order to improve your overall security posture, you need a high-level view of your application security program that shows where things stand and whether they are improving. AppSpider provides centralized control and reporting over all aspects of your program, including scan configuration, scheduling, and monitoring. From the list of scans configured in the system, you can see and manage every completed scan, and search by scan configuration, configuration name, start time, or finish time.
Automate virtual patching
Using automated rule generation, AppSpider's defensive capabilities let security teams mitigate a web application vulnerability almost immediately, in minutes instead of days or weeks. Instead of hand-building a custom rule for a web application firewall (WAF) or intrusion prevention system (IPS), or waiting for a source code patch, you deploy the generated rule and gain the time to identify the root cause and fix it in the code. A virtual patch only blocks the attack traffic in front of the application; it does not remove the flaw, so the code fix should still follow.
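To make the virtual-patching idea concrete, here is an added Python example (not AppSpider's rule generator, whose output format the page does not describe) that turns scanner findings into chained ModSecurity rules scoped to the affected path and parameter, and then checks each rule against the finding's own payload before anything is deployed. The findings, the per-class patterns and the `VirtualPatch` helper are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Coarse per-class detection patterns, constructed for this example. A deployed
# virtual patch should be tightened to the parameter's legitimate grammar
# (a positive model) once the finding is triaged.
CLASS_PATTERNS = {
    "SQL Injection": r"(?i)('|--|/\*|\bunion\b|\bor\s+\d+\s*=)",
    "Cross-site scripting (XSS), reflected": r"(?i)(<\s*/?\s*script|on\w+\s*=|javascript:)",
    "OS Commanding": r"(;|\|\||&&|`|\$\()",
}

# Constructed findings in the shape a scanner export might have; not real results.
SAMPLE_FINDINGS = [
    {"class": "SQL Injection", "path": "/search", "param": "q", "payload": "' OR 1=1--"},
    {"class": "SQL Injection", "path": "/search", "param": "q", "payload": "1 UNION SELECT 1,2"},
    {"class": "Cross-site scripting (XSS), reflected", "path": "/profile", "param": "name",
     "payload": "<script>alert(1)</script>"},
    {"class": "Directory Indexing", "path": "/static/", "param": "", "payload": ""},
]


@dataclass(frozen=True)
class VirtualPatch:
    rule_id: int
    path: str
    param: str
    vuln_class: str
    pattern: str

    def render(self):
        """Emit the patch as a chained ModSecurity rule: the first rule scopes it to
        the affected path, the chained rule inspects only the vulnerable parameter."""
        head = (f'SecRule REQUEST_URI "@beginsWith {self.path}" '
                f'"id:{self.rule_id},phase:2,deny,status:403,log,'
                f"msg:'Virtual patch: {self.vuln_class} in {self.param}',chain\"")
        tail = f'    SecRule ARGS:{self.param} "@rx {self.pattern}"'
        return head + "\n" + tail

    def matches(self, path, args):
        """Local emulation of the chained rule so a patch can be tested offline."""
        return path.startswith(self.path) and bool(
            re.search(self.pattern, args.get(self.param, "")))


def patches_from_findings(findings, first_id=900001):
    """One patch per (path, param, class). Classes without a blocking pattern
    (e.g. Directory Indexing) cannot be virtually patched and are left for a code fix."""
    patches, seen, next_id = [], set(), first_id
    for f in findings:
        key = (f["path"], f["param"], f["class"])
        pattern = CLASS_PATTERNS.get(f["class"])
        if pattern is None or key in seen:
            continue
        seen.add(key)
        patches.append(VirtualPatch(next_id, f["path"], f["param"], f["class"], pattern))
        next_id += 1
    return patches


def unblocked(patches, findings):
    """Findings that have a patch but whose own payload still gets through;
    any entry here means the pattern is too narrow and must not ship."""
    out = []
    for f in findings:
        relevant = [p for p in patches
                    if (p.path, p.param, p.vuln_class) == (f["path"], f["param"], f["class"])]
        if relevant and not any(p.matches(f["path"], {f["param"]: f["payload"]}) for p in relevant):
            out.append(f)
    return out


if __name__ == "__main__":
    patches = patches_from_findings(SAMPLE_FINDINGS)
    for p in patches:
        print(p.render(), end="\n\n")
    print("unblocked:", unblocked(patches, SAMPLE_FINDINGS))
```

The scoping to `REQUEST_URI` plus a single `ARGS:` entry is what keeps a virtual patch from becoming a site-wide signature with its own false-positive cost; the `unblocked` check is the minimum regression test before the rule goes live.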
Meet compliance requirements
Keeping up with industry best practices and with legal and regulatory compliance requirements is no easy task. AppSpider helps your team quickly see gaps against well-known standards and best practices, including PCI DSS, FISMA, SOX, HIPAA, GLBA, OWASP, and more.
Integrate into your SDLC workflow
Your development team is already using build, QA, and ticketing systems. AppSpider integrates with these tools to improve productivity and address web application security issues before they reach your production environment. You'll find security issues earlier in the development lifecycle by running scans from your Continuous Integration server (Jenkins) and by driving them from QA test automation tools and scripts (Selenium). AppSpider can also file tickets in the most popular bug tracking systems (RSA Archer, HP Quality Center, and Atlassian JIRA).
AppSpider Checks for:
- Apache Struts 2 Framework Checks
- Apache Struts Detection
- Arbitrary File Upload
- Autocomplete attribute
- Blind SQL Injection
- Brute Force (Form Auth)
- Brute Force (HTTP Auth)
- Business logic abuse attacks
- Cookie attributes
- Credentials stored in clear text in a cookie
- Cross-Site Request Forgery (CSRF)
- Cross-site scripting (XSS), DOM based
- Cross-site scripting (XSS), reflected
- Cross-site tracing (XST)
- Directory Indexing
- Email Disclosure
- Forced Browsing
- Form Session Strength
- HTTP Response Splitting
- HTTP Strict Transport Security
- HTTPS Downgrade
- Information Disclosure
- Information Leakage
- Java Grinder
- OS Commanding
- Parameter Fuzzing
- Predictable Resource Location
- Privacy Disclosure
- Remote File Include (RFI)
- Reverse Proxy
- Secure and non-secure content mix
- Server Configuration
- Session Fixation
- Session Strength
- Source Code Disclosure
- SQL Injection
- SQL Injection Auth Bypass
- SSL Strength
- Unvalidated Redirect
- URL rewriting
- Web Beacon
- Web Service Parameter Fuzzing
- X-Frame-Options missing HTTP header
- X-XSS-Protection missing HTTP header
- Customer-created attacks
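Several of the checks above (HTTP Strict Transport Security, X-Frame-Options and X-XSS-Protection headers, cookie attributes, secure and non-secure content mix, the autocomplete attribute, directory indexing, email disclosure) are passive: they need no attack, only an inspection of a response the crawler already received. The following Python is an added example of what such a passive pass looks like; it is not AppSpider's implementation, and the two HTTP responses, the URL and the `passive_checks` helper are constructed for this illustration.

```python
import re

# Constructed responses (not captured traffic). The first has the typical gaps,
# the second is the same page with the headers and attributes corrected.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: JSESSIONID=abc123; Path=/",
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    "",
    "<html><head><title>Login</title></head><body>",
    '<form action="/login" method="post"><input type="password" name="pass"></form>',
    '<script src="http://cdn.example.net/app.js"></script>',
    "Contact: admin@example.com</body></html>",
])
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Frame-Options: DENY",
    "X-XSS-Protection: 0",
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "",
    "<html><head><title>Login</title></head><body>",
    '<form action="/login" method="post">'
    '<input type="password" name="pass" autocomplete="off"></form>',
    '<script src="https://cdn.example.net/app.js"></script></body></html>',
])

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PASSWORD_INPUT_RE = re.compile(r"""<input[^>]*type=["']?password["']?[^>]*>""", re.I)
MIXED_CONTENT_RE = re.compile(r"""<(?:script|img|iframe|link)\b[^>]*(?:src|href)=["']http://""", re.I)


def _parse(raw):
    """Split a raw HTTP response into [(header-name-lowercased, value)] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def _get(headers, name):
    """All values of a header (Set-Cookie may legitimately repeat)."""
    return [v for n, v in headers if n == name]


def passive_checks(url, raw_response):
    """Return (check name, detail) findings for one response, using the check
    names from the list above."""
    is_https = url.lower().startswith("https://")
    headers, body = _parse(raw_response)
    findings = []

    if is_https and not _get(headers, "strict-transport-security"):
        findings.append(("HTTP Strict Transport Security", "header missing on HTTPS response"))
    csp = " ".join(_get(headers, "content-security-policy"))
    if not _get(headers, "x-frame-options") and "frame-ancestors" not in csp:
        findings.append(("X-Frame-Options missing HTTP header",
                         "no X-Frame-Options and no CSP frame-ancestors"))
    if not _get(headers, "x-xss-protection"):
        findings.append(("X-XSS-Protection missing HTTP header", "legacy filter header absent"))

    for cookie in _get(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly", "SameSite")
                   if flag.lower() not in attrs and (flag != "Secure" or is_https)]
        if missing:
            findings.append(("Cookie attributes", f"{name} missing {', '.join(missing)}"))

    if is_https and MIXED_CONTENT_RE.search(body):
        findings.append(("Secure and non-secure content mix",
                         "http:// resource embedded in HTTPS page"))
    for tag in PASSWORD_INPUT_RE.findall(body):
        if not re.search(r"""autocomplete=["']?off""", tag, re.I):
            findings.append(("Autocomplete attribute", "password field without autocomplete=off"))
    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.append(("Directory Indexing", "directory listing page"))
    for addr in sorted(set(EMAIL_RE.findall(body))):
        findings.append(("Email Disclosure", addr))
    return findings


if __name__ == "__main__":
    for name, detail in passive_checks("https://app.example.com/login", WEAK_RESPONSE):
        print(f"{name}: {detail}")
```

Two caveats a reviewer of such findings should keep in mind: the `Secure` cookie flag and HSTS only apply to responses served over HTTPS, so the check takes the request URL into account; and `X-XSS-Protection` is a legacy browser filter that current guidance sets to `0` or omits in favour of a Content Security Policy, so its absence is low severity even though it appears in the check list.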