APPSPIDER: WEB APPLICATION SECURITY SCANNING FOR THE MODERN WORLD

Discover security holes in even the most complex applications.

While today's malicious attackers pursue a variety of goals, they share a preferred channel of attack - the millions of custom web, mobile, and cloud applications companies deploy to serve their customers. AppSpider dynamically scans these applications for vulnerabilities across all modern technologies, provides tools that speed remediation, and monitors applications for changes.


Know Your Weak Points

Dynamic Application Security Testing

Close the Coverage Gap with Universal Translator

You can't find what you can't see. Only AppSpider gives you full automated coverage throughout all corners of your application ecosystem to identify web application vulnerabilities.

Coverage is the first step to scanner accuracy. Scanners were originally built on a crawl-and-attack architecture, but crawling alone doesn't work for dynamic rich clients, APIs, and microservices. AppSpider goes beyond testing the traditional name=value pair format used in HTML forms. Its Universal Translator interprets the newer formats used by web and mobile applications, including APIs and microservices (AJAX, GWT, REST, JSON, etc.), so attacks land inside the parameters the server actually parses. That is what gives AppSpider the broad coverage today's variety of web applications requires.
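To make the coverage point concrete, here is an added example (written for this page, not AppSpider's own code) of the format awareness a scanner needs: it enumerates every injectable parameter in a request, whether the value sits in the query string, a form-encoded body, or a nested JSON document, and re-serialises the request with a payload substituted at one point. A crawler that only understands name=value pairs would never reach the `items[0].sku` field below. The shop URL and request body are constructed sample input.

```python
"""Enumerate and mutate injection points across request formats.

Added example for illustration; not AppSpider's code. The sample request
below is constructed for the demo.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: a JSON API call with a query-string parameter as well.
SAMPLE_URL = "https://shop.example/api/orders?page=2"
SAMPLE_BODY = ('{"customer": {"id": 42, "email": "a@example.com"}, '
               '"items": [{"sku": "X1", "qty": 1}]}')


def _walk_json(node, path=()):
    """Yield (path, value) for every scalar leaf in a decoded JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk_json(val, path + (key,))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _walk_json(val, path + (idx,))
    else:
        yield path, node


def enumerate_injection_points(url, content_type, body):
    """Return (location, path, value) tuples for each attackable parameter.

    location is 'query', 'form' or 'json'; path is the parameter name for
    query/form values and a tuple of keys/indices for JSON leaves.
    """
    points = [("query", name, value)
              for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if body:
        if content_type.startswith("application/json"):
            points += [("json", path, value) for path, value in _walk_json(json.loads(body))]
        elif content_type.startswith("application/x-www-form-urlencoded"):
            points += [("form", name, value)
                       for name, value in parse_qsl(body, keep_blank_values=True)]
    return points


def mutate(url, content_type, body, point, payload):
    """Return (url, body) with payload substituted at one injection point.

    The JSON branch edits the decoded document and re-serialises it, so the
    payload ends up inside the field the server parses rather than appended
    as opaque text. Query/form parameters are re-encoded, so the payload is
    percent-encoded exactly as a browser would send it.
    """
    location, path, _ = point
    if location == "query":
        parts = urlsplit(url)
        params = [(n, payload if n == path else v)
                  for n, v in parse_qsl(parts.query, keep_blank_values=True)]
        return urlunsplit(parts._replace(query=urlencode(params))), body
    if location == "form":
        params = [(n, payload if n == path else v)
                  for n, v in parse_qsl(body, keep_blank_values=True)]
        return url, urlencode(params)
    doc = json.loads(body)
    node = doc
    for key in path[:-1]:          # descend to the parent container
        node = node[key]
    node[path[-1]] = payload       # replace the leaf in place
    return url, json.dumps(doc)


if __name__ == "__main__":
    for point in enumerate_injection_points(SAMPLE_URL, "application/json", SAMPLE_BODY):
        print(point)
    print(mutate(SAMPLE_URL, "application/json", SAMPLE_BODY,
                 ("json", ("items", 0, "sku"), "X1"), "' OR 1=1--"))
```

Note that the JSON branch replaces a leaf regardless of its original type (the numeric `qty` becomes a string when a payload is substituted); a scanner that wants type-preserving mutations would add a separate pass for numeric and boolean leaves.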

Intelligent Web Application Testing

Attack with intelligence

AppSpider doesn't simply test for a fixed list of known application vulnerabilities, because today's applications are custom, each with its own site structure, parameter names, and responses. It builds custom attacks based on your application's architecture to give you the most accurate results. To simulate real-world attacks more faithfully, AppSpider performs positioning and proximity analysis on forms so that it submits the kind of data each field expects.

Continuous Web Application Monitoring

Continuously monitor your applications

Don't let unknown risks keep you up at night. AppSpider's continuous site monitoring detects changes in your application ecosystem that may inadvertently introduce new vulnerabilities, and then triggers a re-scan according to configurable settings.

Authenticate Application Security Tools

Stay authenticated for deep assessment

Most applications are custom, and each has its own authentication approach. A scanner must be able to recognize the login form, determine whether the login succeeded, keep the session alive throughout the scan, and handle single sign-on. AppSpider can authenticate against even the most complex login flows as well as the following web service authentication schemes: OAuth, HMAC, integrated nonce, and user-defined.

Prioritize What Matters Most

Deeper Web Application Testing

Conduct deeper analysis with interactive reports

AppSpider includes interactive actionable reports that prioritize the highest risk and streamline remediation efforts by enabling users to quickly get to and analyze the data that matters most. With one click, you can drill deep into a vulnerability to get more information and replay attacks in real-time.

Sifting through page after page of application vulnerabilities in a PDF report takes too much time. AppSpider's interactive reports behave like web pages, with clear organization and links for deeper analysis. Findings are organized and consolidated by attack type (XSS, SQLi, etc.), which makes analysis straightforward, reduces remediation time, and streamlines communication with developers.

Replay Web Application Attacks

Quickly replay web attacks

When reviewing a vulnerability report, it helps to be able to reproduce vulnerabilities to confirm that they are exploitable or to demonstrate the vulnerability to others. AppSpider's attack replay feature allows you to reproduce individual attacks in real-time with just one click.

Organized Web Application Testing

Categorize applications for easy reporting

Every organization is different and needs to organize their data and reports in different ways. AppSpider enables this flexibility through user-defined meta-data. The meta-data facilitates custom reporting and provides a graphical view of your security posture across all enterprise applications. You can define tags to view applications and vulnerabilities from different vantage points, including business unit, business risk/criticality, owner, location, or any other category that helps you organize your applications. In addition, you can define trending data to show vulnerability trends over time.

Improve Your Position

Controlled Application Security Scanner

Manage and control application security programs

Attackers don't wait until you remediate your vulnerabilities. AppSpider helps speed remediation by enabling meaningful, automated collaboration between developers and security experts. And, while you are working to fix vulnerabilities at the source, AppSpider lets you quickly push a virtual patch to your WAF or IPS.

In order to improve your overall security posture, you need a high-level view of your application security program that shows where things stand and whether they are improving. AppSpider provides centralized control and reporting over all aspects of your program, including scan configuration, scheduling, and monitoring. From the list of scans configured in the system, you can view and manage every completed scan and search by configuration name, start time, or finish time.

Automate virtual patching

Using automated rule generation, AppSpider Defend helps security professionals virtually patch web application vulnerabilities in minutes instead of days or weeks. Unlike broad, generic rules, AppSpider's virtual patching creates targeted rules that block the specific vulnerability without disrupting the business-critical application behind it. Because the team no longer has to hand-write a custom rule for the web application firewall (WAF) or intrusion prevention system (IPS), it can spend that time identifying the root cause and fixing it in the code. A virtual patch is a stopgap, not a fix: the underlying vulnerability remains until the code is corrected.

Meet Web Application Scanning Compliance Requirements

Meet compliance requirements

Keeping up with industry best practices and with legal and regulatory compliance obligations is no easy task. AppSpider helps your team quickly see gaps against compliance requirements and well-known best practices, including PCI, FISMA, SOX, HIPAA, GLBA, OWASP, and more.

Setting up the web application scanner

Integrate with your SDLC workflow

Your development team is already using build, QA, and ticketing systems. AppSpider integrates with these tools to improve productivity and catch web application security issues before they reach production. You can find security issues earlier in the development lifecycle by incorporating scans into your continuous integration process (Jenkins) and by driving them from QA test automation tools and scripts (Selenium). AppSpider can also file tickets in the most popular bug tracking systems (RSA Archer, HP Quality Center, and Atlassian's JIRA).

[AppSpider] should be considered by enterprises seeking an easy-to-use, full-featured DAST that is competitively priced as an alternative to the larger players' DAST technologies.

Gartner, Critical Capabilities Report, 22 September 2014, Neil MacDonald and Joseph Feiman

AppSpider Checks for:

  • Apache Struts 2 Framework Checks
  • Apache Struts Detection
  • Arbitrary File Upload
  • Autocomplete attribute
  • Blind SQL (improved)
  • Brute Force (Form Auth)
  • Brute Force (HTTP Auth)
  • Business logic abuse attacks
  • Cookie attributes
  • Credentials stored in clear text in a cookie
  • Cross-Site Request Forgery (CSRF)
  • Cross-site scripting (XSS), DOM based
  • Cross-site scripting (XSS), reflected
  • Cross-site tracing (XST)
  • Directory Indexing
  • Email Disclosure
  • Forced Browsing
  • Form Session Strength
  • HTTP Response Splitting
  • HTTP Strict Transport Security
  • HTTPS Downgrade
  • Information Disclosure
  • Information Leakage
  • Java Grinder
  • OS Commanding
  • Parameter Fuzzing
  • Predictable Resource Location
  • Privacy Disclosure
  • Profanity
  • Reflection
  • Remote File Include (RFI)
  • Reverse Proxy
  • Secure and non-secure content mix
  • Server Configuration
  • Session Fixation
  • Session Strength
  • Source Code Disclosure
  • SQL Injection
  • SQL injection Auth Bypass
  • SSL Strength
  • Unvalidated Redirect
  • URL rewriting
  • Web Beacon
  • Web Service Parameter Fuzzing
  • X-Frame-Options missing HTTP header
  • X-XSS-Protection missing HTTP header
  • Z-Customer created attack
