Web Application Security Software: The Widening Coverage Gap

August 19, 2015

In this Whiteboard Wednesday Kim Dinerman, Product Marketing Manager at Rapid7, will discuss web application security scanning and how crucial it is to find an application scanner that can test the most modern applications out there today.

Kim will quickly walk through the evolution of web application software and explain why a lot of today's scanners are unable to effectively scan modern applications.


Video Transcript

Hello, and welcome to today's Whiteboard Wednesday. My name is Kim Dinerman. I'm a product manager for Rapid7's AppSpider. Today we are going to talk about web application scanning and the widening coverage gap. Let's talk a little bit about what coverage means to application scanning. When we talk about coverage of an application, we want the scanner to cover, or test, or analyze as much of the application as possible. What we have found over the last 15 years in application security is that as application complexity increases, oftentimes scanner coverage gets eroded or decreases, and we have a widening coverage gap.


So, let's look especially at what's happened with applications. Early, let's say in the year 2000, we had static web pages, for sure, static sites. We built scanners then to cover these static sites. What's happened is we've then added JavaScript, Web 2.0, and Web 3.0. Today for Web 2.0 and Web 3.0, we really need a very different kind of application scanner. It's not the same scanner that we use to scan static pages. Scanners need to be re-architected and reinvented to understand these newer technologies. That's why this huge gap exists in coverage, and we want higher coverage to reduce the manual work that we have and find more vulns.

So, let's talk about some of the specific places where scanners may not be getting to and may not be covering your applications. First, we have rich internet applications and HTML5, particularly AJAX is a big one, AJAX, HTML5. AJAX gives scanners a tough time sometimes. It is tough to scan. It can go very deep, but scanners can cover it and can automate the process of analyzing AJAX. So it's important to look for a scanner that is capable of AJAX, and if you have AJAX in your applications, be sure to make sure that the scanner is getting down in there in that AJAX and in the DOM.

In mobile applications, there are mobile clients and mobile backends. Mobile clients can be scanned and can be assessed and mobile backends can be assessed. A lot of people think that you are not able to assess a mobile backend and a lot of security teams aren't even thinking of the mobile backend. So the mobile backends can be tested automatically. They're often RESTful interfaces that are written in JSON, and a scanner can analyze and attack that mobile backend and find vulnerabilities in it. Similarly we have APIs, RESTful interfaces, written in JSON, XML, RPC or SOAP. And again, these APIs, there is a lot we can do to test those automatically. They do not have to be only tested by hand.

Finally, we have application workflows. The way most scanners work is they test applications at random, and they need to be effective. But for an application workflow, we must test the workflow in the prescribed order. First, you have to give your name, and then your credit card, and then the expiration date, etc. in order for it to work. If you go out of order, the test won't be effective. In addition, we have to give it expected data. We have to put credit card data in the credit card form and date information in the date, etc. to get an effective test. So it is important to find a scanner that can test the application workflow in the prescribed order, with expected data, and also test the other parts of the application randomly. The scanner has to be able to do both of those.

So, if I could leave you with one thing, I would say be sure you understand if these technologies exist in the applications that you're responsible for securing and what kind of coverage are you currently getting with both your scanning and your manual testing. If you're in the market to improve your existing coverage of your applications, check out Rapid7.com and specifically AppSpider. Thank you for watching this week's Whiteboard Wednesday. We'll talk to you next week.
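The workflow point in the transcript above (steps must be exercised in the prescribed order, with data of the expected shape, or later steps are never reached) is easy to see in code. The following is an added example, not code from the original page or from Rapid7 or AppSpider: a constructed in-process three-step checkout whose final step is vulnerable by construction, a naive scanner that knows the URLs but hits them in random order with a generic probe value, and a workflow-aware scanner that replays the steps in order with expected data and injects the probe one step at a time. The application, the step names, the expected values and the probe string are all hypothetical.

```python
"""Added example (not from the page or Rapid7/AppSpider): why a random-order
scanner with generic probe data never reaches the later steps of a workflow,
while a workflow-aware scanner does. Everything here is constructed."""
import random
import re

CARD_RE = re.compile(r"^\d{16}$")
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/\d{2}$")

# The checkout workflow in its prescribed order, with the kind of data each
# step expects (constructed values).
WORKFLOW = [
    ("/name", "Alice"),
    ("/card", "4111111111111111"),
    ("/expiry", "12/29"),
    ("/confirm", ""),
]

PROBE = "O'Hara"  # a single-quote probe; a real scanner sends many more


def toy_app(session, path, value):
    """Constructed stand-in for the application. Each step refuses to run
    unless the previous step completed (409) and rejects input of the wrong
    shape (400). Only /confirm builds a query from stored data, unsafely, so
    the flaw is reachable only after the whole workflow has been walked."""
    if path == "/name":
        if not value:
            return 400, "name required"
        session["name"] = value
        return 200, "ok"
    if path == "/card":
        if "name" not in session:
            return 409, "out of order: name first"
        if not CARD_RE.match(value):
            return 400, "card must be 16 digits"
        session["card"] = value
        return 200, "ok"
    if path == "/expiry":
        if "card" not in session:
            return 409, "out of order: card first"
        if not EXPIRY_RE.match(value):
            return 400, "expiry must be MM/YY"
        session["expiry"] = value
        return 200, "ok"
    if path == "/confirm":
        if "expiry" not in session:
            return 409, "out of order: expiry first"
        # Vulnerable by construction: the name stored at step 1 is
        # concatenated into the query, so a stray quote breaks it.
        query = "SELECT id FROM orders WHERE customer = '%s'" % session["name"]
        if query.count("'") != 2:
            return 500, "SQL syntax error near: " + query
        return 200, "order placed"
    return 404, "no such step"


def random_scan(seed=0, attempts=200):
    """Naive scanner: knows the URLs but not their order, keeps one session
    and sends the probe to every parameter. Returns the steps that answered
    200 and any (step, error) pairs it observed."""
    rng = random.Random(seed)
    session, reached, findings = {}, set(), []
    for _ in range(attempts):
        path = rng.choice([p for p, _ in WORKFLOW])
        status, body = toy_app(session, path, PROBE)
        if status == 200:
            reached.add(path)
        if status == 500:
            findings.append((path, body))
    return reached, findings


def workflow_scan():
    """Workflow-aware scanner: for each step, start a fresh session, replay
    the earlier steps with expected data, inject the probe at that step
    (falling back to the expected value if the app rejects it), then finish
    the workflow so stored input can surface later. Findings record where
    the probe went in and where the error came out."""
    reached, findings = set(), []
    for i, (inject_at, _) in enumerate(WORKFLOW):
        session = {}
        for j, (path, expected) in enumerate(WORKFLOW):
            if j == i:
                status, body = toy_app(session, path, PROBE)
                if status != 200:
                    status, body = toy_app(session, path, expected)
            else:
                status, body = toy_app(session, path, expected)
            if status == 200:
                reached.add(path)
            if status == 500:
                findings.append((inject_at, path))
    return reached, findings


if __name__ == "__main__":
    print("random:  ", random_scan())
    print("workflow:", workflow_scan())
```

Run stand-alone, the random scanner only ever completes /name (its probe is never a valid card number, so /card rejects it and /expiry and /confirm stay out of order), and it reports nothing. The workflow scanner completes all four steps and reports that a probe injected at /name surfaces as an error at /confirm, which is exactly the kind of stored, cross-step flaw that random requests cannot reach. A real scanner still needs the random mode for the rest of the application; the point is that it has to do both.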