Posts by Dan Kuÿkendall

4 min InsightAppSec

How InsightAppSec Can Help You Improve Your Approach to Application Security

In this post, we’ll explore why modern apps require modern testing and how our DAST tool, InsightAppSec, is leading the way with the most sought-after needs for application security teams.

7 min

Web Application Security Scanning and the Art of Automation

A version of this blog was originally posted on Nov. 5, 2012. Few people fully appreciate the difficulty in creating a web application security scanner [] that can actually work well against most sites. In addition, there is much debate about how much application security testing can be automated and how much needs be done by human hands. Let's look at a recent conversation [] among some industry exp

1 min AppSpider

Mobile Application Security: Think Twice Before Placing Football Bets

A version of this blog was originally posted on September 25, 2013. Have you heard about the vulnerability in the Yahoo! Fantasy Football app [] ? If Knowshon Moreno's [] performance on Monday against the Oakland Raiders got you down, you might want to read this warning to fantasy football players: Don't p

2 min Application Security

3 Tips for Finding the Best Website Security Scanner

A version of this blog was originally posted on July 16, 2013 While it takes some work to find the best website security scanner for your organization, if you follow these three simple guidelines, you'll be off to a good start. Although accurate automated application security testing has been common practice for many organizations for over 10 years, it remains a very difficult and complex process. There are automation techniques that ensure a scan is as automated as possible, reduces scan time

2 min AppSpider

3 Big Trends in Application Security

A version of this blog was originally posted on July 18, 2013 With application security it seems there is never a dull moment. Different facets of web security continue to evolve from the hackers and the hacks to the techniques we use to combat them. Here are some of the trends we see emerging and maturing as best practices. Let us know if you are implementing these and how it's going! 1. Continuous Scanning There's a lot of buzz around the concept of continuous scanning, but in the world of

2 min Application Security

Fix Security Defects Earlier with AppSpider and Selenium Integration

[A version of this blog was originally posted on September, 24 2014] It's a well-known fact that it costs less to fix security defects [] earlier in the software development lifecycle than later. But because most security professionals are experts in security and less familiar with applications, and QA teams are experts in applications and less familiar with security, integrating security testing earlier in the software development lifecycle can be a cha

3 min AppSpider

5 Must-Haves for Modern Application Security Scanners

Dynamic Application Security Testing (DAST) solutions have been around for over a decade, so you might think the market is static. But, that's hardly the case. Web applications and malicious hackers continue to evolve and DAST solutions need to keep pace. According to Gartner, DAST technology analyzes applications in their running state (in real or “almost” real life) during operation or testing phases. It simulates attacks against a Web application, analyzes application reactions and, thus, det

2 min AppSpider

Top 10 Business Logic Attack Vectors

I thought I'd take a moment to dig a little deeper on our whitepaper titled “Top 10 Business Logic Attack Vectors." Why did we write this paper? 1. Business logic vulnerabilities are not new, but these vulnerabilities are common, dangerous and are too often untested. 2. Security experts need to know that these must be tested manually and must not be overlooked. It is imperative to complement automated testing process with a human discovery of security risks that can be exploited

4 min AppSpider

7 Deadly Sins: Unlock the Gates of Mobile Hacking Heaven

I've spent the past year hacking mobile applications in an effort to uncover the most common security mistakes made during development. I found that most of the problems are related to session management – the process of authenticating the user and ensuring an attacker isn't impersonating a user or eavesdropping on the service. In most cases, a vulnerability in any single area isn't a significant liability. However, the more mistakes that are made, the easier it is to attack the app. Here is wh

3 min AppSpider

Security Testing Complex Workflows, Not So Complex Anymore

Conducting web application security testing []for complex workflows can be a real pain. In order to find vulnerabilities, valid test data must be passed through exactly as the workflow prescribes. Most web application security testing scanners aren't up for the job, so security testers must supplement their scans with manual testing. If your organization has just a couple applications that aren't changing, then manual testing

3 min AppSpider

7 Ways to Improve the Accuracy of your Application Security Tests

For more than 10 years, application security testing [] has been a common practice to identify and remediate vulnerabilities in their web applications. While, it's difficult to figure out the best web security software for your organization, there are seven key techniques that not only increase accuracy of testing in most applications, but also enable teams to leverage expert resources to test necessary areas by hand. IT secur

4 min AppSpider

Modernize Your Application Security Scanning in Four Easy Steps

You've built modern mobile and rich internet applications (RIAs) that are sure to improve your business' next major revenue stream. Conscious of security, you've ensured that the native application authenticates to the server, and you've run the app through a web application security scanner to identify weaknesses in the code. Those vulnerabilities have been remediated, and now you're ready to go live. Not so fast. Despite your best intentions, chances are good your mobile and rich internet ap

2 min AppSpider

7 Things About Dan Kuykendall

Hello! I'm Dan Kuykendall. Since I'm new to the Rapid7 family, I thought I'd take a moment to introduce myself with 7 factoids about me: 1. I'm not a geek, or a nerd—but a neek: Some people might think of me as a nerd, but I proudly prefer to think of myself as part geek and part nerd, so maybe I'm a neek. For all of you doubters out there, there is a difference - learn more about the differences between nerds and geeks with this awesome Infographic. Fellow neeks, I know you kn

1 min AppSpider

NT OBJECTives Acquired by Rapid7!

I'm excited to connect with you through this first blog post as part of the Rapid7 team. Rapid7 has just acquired the company I co-founded, NT OBJECTives (NTO), an application security company specializing in dynamic application security testing software (DAST). Our NTO team is eager to be part of Rapid7 and to continue to innovate in Application Security as part of Rapid7's Thread Exposure Management solutions. So, a quick introduction: I'm Dan Kuykendall. I have been with NT OBJECTives for ov