Last updated at Tue, 02 Apr 2019 19:11:07 GMT
On top of braving the cold this past winter, our team was hard at work building out many new and powerful features for InsightAppSec, our cloud-powered application security testing solution for modern web apps. Security is constantly evolving, and so, too, must the tools you use to keep pace. That’s why we continuously update products like InsightAppSec to expand coverage and streamline your appsec processes.
We’ve been bursting at the seams to share these new features with you, which include extended single page application (SPA) and complex authentication coverage from our DAST engine, an executive dashboard to help you advance your appsec program, and an out-of-the-box CI/CD integration to help automate testing throughout your SDLC. In this post, you’ll learn about all of our new features, how you can benefit from them, and how you can begin using them right away.
1. Bootstrap for multi-factor authentication
Bootstrap is the latest authentication type added to InsightAppSec, allowing you to interactively log in to a target application. Now, when an InsightAppSec scan encounters an authentication gateway, the user will be notified via email and prompted within InsightAppSec that authentication is required. Once the user provides the login page URL and credentials, the scan will proceed. If the scan encounters multiple login screens on the web application, the user will need to provide login credentials for each occurrence.
Meanwhile, the InsightAppSec Chrome plugin records and saves traffic between the browser and server to be used by the scan engine and satisfy the required authentication.
2. Email notifications
You’re busy fighting fires, training employees, and applying patches, which means your eyes aren’t always on the InsightAppSec dashboard. Because we know that staying in the know and tending to high-priority events is incredibly important to you, we’ve added email notification functionality to notify you when:
- On-premises engines are offline and cannot run scans
- A running scan fails
- A running scan encounters a Bootstrap authentication event that requires human intervention
All of this is sent to you without requiring you to be logged in to InsightAppSec.
To take action on any of these alerts, all you need to do is click the link in the email and you’ll be brought to the exact event you were notified about, so you can act on it as soon as it occurs. If, however, your job function doesn’t involve any of these events, you can turn off email notifications to reduce distractions.
3. New SPA frameworks added
InsightAppSec supports and recognizes the most commonly used SPA frameworks leveraged in modern web applications, such as Knockout, Angular, and React. Our latest update adds support for Angular 7 (in addition to 2, 4, 5, and 6) as well as React v16 (in addition to v15).
Web application developers use SPAs to deliver complex features without having to build everything from scratch. Users don't care about the "how"; they care how interactive the web application is and how easy it is to use.
While this presents advantages to all parties, it can make it challenging to find all the vulnerabilities that may exist within the page, as SPAs increase the permutations and can't be crawled the way a traditional web site can be. To keep up with modern development practices, the InsightAppSec team is constantly evaluating and adding more frameworks to ensure the tool is crawling as efficiently and thoroughly as possible. Additional SPA support will be announced later in 2019.
4. Jenkins integration
Available from the Jenkins plugin store, this new plugin provides an easy way to integrate your build process with the InsightAppSec REST API. Using this plugin, Jenkins can automatically run a scan against your pre-production web application within the CI/CD pipeline and make a decision about the pass/fail status of the build based on the scan result.
Scans are initiated automatically as soon as builds are ready, ensuring you never miss a scan or an issue before it goes into production. From there, Jenkins passes or fails builds depending on rules you define, such as the maximum number of vulnerabilities found or a threshold on vulnerability severity. This integration adds an important step: mitigating vulnerabilities before they reach production systems, while they are still much faster and less costly to fix.
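To make the pass/fail decision concrete, here is an added example of the kind of gate rule evaluation such a pipeline step performs. It is illustrative code written for this post, not the InsightAppSec Jenkins plugin or the InsightAppSec REST API: the finding format (a list of name/severity records), the policy fields (max_total, fail_at_or_above, max_per_severity) and the sample findings are all constructed for the example. A real job would fetch results from the scanner and read its policy from the build configuration.

```python
"""Added example: a build gate over scan findings, of the kind the Jenkins
integration applies. Not the plugin's code or API; the finding format, the
policy fields and the sample data below are constructed for illustration."""
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity labels ranked lowest to highest; used for "at or above" thresholds.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]


@dataclass
class GatePolicy:
    # Fail the build if the total number of findings exceeds this value.
    max_total: Optional[int] = None
    # Fail the build if any finding is at or above this severity label.
    fail_at_or_above: Optional[str] = None
    # Per-severity caps, e.g. {"medium": 5} allows at most five medium findings.
    max_per_severity: Dict[str, int] = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    reasons: List[str]  # empty when the build passes


def severity_rank(severity: str) -> int:
    """Rank a severity label; unknown labels rank above 'critical' so a
    finding with an unexpected label fails closed rather than slipping through."""
    try:
        return SEVERITY_ORDER.index(severity.lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def evaluate_gate(findings: List[Dict[str, str]], policy: GatePolicy) -> GateResult:
    """Apply every rule in the policy and collect a reason for each breach."""
    reasons: List[str] = []
    counts = Counter(f["severity"].lower() for f in findings)
    total = sum(counts.values())

    if policy.max_total is not None and total > policy.max_total:
        reasons.append(f"{total} findings exceed the limit of {policy.max_total}")

    if policy.fail_at_or_above is not None:
        threshold = severity_rank(policy.fail_at_or_above)
        blocking = [f for f in findings if severity_rank(f["severity"]) >= threshold]
        if blocking:
            names = ", ".join(sorted({f["name"] for f in blocking}))
            reasons.append(
                f"{len(blocking)} finding(s) at or above "
                f"{policy.fail_at_or_above}: {names}"
            )

    for severity, cap in policy.max_per_severity.items():
        seen = counts.get(severity.lower(), 0)
        if seen > cap:
            reasons.append(f"{seen} {severity} finding(s) exceed the cap of {cap}")

    return GateResult(passed=not reasons, reasons=reasons)


# Constructed sample scan output; not real scanner data.
SAMPLE_FINDINGS = [
    {"name": "Reflected Cross-Site Scripting", "severity": "high"},
    {"name": "Missing Content-Security-Policy header", "severity": "low"},
    {"name": "Verbose Server Banner", "severity": "informational"},
    {"name": "Session Cookie Without Secure Flag", "severity": "medium"},
]

# Two example policies: one blocks the release on any high/critical finding,
# the other only caps the total volume and blocks on critical findings.
STRICT_POLICY = GatePolicy(fail_at_or_above="high")
LENIENT_POLICY = GatePolicy(max_total=10, fail_at_or_above="critical")


def main() -> int:
    """Run the gate as a build step would: non-zero exit fails the build."""
    result = evaluate_gate(SAMPLE_FINDINGS, STRICT_POLICY)
    for reason in result.reasons:
        print("GATE FAIL:", reason)
    print("build", "PASSED" if result.passed else "FAILED")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

The design choice worth noting is that every rule is evaluated and every breach is reported, rather than stopping at the first failure, so a developer reading the build log sees the full set of reasons at once; and an unrecognized severity label fails the gate rather than being ignored.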
5. A new executive dashboard: AppSec Home
AppSec Home is your new go-to dashboard to view key statistics and metrics regarding the security of your applications. Viewable to your entire team, it provides you with the appsec data you want to see, trends over time, and actions you can take to improve your security posture. All of this is also rolled up in a management summary, making it easy to digest for even the busiest executive and easily shareable at a moment’s notice.
In the coming months, we will continue to release new dashboard features that will allow you to further customize your view to focus on what metrics matter to you.
6. GDPR reports
Our new GDPR report is an informational report generated from a selected scan to show whether certain vulnerabilities might jeopardize your GDPR compliance. The report calls out specific areas where applications may be attacked, such as password control and network connection control, so you can take action on them. Any vulnerabilities found that relate to these headings are included and prioritized by severity level in order to facilitate remediation.
It’s worth noting that this report is not to be used as an indication of GDPR compliance, but instead, an advisory report that can be downloaded into a readable PDF or HTML format for you and your team to review periodically.
To Q2 and beyond!
Well, that’s a wrap for our Q1 updates for InsightAppSec! Our team is already hard at work on some new bells and whistles coming to InsightAppSec later this year, which we cannot wait to share with you. In the meantime, if you are an existing InsightAppSec customer, log in here to begin using (and loving) these features. And, if you’re not yet an InsightAppSec customer, sign up for your free 30-day trial!