Posts tagged Application Security

3 min Application Security

In Our Customers’ Words: Why Mastering Application Security Basics Matters

In a recent conversation with a Rapid7 application security customer, I was reminded how much of a security practitioner’s day can be consumed by troubleshooting buggy tools and manually executing the same tasks over and over again (needlessly, may I add). As much as we’d like to think that security professionals’ time is being efficiently utilized, oftentimes inadequate tools, a lack of automation, and organizational silos impede SecOps-driven progress

2 min Application Security

New InsightAppSec Releases: Compliance Reports and the AppSec Toolkit

Things are always brewing in Rapid7 product development. Today, we’re excited to announce several exciting new features in InsightAppSec, our cloud-powered application security testing solution for modern web apps. These include:

* Custom reports for PCI, HIPAA, SOX, and OWASP 2017 compliance requirements
* PDF report generation
* The Rapid7 AppSec Toolkit
* Macro Recorder
* Traffic Viewer
* RegEx Builder
* Swagger/Rest API Utilit

4 min Application Security

How DevOps Can Use Quality Gates for Security Checks

Your team has been working at all hours to put the final touches on code for a new big feature release. All the specs are in, the feature works as expected, and the code is pushed to production. A few hours later, the daily security scan runs and the alerts start piling in. What went wrong? And what do you do now? Typically when this happens, it means rolling back the entire deployment, retroactively fixing the bugs and vulnerabilities in the code, and a week or two later, re-deploying. If you’

4 min Application Security

Diving Deep and Finding Vulnerabilities in Modern Web Applications

As more and more companies shift the responsibility of security earlier in the software development lifecycle (SDLC), DevOps teams are being tasked with detecting vulnerabilities within their applications. Already scrambling to keep up with the terminology, processes, and technologies of modern-day security, DevOps teams also have to contend with the dynamic complexities of securing web apps

3 min Application Security

The Jet Age of WAF: Application Awareness

For the final installment in our history of web security, it's time to bring the story into the present. The problem with bronze-age techniques, aka the stateful WAF [/stateful-waf-aka-the-bronze-age], is that they put a security engine in front of your application that needs to build a model of what the application does. Your ability to build effective security is directly related to the accuracy of the application model. As long as the model accurately predicts the application's behavior, ev

2 min GDPR

Securing Personal Information in Web Applications for GDPR

The General Data Protection Regulation (GDPR) is just around the corner: it comes into effect on May 25, 2018. If you feel a refresher on this far-reaching privacy law is in order, we’ve got a lot of great content [/tag/gdpr/] to help you and your organization get ready. Now, how do most organizations collect personal information from users these days? Web applications, of course! And as we know,

7 min Application Security

Getting your Spidey on with Mobile Apps

As web applications continue to proliferate in the attack surface and more people make protecting them a priority, there is also a shift in the definition of a “web application,” and how we understand their potential vulnerabilities. A perfect illustration? OWASP finally incorporating APIs in their Top Ten. While this is a good start, we as a community need to continue to push the envelope on how we look at web application s

4 min Application Security

3 Ways to Accelerate Web App Security Testing

It used to be that web application security testing was the job of just the security team. Today, it is becoming a much more integrative function, especially for organizations who have adopted DevOps [/2015/03/13/getting-started-with-devops/]. Development cycles have become shorter and features are released more frequently for companies to stay competitive. Trouble is, with shorter development cycles, security needs a way to keep up. After

2 min InsightAppSec

How to Scan Your Own Application with the InsightAppSec Free Trial

We think this is pretty sweet news. You asked, we built it—now you can scan one of your own applications with an InsightAppSec trial! But before you start scanning your own application with the InsightAppSec free trial, you’ll need to validate your application’s domain. This requires adding a custom-generated meta tag to your application’s root path. Let’s get started. When adding your app to the InsightAppSec free trial, you’ll be given an option to

2 min InsightAppSec

Making the Dream Work: Teaming with Dev for Safer Production Apps

So you’ve read the reports outlining how important it is for developers and security teams to work together to build web applications quickly and securely, you’ve scoured the web and have researched the importance of building a web application program at your organization, perhaps even watched some videos talking about the evolution of web applications an

3 min InsightAppSec

3 Questions to Ask When Prioritizing Web Application Vulnerabilities

Dynamic application security testing (DAST) often results in a constantly evolving list of security vulnerabilities. When scanning a web application in production or in an active testing environment, issues can crop up as quickly as changes happen within the app. And when exposed to the internet itself, there are many more ways in which security vulnerabilities

4 min InsightAppSec

The 4 Big Differences Between Network Security and Web Application Security

Tomato, tomato, potato, potato, network security and web application security. Two things that may seem similar but are actually quite different. Network security (also known as vulnerability assessment or vulnerability management) has been around for quite some time and is something most security practitioners today know well. Web application security, however, is still not wi

4 min Application Security

Fast and Secure SDLC: 4 Barriers to Tackle for Better Web Application Security

It’s been months in the making. It promises to generate new revenue for the business. And there’s one team that hasn’t seen it yet. We’re talking about your shiny new web application. Back in the day, it used to be that development would create an application, throw it over the wall to security to review, and security would return back a laundry list of issues that needed to be fixed before it could be pushed to production. Or, perhaps worse, apps are reviewed only after they are pushed to produ

2 min Application Security

The Magic Behind Rapid7 Managed Application Security Services

When I was younger, one of my favorite gifts was a magic kit. My dad did magic tricks with cards and rope, and whenever I asked how he did it, he’d say, “A magician never tells his secrets.” Part of why I loved that gift so much is I got to be the magician—and I got a glimpse of the secrets. Whenever I spend time with the Managed Application Security team at Rapid7, I feel like I did when I was younger: excited to learn about how the magic works. Here are some of the secrets I’ve learned. Appl

3 min InsightAppSec

InsightAppSec Feature Highlights: On-Premise Engines, JIRA Integration, and More

Powerful Yet Simple DAST Scanning Gets Even Better

InsightAppSec, Rapid7’s cloud-powered web application security testing solution, has added three powerful new features:

* On-premise scan engines
* JIRA integration
* Scan Activity view

Test Your Internal Applications and Reduce Your Risk

Web application security testing