Posts tagged Application Security

3 min Application Security

What’s New in InsightAppSec and tCell: Q1 2021 in Review

Rapid7 will continue to support customers through every challenge, with new updates and avenues to help you get the most out of your application security program.

2 min Application Security

Rapid7 Announces Release of New tCell Amazon CloudFront Agent

We are excited to announce tCell’s CloudFront agent, which leverages Lambda@Edge to help push security closer to the “edge” without requiring any code changes to your applications.

4 min Vulnerability Management

Building a Holistic VRM Strategy That Includes the Web Application Layer

Co-sponsored by Forrester, a recent Rapid7 webcast expounds upon the topics discussed in this blog post.

2 min Application Security

Securing Your Web App, One Robot at a Time

Modern web apps are two things: complex, and under persistent attack.

4 min InsightAppSec

What’s New in InsightAppSec and tCell: Q4 2020 in Review

In this blog, we'll recap some of the new and exciting features we have released as a part of our application security portfolio.

4 min DevSecOps

Shifting Security Right: How Cloud-Based SecOps Can Speed Processes While Maintaining Integrity

Let’s take a look at some key insights on current industry efforts to more closely integrate DevOps and SecOps—and how you can plot your best path forward.

2 min InsightVM

New All Apps and Asset Report Combines Power of InsightVM and InsightAppSec for Boosted Visibility

When speaking with customers, we continue to hear that they are looking for more visibility into their vulnerability risk management activities.

3 min Vulnerability Management

Defining Vulnerability Risk Management (and How to Build a Modern VRM Program)

Once upon a time (just a handful of years ago), vulnerability management [https://www.rapid7.com/solutions/vulnerability-management/] programs focused solely on servers, running quarterly scans that targeted only critical systems. But that was then, and you can’t afford such a limited view in the now. Truth is, vulnerability exploitation now happens indiscriminately across the modern attack surface—from local and remote endpoints to on-prem and cloud infrastructure to web applications and con

1 min tCell

tCell by Rapid7 Now Available for the European Region

Today, we are excited to announce tCell by Rapid7, our next-gen WAF and RASP solution, is now available in the Rapid7 Insight cloud’s European region.

9 min Application Security

Overview of Content Security Policies (CSPs) on the Web

A Content Security Policy is a browser security mechanism, delivered through the Content-Security-Policy HTTP response header, that lets a site owner control which resources a page may load and how those resources may be loaded.

2 min Application Security

What’s New in InsightAppSec and tCell: Q3 2020 in Review

This blog recaps some of the latest and greatest ways to leverage Rapid7’s appsec technologies to get time back in your days.

2 min Application Security

Rapid7 and Snyk Are on the Run(time) with Expanded SCA Capabilities

Earlier this year, Rapid7 and Snyk partnered together with the goal of securing cloud-native apps across the software development lifecycle (SDLC).

3 min tCell

Rapid7 tCell now supports Microsoft Agents on 32-Bit

We’re excited to share that over the past few weeks, we’ve released support for 32-bit applications for our .NET, .NET Core, and IIS agents.

10 min Application Security

Unlocking the Power of Macro Authentication in Application Security: Part Three

This is the third and final installment of our series "Unlocking the Power of Macro Authentication in Application Security."

3 min Application Security

Application Security Takes Center Stage in this Year’s Verizon Data Breach Investigations Report

In recent years, web applications have become the biggest target for attacks, as they’re the easiest way for hackers to gain access to valuable information.

2 min InsightAppSec

InsightAppSec Release Roundup: What’s New and Updated

In this blog, we recap the latest and greatest ways to work smarter and more efficiently in InsightAppSec, so you can get some much-deserved time back.

13 min DAST

Unlocking the Power of Macro Authentication in Application Security: Part Two

In this post, we will review how to understand these error messages and what steps to take to get our authentication macro working.

7 min InsightAppSec

Unlocking the Power of Macro Authentication: Part One

In this blog post, we will review how various components of a macro work and what to keep in mind when recording a macro for authentication.

4 min Application Security

Best Practices for Securing e-Commerce Applications

Learn why e-commerce security is becoming more necessary than ever before, and steps to take to ensure applications are safe from a vulnerability or data breach.

2 min Application Security

Rapid7’s Full Stack Vulnerability Risk Management Portfolio Recognized for Application Security Capabilities

Recently, Rapid7 was the only full stack vulnerability risk management vendor to be recognized for Application Security Testing by an industry-leading third-party research firm.

5 min InsightAppSec

Automating Multi-Factor Authentication: Time-Based One-Time Passwords

In this blog, we discuss everything you need to know about time-based one-time password (TOTP) authentication.

3 min Application Security

Securing Cloud-Native Apps Requires Partnership

To further our commitment to extend the influence of security teams into development, Rapid7 is excited to announce our partnership with Snyk.

2 min InsightAppSec

Dig Deeper in InsightAppSec with New Custom Dashboards Feature

To give customers more control over what types of data appear within InsightAppSec, we are pleased to announce our new custom dashboards feature.

4 min InsightAppSec

InsightVM + InsightAppSec: A Love Story

Today, we take a moment to appreciate how two of our products, InsightVM and InsightAppSec, work together to secure the entire tech stack for our customers.

3 min PCI

How PCI Compliance Helps Keep Your App’s Credit Card Data Safe

In this blog, we break down why you and your organization should be committed to the Payment Card Industry Data Security Standard (PCI DSS, or PCI).

4 min InsightAppSec

Automating Application Security Processes with the InsightAppSec API

In this blog, we discuss how task automation can free up extra time for development and security teams in the web application life cycle.

6 min InsightAppSec

Automating Application Security Testing Within Your Atlassian Bamboo Pipelines

Rapid7 is excited to announce a new plugin for Atlassian Bamboo with the goal of integrating InsightAppSec into the software development life cycle (SDLC).

3 min Application Security

The Most Commonly Exploited Web Application Vulnerabilities in a Production Environment

In this blog, we discuss the most exploited web application vulnerabilities, and how you can avoid them in your development process.

3 min Application Security

Hidden Helpers: Security-Focused HTTP Headers to Protect Against Vulnerabilities

In our second installment of the 'Hidden Helpers' series, we discuss security-focused HTTP headers and how they can protect against vulnerabilities.

3 min InsightAppSec

How Our New Jenkins Integration for InsightAppSec Enables DevSecOps Collaboration

Rapid7 is excited to announce the release of a Jenkins integration for InsightAppSec, built to shorten release cycles and reduce vulnerabilities.

5 min InsightAppSec

New Azure DevOps Pipelines Extension for InsightAppSec Helps Improve Web App Security

Rapid7 is excited to announce the release of a new extension to incorporate InsightAppSec within Azure DevOps Pipelines.

3 min Application Security

From Security Police to Security Advocates: How to Create a Champion Program

In our most recent episode of Security Nation, we had the pleasure of speaking with Mark Geeslin about his work creating an internal Security Mavens program at Asurion.

3 min Application Security

Application Security Testing + Monitoring with DAST and RASP: A Two-Pronged Approach

For full coverage of your apps, you need more than one application security solution, such as DAST for testing and RASP for runtime protection.

4 min Application Security

You Can Have It Both Ways with AppSec: Security and Speed

Security and DevOps teams seemingly have to choose between speed and security. We think there's a better way.

3 min Application Security

RASP 101: What Is Runtime Application Self-Protection?

If your organization isn't using a runtime application self-protection (RASP) tool to protect your applications, here's what you need to know.

3 min Application Security

Application Security 101: The Importance of DevSecOps in AppSec

In this blog, we will share some insightful tips on all things application security and DevSecOps.

4 min Application Security

How to Prevent Cross-Site Scripting (XSS) Attacks

Cross-site scripting (XSS) isn’t new, but its impact and visibility are both growing. Here’s what you need to know to protect your applications from XSS attacks.

4 min tCell

How to Protect the File System from Your App with WAFs and RASP

The new Local Files protection in tCell joins other RASP protections to defend against serious compromises.

6 min Application Security

App-a-Bet Soup: Should You Use a SAST, DAST, or RASP Application Security Tool?

In this blog, we discuss all things web applications and how to select the right application security solution to keep them safe from attack.

1 min Application Security

Rapid7 Announces an Early Access Program for tCell by Rapid7

We are excited to announce that we are launching the early access program for tCell by Rapid7.

4 min Application Security

Beyond Static Rules: WAF vs. RASP for Better Web Application Security

In this blog post, we’ll discuss the differences between traditional web application firewalls (WAFs) and runtime application self-protection (RASP).

5 min Podcast

Great Barrier Grief: How to Break Through Bottlenecks with Automated AppSec

In our brand-new podcast, Security Nation, Zate Berg of Indeed.com explains how he avoided making his team an engineering bottleneck through automated appsec.

7 min Application Security

Hidden Helpers: Security-Focused HTTP Headers

This blog includes real-world scenarios in which attackers can manipulate unsecured HTTP headers and how to prevent your organization from falling victim.

4 min InsightAppSec

How InsightAppSec Can Help You Improve Your Approach to Application Security

In this post, we’ll explore why modern apps require modern testing and how our DAST tool, InsightAppSec, addresses the needs application security teams ask for most.

5 min Application Security

How to Choose the Right Application Security Tool for Your Organization

In this post, we’re taking a look at the various application security testing technologies and how to determine which is best for your organization.

5 min Application Security

5 Considerations When Creating an Application Security Program

In this blog, we explain how to address application security within your organization and how this translates into building better code.

5 min InsightAppSec

New InsightAppSec Features and Updates: A Look Inside

In this post, you’ll learn about all of our new features of InsightAppSec, how you can benefit from them, and how you can begin using them right away.

3 min Application Security

Single-Page Applications: The Journey So Far

While modern web application technology has made apps more useful, it's also made them harder to secure.

3 min Incident Detection

Rapid7 Leads All 'Strong Performers' in 2018 Forrester Wave for Emerging MSSPs

We’re proud to be recognized in the Forrester Wave as the leader in the “Strong Performer” category and to score second highest overall current offering for our Managed Security Services.

1 min Application Security

Rapid7 Acquires Leading Web Application Security Provider, tCell

Today, Rapid7 announced the acquisition of tCell, a leading provider of web application threat defense and monitoring. We are so excited to have tCell join the Rapid7 family!

4 min Application Security

How to Defend Against Magecart Using CSP

In this blog, we explain how you can defend against Magecart credit card skimming attacks by using the Content-Security-Policy HTTP header to restrict which scripts a page may load and where it may send data.
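The CSP overview above describes the policy as a set of load restrictions, and this post applies those restrictions to Magecart. As an added illustration (this is example code, not from either Rapid7 post), the following evaluator parses a Content-Security-Policy header and decides whether a given fetch would be permitted, with fallback to default-src, so you can see why a skimmer served from a foreign host is refused by script-src and why its exfiltration call is refused by connect-src. It handles host sources, scheme sources, 'self' and 'none' only; nonces, hashes and 'strict-dynamic' are out of scope. Every hostname (checkout.example.shop, cdn.example.shop, evil-analytics.invalid) is made up.

```javascript
// Added example: minimal evaluator for CSP fetch directives (not Rapid7's code).
// Hostnames in the policy and the test URLs are constructed for the demo.

const FETCH_FALLBACK = 'default-src';

// Parse "directive src src; directive src" into Map<directive, [sources]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Match one source expression against a URL loaded by a page at pageOrigin.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (s.endsWith(':')) return url.protocol === s; // scheme-source, e.g. "https:" or "data:"
  // host-source: [scheme://][*.]host[:port][/path]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const urlHost = url.hostname.toLowerCase();
  if (wildcard) {
    // "*.example.shop" matches subdomains only, never example.shop itself.
    if (!urlHost.endsWith('.' + host)) return false;
  } else if (urlHost !== host) {
    return false;
  }
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Is a load governed by `directive` (e.g. 'script-src') allowed? A missing
// directive falls back to default-src; if neither exists, CSP does not restrict it.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const sources = policy.get(directive) ?? policy.get(FETCH_FALLBACK);
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed policy for a hypothetical checkout page.
const SHOP_POLICY = parseCsp(
  "default-src 'self'; script-src 'self' https://cdn.example.shop; " +
  "img-src 'self' data:; connect-src 'self' https://api.example.shop; " +
  "object-src 'none'"
);
const PAGE = 'https://checkout.example.shop/pay';

// A Magecart-style skimmer injected from an attacker-controlled host is not in
// script-src, so the browser refuses to run it...
function skimmerScriptAllowed() {
  return isAllowed(SHOP_POLICY, 'script-src', 'https://evil-analytics.invalid/skim.js', PAGE);
}
// ...and even an inline skimmer could not POST card data there, per connect-src.
function skimmerExfilAllowed() {
  return isAllowed(SHOP_POLICY, 'connect-src', 'https://evil-analytics.invalid/collect', PAGE);
}
// The shop's own CDN script is still permitted.
function ownScriptAllowed() {
  return isAllowed(SHOP_POLICY, 'script-src', 'https://cdn.example.shop/app.js', PAGE);
}
```

Note the fallback rule: a font load under this policy falls back to default-src 'self', while object-src 'none' blocks plugins even from the page's own origin. Enforcing the header is only half the job; pair it with a report-uri or report-to endpoint so the violation reports tell you when a skimmer attempt was blocked.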

5 min InsightAppSec

New Features: Rapid7 Launches Public API For InsightAppSec

Rapid7 is pleased to announce the newest addition to your application security toolkit on the Rapid7 Insight platform: the public API in our DAST solution, InsightAppSec.

2 min Application Security

The Newegg Breach: PCI Means Nothing to Magecart

Both the British Airways and Newegg breaches occurred at sites that followed data security rules but were not protected against attacks like Magecart.

2 min Application Security

The British Airways Breach: PCI is Not Enough

Magecart's techniques are sophisticated and worth understanding in detail, especially because they point out a major gap that occurs even with perfect PCI compliance.

3 min Application Security

In Our Customers’ Words: Why Mastering Application Security Basics Matters

In a recent conversation with a Rapid7 application security customer, I was reminded how much of a security practitioner’s day can be consumed by troubleshooting buggy tools and manually executing the same tasks over and over again (needlessly, may I add). As much as we’d like to think that security professionals’ time is being efficiently utilized, oftentimes inadequate tools, a lack of automation, and organizational silos impede SecOps-driven [https://www.rapid7.com/solutions/secops/] progress

2 min Application Security

New InsightAppSec Releases: Compliance Reports and the AppSec Toolkit

Things are always brewing in Rapid7 product development. Today, we’re excited to announce several new features in InsightAppSec, our cloud-powered application security testing solution for modern web apps [https://www.rapid7.com/products/insightappsec/]. These include:
* Custom reports for PCI, HIPAA, SOX, and OWASP 2017 compliance requirements
* PDF report generation
* The Rapid7 AppSec Toolkit
* Macro Recorder
* Traffic Viewer
* RegEx Builder
* Swagger/Rest API Utilit

4 min Application Security

How DevOps Can Use Quality Gates for Security Checks

Your team has been working at all hours to put the final touches on code for a new big feature release. All the specs are in, the feature works as expected, and the code is pushed to production. A few hours later, the daily security scan runs and the alerts start piling in. What went wrong? And what do you do now? Typically when this happens, it means rolling back the entire deployment, retroactively fixing the bugs and vulnerabilities in the code, and a week or two later, re-deploying. If you’

4 min Application Security

Diving Deep and Finding Vulnerabilities in Modern Web Applications

As more and more companies shift the responsibility of security earlier [https://information.rapid7.com/shifting-left-sdlc.html] in the software development lifecycle (SDLC), DevOps teams are being tasked with detecting vulnerabilities within their applications. Already scrambling to keep up with the terminology, processes, and technologies of modern-day security, DevOps teams also have to contend with the dynamic complexities of securing web apps [https://www.rapid7.com/fundamentals/web-applica

3 min Application Security

The Jet Age of WAF: Application Awareness

For the final installment in our history of web security, it's time to bring the story into the present. The problem with bronze-age techniques, a.k.a. the stateful WAF [/stateful-waf-aka-the-bronze-age], is that they put a security engine in front of your application that needs to build a model of what the application does. Your ability to build effective security is directly related to the accuracy of the application model. As long as the model accurately predicts the application's behavior, ev

2 min GDPR

Securing Personal Information in Web Applications for GDPR

The General Data Protection Regulation (GDPR) [https://www.rapid7.com/solutions/compliance/gdpr/] is just around the corner: it comes into effect on May 25, 2018. If you feel a refresher on this far-reaching privacy law is in order, we’ve got a lot of great content [/tag/gdpr/] to help you and your organization get ready. Now, how do most organizations collect personal information from users these days? Web applications, of course! And as we know [https://www.youtube.com/watch?v=B6Dzc7_3w-k],

7 min Application Security

Getting your Spidey on with Mobile Apps

As web applications continue to proliferate in the attack surface and more people make protecting them a priority, there is also a shift in the definition of a “web application,” and how we understand their potential vulnerabilities [https://www.rapid7.com/fundamentals/web-application-vulnerabilities/]. A perfect illustration? OWASP finally incorporating APIs in their Top Ten. While this is a good start, we as a community need to continue to push the envelope on how we look at web application s

4 min Application Security

3 Ways to Accelerate Web App Security Testing

It used to be that web application security testing [https://www.rapid7.com/solutions/application-security/] was the job of just the security team. Today, it is becoming a much more integrative function, especially for organizations who have adopted DevOps [/2015/03/13/getting-started-with-devops/]. Development cycles have become shorter and features are released more frequently for companies to stay competitive. Trouble is, with shorter development cycles, security needs a way to keep up. After

2 min InsightAppSec

How to Scan Your Own Application with the InsightAppSec Free Trial

We think this is pretty sweet news. You asked, we built it—now you can scan one of your own applications with an InsightAppSec trial! But before you start scanning your own application with the InsightAppSec free trial [https://www.rapid7.com/try/insightappsec], you’ll need to validate your application’s domain. This requires adding a custom-generated meta tag to your application’s root path. Let’s get started. When adding your app to the InsightAppSec free trial, you’ll be given an option to

2 min InsightAppSec

Making the Dream Work: Teaming with Dev for Safer Production Apps

So you’ve read the reports outlining how important it is for developers and security teams to work together to build web applications quickly and securely [https://information.rapid7.com/sans-state-of-application-security-2017-report.html] , you’ve scoured the web and have researched the importance of building a web application program at your organization [https://www.rapid7.com/solutions/application-security/], perhaps even watched some videos talking about the evolution of web applications an

3 min InsightAppSec

3 Questions to Ask When Prioritizing Web Application Vulnerabilities

Dynamic application security testing (DAST) often results in a constantly evolving list of security vulnerabilities. When scanning a web application [https://www.rapid7.com/fundamentals/web-application-security/] in production or in an active testing environment, issues can crop up as quickly as changes happen within the app. And when exposed to the internet itself, there are many more ways in which security vulnerabilities [https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/]

4 min InsightAppSec

The 4 Big Differences Between Network Security and Web Application Security

Tomato, tomato, potato, potato, network security and web application security [https://www.rapid7.com/solutions/application-security/]. Two things that may seem similar but are actually quite different. Network security (here meaning vulnerability assessment or vulnerability management [https://www.rapid7.com/solutions/vulnerability-management/]) has been around for quite some time and is something most security practitioners today know well. Web application security, however, is still not wi

4 min Application Security

Fast and Secure SDLC: 4 Barriers to Tackle for Better Web Application Security

It’s been months in the making. It promises to generate new revenue for the business. And there’s one team that hasn’t seen it yet. We’re talking about your shiny new web application. Back in the day, it used to be that development would create an application, throw it over the wall to security to review, and security would return back a laundry list of issues that needed to be fixed before it could be pushed to production. Or, perhaps worse, apps are reviewed only after they are pushed to produ

2 min Application Security

The Magic Behind Rapid7 Managed Application Security Services

When I was younger, one of my favorite gifts was a magic kit. My dad did magic tricks with cards and rope, and whenever I asked how he did it, he’d say, “A magician never tells his secrets.” Part of why I loved that gift so much is I got to be the magician—and I got a glimpse of the secrets. Whenever I spend time with the Managed Application Security team at Rapid7, I feel like I did when I was younger: excited to learn about how the magic works. Here are some of the secrets I’ve learned. Appl

3 min InsightAppSec

InsightAppSec Feature Highlights: On-Premise Engines, JIRA Integration, and More

Powerful Yet Simple DAST Scanning Gets Even Better
InsightAppSec [https://www.rapid7.com/products/insightappsec/], Rapid7’s cloud-powered web application security testing solution [https://www.rapid7.com/solutions/application-security/], has added three powerful new features:
* On-premise scan engines
* JIRA integration
* Scan Activity view
Test Your Internal Applications and Reduce Your Risk
Web application security testing [https://www.rapid7.com/fundamentals/web-application-security-test

2 min Application Security

Takeaways from 2017 SANS State of Application Security Survey

The training and research organization SANS recently released their 2017 State of Application Security survey results [https://information.rapid7.com/sans-state-of-application-security-2017-report.html]. The new report shows that now, more than ever, organizations need to invest in solutions that automate application security testing [https://www.rapid7.com/solutions/application-security/] in order to reap benefits like:
* Identifying security vulnerabilities earlier in the development cycle

2 min IoT

IoT Mobile Application Credential Encryption

Rapid7 IoT Research Lead Deral Heiland offers several of his takeaways from testing IoT mobile applications.

3 min AppSpider

What's New in AppSpider Pro 7.0?

In the latest release of AppSpider Pro [https://www.rapid7.com/products/appspider/], version 7.0, you will find some great new features which improve the crawling, attacking, and overall usability of the product. Below are a few of the key new enhancements you will find in the release.
Chrome/WebKit Integration
With the introduction of the Chrome/WebKit browser, AppSpider Pro now supports both Chrome and Internet Explorer as default browsers. These integrated browsers facilitate AppSpider's craw

4 min Application Security

What Is User Enumeration?

User enumeration is a weakness that lets an attacker guess or confirm which usernames exist in a system, typically by brute-forcing candidate names and watching for differences in the application's responses (error messages, status codes, or response times).

3 min Application Security

R7-2017-02: Hyundai Blue Link Potential Info Disclosure (FIXED)

Summary Due to a reliance on cleartext communications and the use of a hard-coded decryption password, two outdated versions of Hyundai Blue Link application software, 3.9.4 and 3.9.5, potentially expose sensitive information about registered users and their vehicles, including application usernames, passwords, and PINs via a log transmission feature. This feature was introduced in version 3.9.4 on December 8, 2016, and removed by Hyundai on March 6, 2017 with the release of version 3.9.6. Affec

1 min Application Security

Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose

On March 9th, 2017, we highlighted the availability of a vulnerability check in Nexpose for CVE-2017-5638 [https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] – see the full blog post describing the Apache Struts vulnerability here [/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check is performed against the root URI of any HTTP/S endpoints discovered during a scan. On March 10th, 2017, we added an additional check that works in conjunctio

2 min Application Security

Bug, Not Alert: How Application Security Must Use Different Words

"Words matter” is something that comes out of my mouth nearly every day. At work it matters how we communicate with each other, and the words we use might be the difference between collaboration and confrontation. The same happens in the security world, especially when we communicate with folks in IT or within the DevOps methodology. Last week this became highly apparent while sitting with folks attending OWASP's annual AppSec USA [https://2016.appsecusa.org/], where they discussed the difference betwe

4 min Javascript

AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS

Today, Rapid7 is pleased to announce an AppSpider [https://www.rapid7.com/products/appspider/] (application security scanning) update that includes enhanced support for JavaScript Single Page Applications (SPAs) built with ReactJS. This release is significant because SPAs are proliferating rapidly and increasingly creating challenges for security teams. Some of the key challenges with securing SPAs are:
1. Diverse frameworks - The diversity and number of JavaScript frameworks contributes

7 min DevOps

Honing Your Application Security Chops on DevSecOps

Integrating Application Security with Rapid Delivery Any development shop worth its salt has been honing their chops on DevOps tools and technologies lately, either sharpening an already practiced skill set or brushing up on new tips, tricks, and best practices. In this blog, we'll examine how the rise of DevOps and DevSecOps have helped to speed application development while simultaneously enabling teams to embed application security earlier into the software development lifecycle in automatic

2 min AppSpider

Validate Web Application Security Vulnerabilities with AppSpider's New Chrome Plug-In

AppSpider's Interactive Reports Go Chrome
We are thrilled to announce a significant reporting enhancement to AppSpider, Rapid7's dynamic application security scanner [https://www.rapid7.com/products/appspider/]. AppSpider now has a Chrome Plug-in that enables users to open any report in Chrome and use the real-time vulnerability validation feature without the need for Java or having to zip up the folder and send it off. This makes reporting and troubleshooting even easier! Enabling

3 min AppSpider

RESTful Web Services: Security Testing Made Easy (Finally)

AppSpider's got even more Swagger now! As you may remember, we first launched improved RESTful web services security testing [/2015/12/17/appspider-s-got-swagger-the-first-end-to-end-security-testing-for-rest-apis] last year. Since that time, you have been able to test the REST APIs that have a Swagger definition file, automatically without capturing proxy traffic. Now, we have expanded upon that functionality so that AppSpider can automatically discover Swagger definition files as part of the

3 min Application Security

Lessons Learned in Web Application Security from the 2016 DBIR

We spent last week hearing from experts around the globe discussing what web application security insights we have gotten from Verizon's 2016 Data Breach Investigations Report. Thank you, Verizon, and all of your partners for giving us a lot to think about! We also polled our robust Rapid7 Community asking them what they have learned from the 2016 DBIR. We wanted to share some of their comments as well:
Quick Insights from the Rapid7 Community
> "I find that the Verizon Data Breach Investigati

2 min Exploits

Social Attacks in Web App Hacking - Investigating Findings of the DBIR

This is a guest post from Shay Chen [https://twitter.com/sectooladdict], an Information Security Researcher, Analyst, Tool Author and Speaker. The guy behind TECAPI [http://tecapi.com/public/relative-vulnerability-rating-gui.jsp] , WAVSEP [https://github.com/sectooladdict/wavsep] and WAFEP [https://sourceforge.net/projects/wafep/] benchmarks. Are social attacks that much easier to use, or is it the technology gap of exploitation engines that make social attacks more appealing? While reading t

3 min AppSpider

2016 DBIR & Application Security: Let's Get Back to the Basics Folks

This is a guest post from Tom Brennan [https://www.linkedin.com/in/tombrennan], Owner of ProactiveRISK [http://www.proactiverisk.com/] and serving on the Global Board of Directors for the OWASP Foundation. [http://www.owasp.org/] In reading this year's Verizon Data Breach Investigations Report, one thing came to mind: we need to get back to the basics. Here are my takeaways from the DBIR.
1. Remain Vigilant
Recently, data relating to 1.5 million customers of Verizon Enterprise [http://krebsons

3 min Application Security

3 Web App Sec-ian Takeaways From the 2016 DBIR

This year's 2016 Verizon Data Breach Report [/2016/05/02/web-application-security-insights-from-the-2016-verizon-dbir] was a great read. As I spend my days exploring web application security, the report provided a lot of great insight into the space that I often frequent. Lately, I have been researching out-of-band and second-order vulnerabilities as well as how Single Page Applications are affecting application security programs. The following three takeaways are my gut-reaction thoughts on th

2 min Verizon DBIR

The 2016 Verizon Data Breach Investigations Report (DBIR) - A Web Application Security Perspective

The 2016 Verizon Data Breach Investigations Report [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/] (DBIR) is out and everyone is poring over the report to see what new insights we can take from last year's incidents and breaches. We have not only created this post to look at some primary application security takeaways, but we also have gathered guest posts from industry experts. Keep checking back this week to hear from people living at the front lines of web application secur

3 min AppSpider

Modern Applications Require Modern Dynamic Application Security Testing (DAST) Solutions

Is your Dynamic Application Security Testing (DAST) solution leaving you exposed? We all know the story of the Emperor's New Clothes. A dapper Emperor is convinced by a tailor that he has the most incredible set of clothes that are only visible to the wise. The emperor purchases them, but cannot see them because it is just a ruse. There are no clothes. Unwilling to admit that he doesn't see the clothes, he wanders out in public in front of all of his subjects, proclaiming the clothes' beauty unt

3 min IoT

What's In A Hostname?

Like the proverbial cat, curiosity can often get me in trouble, but often enough, curiosity helps us create better security. It seems like every time I encounter a product with a web management console, I end up feeding it data that it wasn't expecting. As an example, while configuring a wireless bridge that had a discovery function that would identify and list all Wi-Fi devices in the radio range, I thought: "I wonder what would happen if I broadcast a service set identifier (SSID) [https://en

5 min Application Security

Hacking Apps - So Easy An Infant Can Do It

Mobile app hacking is nothing new. Many people have performed different assessments and there are even courses all about it. Even so, many penetration testers may still be hesitant about performing these types of assessments, or may not do them well. Mobile application hacking is much like other forms of hacking. You can't get really good unless you regularly practice. So how can we get experience hacking mobile applications? Well, with over 1.5 million apps in the Google Play store and the Appl

1 min Application Security

Top 3 Takeaways from the "Skills Training: How to Modernize your Application Security Software" Webcast

In a recent webcast, Dan Kuykendall [/author/dan-kuykendall/], Senior Director of Application Security Products at Rapid7, gave his perspective on how security professionals should respond to applications, attacks, and attackers that are changing faster than security technology. What should you expect for your application security solutions and what are some of the strategies you can use to effectively update your program? Read on for the top takeaways from the webcast “Skills Training: How to M

3 min Application Security

CISO in Residence Series: Security teachable moments

A CISO I know was recently asked by his parent company to log into a third-party web portal to receive some important business plans and legal documents. The web portal is designed so that documents can be securely uploaded by one person or team and received by another. The CISO noted a few things. There were questions about just how “secure” this web portal was. It didn't seem to use end-to-end encryption. And it wasn't clear how enrollment/authentication worked. But what really caught his eye is tha

1 min AppSpider

Mobile Application Security: Think Twice Before Placing Football Bets

A version of this blog was originally posted on September 25, 2013. Have you heard about the vulnerability in the Yahoo! Fantasy Football app [https://threatpost.com/yahoo-fantasy-football-app-vulnerable-update-available/102180]? If Knowshon Moreno's [http://www.sbnation.com/fantasy/2013/9/24/4764778/knowshon-moreno-fantasy-football-broncos-vs-raiders-recap] performance on Monday against the Oakland Raiders got you down, you might want to read this warning to fantasy football players: Don't p

2 min Application Security

3 Tips for Finding the Best Website Security Scanner

A version of this blog was originally posted on July 16, 2013. While it takes some work to find the best website security scanner for your organization, if you follow these three simple guidelines, you'll be off to a good start. Although accurate automated application security testing has been common practice for many organizations for over 10 years, it remains a very difficult and complex process. There are automation techniques that ensure a scan is as automated as possible, reduces scan time

2 min AppSpider

3 Big Trends in Application Security

A version of this blog was originally posted on July 18, 2013. With application security it seems there is never a dull moment. Different facets of web security continue to evolve, from the hackers and the hacks to the techniques we use to combat them. Here are some of the trends we see emerging and maturing as best practices. Let us know if you are implementing these and how it's going! 1. Continuous Scanning There's a lot of buzz around the concept of continuous scanning, but in the world of

2 min Application Security

Fix Security Defects Earlier with AppSpider and Selenium Integration

[A version of this blog was originally posted on September 24, 2014] It's a well-known fact that it costs less to fix security defects [http://www.rapid7.com/products/appspider/] earlier in the software development lifecycle than later. But because most security professionals are experts in security and less familiar with applications, and QA teams are experts in applications and less familiar with security, integrating security testing earlier in the software development lifecycle can be a cha

3 min AppSpider

5 Must-Haves for Modern Application Security Scanners

Dynamic Application Security Testing (DAST) solutions have been around for over a decade, so you might think the market is static. But, that's hardly the case. Web applications and malicious hackers continue to evolve and DAST solutions need to keep pace. According to Gartner, DAST technology analyzes applications in their running state (in real or “almost” real life) during operation or testing phases. It simulates attacks against a Web application, analyzes application reactions and, thus, det

2 min AppSpider

Top 10 Business Logic Attack Vectors

I thought I'd take a moment to dig a little deeper on our whitepaper titled “Top 10 Business Logic Attack Vectors.” Why did we write this paper? 1. Business logic vulnerabilities are not new, but these vulnerabilities are common, dangerous and too often untested. 2. Security experts need to know that these must be tested manually and must not be overlooked. It is imperative to complement the automated testing process with human discovery of security risks that can be exploited

4 min AppSpider

7 Deadly Sins: Unlock the Gates of Mobile Hacking Heaven

I've spent the past year hacking mobile applications in an effort to uncover the most common security mistakes made during development. I found that most of the problems are related to session management – the process of authenticating the user and ensuring an attacker isn't impersonating a user or eavesdropping on the service. In most cases, a vulnerability in any single area isn't a significant liability. However, the more mistakes that are made, the easier it is to attack the app. Here is wh

3 min AppSpider

Security Testing Complex Workflows, Not So Complex Anymore

Conducting web application security testing [http://www.rapid7.com/products/appspider/] for complex workflows can be a real pain. In order to find vulnerabilities, valid test data must be passed through exactly as the workflow prescribes. Most web application security testing scanners aren't up for the job, so security testers must supplement their scans with manual testing. If your organization has just a couple applications that aren't changing, then manual testing may not be a big deal, but t

3 min AppSpider

7 Ways to Improve the Accuracy of your Application Security Tests

For more than 10 years, application security testing has been a common practice for organizations to identify and remediate vulnerabilities in their web applications. While it's difficult to figure out the best web security software for your organization, there are seven key techniques that not only increase the accuracy of testing in most applications, but also enable teams to leverage expert resources to test necessary areas by hand. IT security experts who conduct application security testing or are trying to fi

4 min AppSpider

Modernize Your Application Security Scanning in Four Easy Steps

You've built modern mobile and rich internet applications (RIAs) that are sure to improve your business' next major revenue stream. Conscious of security, you've ensured that the native application authenticates to the server, and you've run the app through a web application security scanner to identify weaknesses in the code. Those vulnerabilities have been remediated, and now you're ready to go live. Not so fast. Despite your best intentions, chances are good your mobile and rich internet ap

2 min Application Security

Welcome AppSpider! NT OBJECTives Joins the Rapid7 Family

I'm pleased to announce that NT OBJECTives (NTO) -- the technology leader in Web Application Scanning and Dynamic Application Security Testing -- has joined the Rapid7 family. [http://www.rapid7.com/company/news/press-releases/2015/rapid7-acquisition-nt-objectives.jsp] This is an exciting day for both Rapid7 and NT Objectives to combine with an increased focus to help companies protect themselves from increasing threats facing web applications. Protecting web applications has never been more im

1 min Metasploit

HackMiami Web Application PwnOff - Nexpose w/Metasploit Dominated

During the HackMiami 2013 Hacker Conference [http://hackmiami.org/] held in Miami Beach, a live Web Application Scanner PwnOff contest pitted common web scanning suites against each other. Participants included Acunetix, IBM Rational AppScan, NT OBJECTives NTOSpider, Portswigger Burp, and Rapid7 Nexpose [http://www.rapid7.com/products/nexpose/] with Metasploit [http://www.rapid7.com/products/metasploit/]. In a head-to-head battle each of the automated web application scanning suites went up agai

6 min Nexpose

Guide to HTTP Header Configuration

This guide is designed to show how to set up an authenticated web application scan using HTTP headers, using Metasploit as the target web application. We will also go over using the Firebug and Cookie Importer add-ons in Firefox to manually test HTTP headers. The first thing we want to do is open Firefox and download the 'Cookie Importer' and 'Firebug' add-ons. Now that we have our add-ons installed we will want to restart our browser and then start

1 min Metasploit

Webcast Q&A: OWASP Top 10 and Web App Scanning Webcast

First of all, a big thank you to all of you who participated in our OWASP Top 10 and Web App Scanning webcast last week. (If you missed it, you can view a recording here [http://information.rapid7.com/on-demand-webcast-owasp-top-10.html?LS=1949402&CS=web].) Because of an issue with the webcast platform, I wasn't able to see all of the audience questions while we were online. However, my colleagues were able to recover the unanswered questions, so I created questions and answers for them in the

4 min Metasploit

Metasploit Pro 4.6 Adds OWASP Top 10 2013 and Security Auditing Wizards

Today, we released Metasploit Pro 4.6, which brings you some awesome new features for your enterprise security program. Updated Web Application Security Testing with Support for OWASP Top 10 2013 Web applications are gaining more and more traction, both through internally developed applications and by adding SaaS-based solutions. These applications often contain some of the most confidential information in the organization, such as financial and customer data, credit card numbers, medical data,

1 min Events

Wendy Nather on UNITED: Hair Today, Con Tomorrow

It's that time of year again—the UNITED Security Summit [http://www.unitedsummit.org/index.jsp] is just around the corner and I'm excited to be speaking again. Last year's conference combined the intimacy of a smaller, specialized conference with the variety of topics of a larger conference. The sweet spot of size and diversity meant security discussions everywhere: before, during, and after presentations, as well as in the ever-popular “hallway track.” This year I'll be explaining “Why Doing A

2 min Release Notes

Getting the Most from Customizable CSV Exports - Part 6

Hi, my name is Eden Martinez, and I'm a Federal Sales Engineer with Rapid7. Larger environments often list scalability as one of their top problems; specifically, too much data. With current tools, it's not hard to generate large data sets. Most tools are comprehensive, with a focus on "the largest list of results wins." While you can turn all the knobs on Nexpose up to 11, I've found many enterprise environments prefer to focus on prioritization of vulnerabilities and trending of the results. M

4 min Release Notes

Nexpose Reaches OWASP Top10 Coverage

Rapid7 is proud to announce that Nexpose's 5.1 web application scanning capabilities can now detect all types of vulnerabilities in OWASP's Top10 [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project]! We've completed this task with the addition of two new vulnerability checks, A5: Cross-Site Request Forgery (CSRF) [https://www.owasp.org/index.php/Top_10_2010-A5] and A8: Failure to Restrict URL Access [https://www.owasp.org/index.php/Top_10_2010-A8]. The next paragraphs will describe

1 min Release Notes

New w3af release! (1.1)

Today we're releasing w3af's 1.1 version which includes the following changes:

* Considerably increased performance by implementing gzip encoding
* Enhanced embedded bug report system using Trac's XMLRPC
* Fixed hundreds of bugs
* Fixed critical bug in auto-update feature
* Enhanced integration with other tools (bug fixed and added more info to the file)

And of course many others that were not included for the sake of brevity. As usual, you can download the latest version from ht

1 min Application Security

Rapid7 at OWASP AppSec US

OWASP's biggest show is just around the corner! This year's OWASP AppSec USA [http://www.appsecusa.org/] will be held in Minneapolis and Rapid7 is all in. We're sponsoring the show and I'm going to be participating as a speaker [http://www.appsecusa.org/talks.html#wasp] and will be showing w3af tips and tricks at the Open Source Showcase [http://www.appsecusa.org/oss.html] arena. If you haven't heard about Web Application Security Payloads yet, this will be your chance to learn about this new t

2 min Application Security

w3af: winning the fight against encodings!

The Web is not only written in ASCII [http://es.wikipedia.org/wiki/ASCII]. Most of us in the western hemisphere are used to reading different languages which, except for a couple of letters like ñ and ç, can be represented with ASCII [http://es.wikipedia.org/wiki/ASCII] (see also: man ascii), but the world has more to offer with Cyrillic, Chinese, Greek, Arabic and thousands more languages with their own special encodings. With the latest changes we've been working on together with Javier Andal

2 min Nexpose

Detecting LDAP injections

It all started to go wrong when Web applications started to replace internal desktop applications in many companies around the globe and one manager proposed: "We should authenticate access to this application using our Active Directory!" and after some minutes a developer wrote a piece of code that looked like: String ldap_search_query = "(&(user=" + username + ")(password=" + pwd + "))"; LDAPCursor ldap_result_cursor = ldapQuery( ldap_search_query ); The idea of having a centralized location for

2 min Flash

Don't get blinded by the Flash!

Flash has become a de-facto standard for Web applications, yet most vulnerability management solutions don't do a very good job verifying Flash content. This is surprising, especially since 98% of workstations have the Adobe Flash player installed, according to an Adobe study. The Flash player itself can contain unpatched vulnerabilities, which most scanners already detect. However, most scanners completely ignore the actual Flash applications and their interactions with the back-end servers.

1 min Networking

w3af: Better, Stronger, Faster

Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you'll be able to enjoy new vulnerability checks, more stable code and about a 15% performance boost in the overall speed of your scan. Here's what's new: * Now using bloom filters [http://en.wikipedia.org/wiki/Bloom_filter] instead of sqlite3 databases, which are persistent on disk, effectively increasing scan performance by about 15%!

2 min Exploits

Sesame open: Auditing password security with Metasploit 3.5.1

Secret passwords don't only get you into Aladdin's cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. The new Metasploit version 3.5.1 adds a l

2 min Application Security

Open source on steroids: How we boosted w3af development

I'm thrilled to announce that we're releasing w3af version 1.0-rc4 and that it offers users many great new features. But, I'm even more excited to say that the release isn't the big news. The major achievement is the story behind the release and the effort put in by our contributors, our core developer Javier Andalia, and Rapid7, the sponsor who makes it all happen. For the first time in the w3af project's life, we have a roadmap [https://sourceforge.net/apps/trac/w3af/roadmap], a prioritized b

2 min Exploits

Take an earlier flight home with the new Metasploit Pro

We love it, our beta testers loved it, and we trust you will as well: today we're introducing Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp], our newest addition to the Metasploit family, made for penetration testers who need a bigger, and better, bag of tricks. Metasploit Pro provides advanced penetration testing capabilities, including web application exploitation and social engineering. The feedback from our beta testers has been fantastic; most people loved how easily