Web Application Security Software: The Widening Coverage Gap

August 19, 2015

In this Whiteboard Wednesday Kim Dinerman, Product Marketing Manager at Rapid7, will discuss web application security scanning and how crucial it is to find an application scanner that can test the most modern applications out there today.

Kim will quickly walk through the evolution of web application software and explain why a lot of today's scanners are unable to affectively scan modern applications.

If you are in the marketing for web application software, check out Rapid7's new AppSpider product here.

Video Transcript

Hello, and welcome to today's Whiteboard Wednesday. My name is Kim Dinerman. I'm a product manager for Rapid7's AppSpider. Today we are going to talk about web application scanning and the widening coverage gap. Let's talk a little bit about what coverage means to application scanning. When we talk about coverage of an application, we want the scanner to cover, or test, or analyze as much of the application as possible. What we have found over the last 15 years in application security is that as application complexity increases, oftentimes scanner coverage gets eroded or decreases, and we have a widening coverage gap.

Show more Show less

So, let's look especially at what's happened with applications. Early, let's say in the year 2000, we had static web pages for SureWare, static sites. We built scanners then to cover these static sites. What's happened is we've then added JavaScript, Web 2.0, and Web 3.0. Today for Web 2.0 and Web 3.0, we really need a very different kind of application scanner. It's not the same scanner that we use to scan static pages. Scanners need to be re-architected and reinvented to understand these newer technologies. That's why this huge gap exists in coverage, and we want higher coverage to reduce the manual work that we have and find more vulns.

So, let's talk about some of the specific places where scanners may not be getting to and may not be covering your applications. First, we have rich internet applications and HTML5, particularly AJAX is big one, AJAX, HTML5. AJAX gives scanners a tough time sometimes. It is tough to scan. It can go very deep, but scanners can cover it and can automate the process of analyzing AJAX. So it's important to look for a scanner that is capable of AJAX, and if you have AJAX in your applications, be sure to make sure that the scanner is getting down in there in that AJAX and in the DOM.

In mobile applications, there are mobile clients and mobile backends. Mobile clients can be scanned and can be assessed and mobile backends can be assessed. A lot of people think that you are not able to assess a mobile backend and a lot of security teams aren't even thinking of the mobile backend. So the mobile backends can be tested automatically. They're often restful interfaces that are written in JSON, and a scanner can analyze and attack that mobile backend and find vulnerabilities in it. Similarly we have APIs, restful interfaces, written in JSON, XML, RPC or SOAP. And again, these APIs, there is a lot we can do to test those automatically. They do not have to be only tested by hand.

Finally, we have application workflows. The way most scanners work is they test applications at random, and they need to be effective. But for an application workflow, we must test the workflow in the prescribed order. First, you have to give your name, and then your credit card, and then the expiration date, etc. in order for it to work. If you go out of order, the test won't be effective. In addition, we have to give it expected data. We have to put credit card data in the credit card form and date information in the date, etc. to get an effective test. So it is important to find a scanner that can test the application workflow in the prescribed order, with expected data, and also test the other parts of the application randomly. The scanner has to be able to do both of those.

So, if I could leave you with one thing, I would say be sure you understand if these technologies exist in the applications that you're responsible for securing and what kind of coverage are you currently getting with both your scanning and your manual testing. If you're in the market to improve your existing coverage of your applications, check out Rapid7.com and specifically AppSpider. Thank you for watching this week's Whiteboard Wednesday. We'll talk to you next week.

See AppSpider in Action

Find out from the experts how AppSpider can find and reduce risk in even your most complex applications.

Watch Demo