Securing Complex Web Applications with DAST Solutions

March 30, 2016

In today’s Whiteboard Wednesday, Kim Dinerman, Solutions Marketing Manager at Rapid7, discusses a common problem within the web application security field: application complexity, and how it erodes web application scanner coverage.

Watch this video to understand the progression in web application complexity over the past 20+ years and how it has affected web app security. We will also provide you with actionable advice to maximize scanner coverage across the most complex web applications.

Video Transcript

Hi, welcome to this week's Whiteboard Wednesday. I'm Kim Dinerman, and I'm the solutions marketing manager for AppSpider. Today's topic is keeping up with application complexity. If you're responsible for application security, this is probably something you're already thinking about, and maybe something that's really causing a big challenge for you. Keeping up with application complexity is tough, especially in today's world. We have RESTful APIs, we have dynamic applications, and we have single-page applications, and what happens is that if your automated solutions don't have high coverage of your applications, you may be required to test your applications by hand, and for many organizations today, where you have 50, 100, 500, or 1,000 web applications, testing by hand isn't an option. You need automated coverage. So let's take a minute to look at the history of application complexity, and what we see happening.


So originally, we had static web applications, right? They were just pages with information, and what we've seen is application complexity continue to increase to the world we have today, with single-page applications, dynamic clients, and RESTful APIs. Dynamic scanners are always attempting to keep up with these changes, but inevitably we have dips in coverage where we have to re-innovate and figure out ways to keep up with the changing technology. So if this is dynamic application security testing coverage, what we see is that we have dips in the coverage. And a dynamic scanner can never actually cover 100% of an application; there are always things that have to be tested by hand, like business logic, but you want maximum coverage.

Now, one of the things we've seen in recent years, and that we've heard from security experts, is that the coverage of their dynamic scanner has actually eroded in recent years in a more severe way than in the past. And instead of their DAST scanner giving them more coverage, it's giving them less. And this erosion is something that security teams don't have time for. They need this coverage, so in these recent years with dynamic applications, and AJAX, and RESTful APIs, and single-page applications, again there has been a wider coverage gap. At Rapid7, we are committed to keeping up with today's technologies and tomorrow's technologies. So we're continually innovating; it's one of our specialties, and one of the things we tend to excel at is keeping this coverage gap closed. So with our technology at Rapid7, we're up here. We close the coverage gap.

Recently we wrote a white paper, a brief white paper, that talks about the seven questions to ask your DAST vendor. Talk to your DAST vendor and use this white paper as a guide; it covers the key issues you need to address with your vendor to make sure you're getting maximum coverage and maximum automation. And keeping up with application complexity is one of the issues we cover in this document.

And that's all for today's Whiteboard Wednesday. We look forward to seeing you next time.