Last updated at Sat, 19 Aug 2017 02:42:44 GMT

In recent years, more and more applications are being built on popular new JavaScript frameworks like ReactJS and AngularJS. As is often the case with new application technologies, these frameworks have created an innovation gap for most application security scanning solutions and an acute set of challenges for those of us who focus on web application security. It is imperative that our application security testing approaches keep pace with evolving technology. When we fail to keep up, portions of the applications go untested, leaving unknown risk.

Related resource: [VIDEO] Securing Single Page Applications Built on JavaScript Frameworks

So, let's look at some of the key things we need to think about when testing these modern web applications.

1. Dynamic clients of today's complex web applications. These applications have highly dynamic clients, built on JavaScript platforms like AngularJS and ReactJS. Single Page Application (SPA) frameworks fundamentally change the browser communication that security experts have long understood. These frameworks use custom event names instead of the traditional browser events we understand (onclick, onsubmit, etc.). Evaluate whether your dynamic application security testing solution is capable of translating these custom events into the traditional browser event names we understand.

2. RESTful APIs (back-end). Today's modern applications are powered by complex back-end APIs. Most organizations are currently testing RESTful APIs manually or not testing them at all. Your dynamic application security testing solution should be able to automatically discover and test a RESTful API while crawling both AJAX applications and SPAs. Because APIs are proliferating so rapidly, they take a long time to test. Your dynamic application security testing solution should automate that work so that your expert pen testers can focus on the problems that can't be automated, like business logic testing.

Related resource: [Whitepaper] The Top Ten Business Logic Attack Vectors

3. Interconnected applications. As security experts, it's imperative that we understand today's interconnected world. We are seeing interconnected applications at work and at home. For example, the Yahoo homepage shows news from many sites and includes your Twitter feed. Amazon is offering up products from eBay. We are used to thinking about testing an individual application, but now we must go beyond that. Many applications have created open APIs so that other applications can connect to them, or are consuming the APIs of third-party applications. These applications are becoming increasingly interconnected and interdependent. Your DAST solution should help you address this interconnectivity by testing the APIs that power them.

Dynamic application security testing solutions are evolving rapidly. We encourage you to expect more from your solution. AppSpider enables you to keep up with the changing application landscape so that you can be confident your application has been effectively tested. AppSpider goes where no scanner has gone before: to the deep and dark crevices of your modern applications. By using AppSpider for Dynamic Application Security Testing (DAST), you can keep up with application evolutions, from the dynamic clients of Single Page Applications (SPAs) to the complex back-end APIs. Learn more about AppSpider and how it scans Single Page Applications that are built on JavaScript frameworks.