Tag Archives: InsightAppSec

What’s New in InsightAppSec and tCell: Q2 2021 in Review

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2021/07/21/whats-new-in-insightappsec-q2-2021-in-review/

What’s New in InsightAppSec and tCell: Q2 2021 in Review

If there’s a theme to InsightAppSec and tCell updates and improvements in the second quarter, it would be “save time by building it into the process.” Building a more efficient process is key in further securing web applications.

Can you get it done faster from home? Or do you get to the win faster with an in-person team? Do those expensive express lanes work? Or are they just as clogged with traffic as the regular lanes? The world is constantly looking for faster, but the question to ask: is the “fast” also smart? Let’s take a look at InsightAppSec Q2 releases that we think will help you be both.

Identify. API. Scan by.

That last one was just to make the entire headline rhyme. However, the new features and functionality below can (mostly) be grouped into these 3 categories.

Simplifying access to complex apps

You can now get into modern applications faster with “Automated Login.” InsightAppSec enhanced the automated authentication process to go beyond simple HTML forms to include applications built with rich user interfaces. To achieve a more accurate and efficient login process into these applications, InsightAppSec interrogates the web application, using javascript to identify login pages, complete credential fields, trigger login action, and return a confidence score.

Plus streamline automated login with the new “Verify Credentials” feature. Save time and reduce configuration friction to the process by verifying you’ve entered the correct username and password during/early in the scan configuration.

Investing in API enhancements

New API features for both tCell and InsightAppSec create additional checks and balances as well as new avenues for integration with other systems in your environment.

  • Configure policies via API in tCell: Exert greater control by enabling, disabling, or blocking various features via API. You can also reset, enable, or disable the defined Content Security Policy (CSP) for a specified application.
  • Manage security programs via API within InsightAppSec: Manage customer-specific issues more efficiently and run search queries easier with newly included tag management.

Making scans smarter

Another scan upgrade you can now take advantage of within InsightAppSec? “Incremental Scanning.” Help your team to achieve more targeted testing and triaging (that’s a lot of alliteration) by scanning only the parts of an application that are new or have changed.    

There’s also a new way to help security admins help you. Now they can catch all subdomains with 1 addition to the allowlist. This is called a “Wildcard,” and an admin can now delegate scan configuration, no longer needing to specify each subdomain explicitly.

Honorable mentions

Find vulnerabilities faster with filters. Within InsightAppSec, you can enter specific criteria to speed up triaging and prioritization and:

  • Create and save unique filters as well as leverage quick filters based on vulnerability statuses.
  • Navigate throughout applications while maintaining search queries for the session.
  • Quickly apply multiple search criteria — the more filters you add in the search bar, the more refined your results.

Now available at the Chrome web store, version 4.0 improves authentication into your web applications. It also:

  • Gives you greater capabilities to determine whether a vulnerability is valid by replaying an attack.
  • Enables tracking of user actions during authentication.
  • Gives you the ability to import and reference a traffic file within an application by sending requests to the front-end application and back-end server.

Enduring improvements

As a quick reminder, now available is the latest release of InsightAppSec’s next-gen scan engine. You can now remove any content security policy defined in the header or response body by using the new “CrawlConfig” option. You’ll also find fresh CWE references for several modules. Plus discover the latest updates aimed at improving the quality and resilience of your tCell experience.

That’s it for our Q2 ‘21 AppSec release review. We hope you have a successful third quarter and a great season, wherever your business takes you. Until next time…    


Get the latest stories, expertise, and news about security today.

Securing Your Web App, One Robot at a Time

Post Syndicated from Mark Hamill original https://blog.rapid7.com/2021/02/18/securing-your-web-app-one-robot-at-a-time/

Securing Your Web App, One Robot at a Time

Modern web apps are two things: complex, and under persistent attack. Any publicly accessible web application can receive up to tens of thousands of attacks a month. While that sounds like a reason to immediately pull the plug and find a safe space to hide, these are likely spread across the spectrum of harmless to nefarious. However, that level of exposure cannot be ignored.

According to the Verizon Data Breach Investigations Report (DBIR), in 2020, “67% of all confirmed breaches analyzed in this report came from user credentials being leaked, misconfiguration in cloud assets and web apps, and social engineering attacks.” Of that total, 43% of the breaches came with the primary attack vector being a web application.  

At Rapid7, we are always looking for ways to improve our coverage, and while crawling modern web apps is a tricky business, we thought to ourselves, “If I were a web application, what would I tell my friendly neighborhood Spiderman application security professional about where to look for issues?” This was a trigger for some engaging conversation, where we sought to understand what additional resources were readily available to help guide a DAST scan. What resources does a web application provide that we could hook into in order to discover more links when scanning for vulnerabilities?

With the help of Rapid7’s senior director, chief security data scientist Bob Rudis, we found that robots.txt is in use for about 40% of the Alexa top 1 million sites, and sitemap.xml is in use for about 3% of the same apps (virtually all of which use the uncompressed XML version rather than the *.gz)

Given the popularity and commonplace of these resources, InsightAppSec has just launched the ability to allow users to opt in to searching for links in these files. If the files exist, we simply grab the links and add them to the path we navigate through a web application looking for vulnerabilities.

Securing Your Web App, One Robot at a Time

Now, I know what you are thinking. “Isn’t the point of robots.txt to stop scanners and search engines spidering my sites?” This is a common misconception.  The robots.txt file does tell search engine crawlers not to request certain pages or files from your site—but the point isn’t to keep them out, it’s used to avoid overloading a site with requests. This won’t stop a site froom being indexed by a search engine (and if that’s your aim, have a look at the noindex directive).

Most importantly, it certainly won’t stop an attacker from being nosy if they are doing reconnaissance, either in person or via bots/scrapers/scanners. An attacker won’t respect a friendly request not to attack a page, and just as you need to consider the scope of a public web app as fair game for attack —you should mirror that mindset in your approach to securing web apps.

Worried about your web application security? See InsightAppSec in action for yourself with a free trial, allowing access to scan one of your public web apps.


Get the latest stories, expertise, and news about security today.

What’s New in InsightAppSec and tCell: Q4 2020 in Review

Post Syndicated from Bria Grangard original https://blog.rapid7.com/2021/01/08/whats-new-in-insightappsec-and-tcell-q4-2020-in-review/

What’s New in InsightAppSec and tCell: Q4 2020 in Review

It’s crazy to believe 2020 has come to an end, and we’re sure we’re not alone in our excitement for 2021! Without a doubt, 2020 has presented some challenges for us all in the security world, as many companies quickly adopted a work-from-home model and pivoted from an in-store experience quickly to a digital one. This accelerated digital transformation encouraged us at Rapid7 to create new programs and think about how we can continuously improve the customer experience.

For application security in particular, we saw restaurants creating new apps to facilitate takeout and delivery orders, fast-growing platforms like Instacart and DoorDash developing internal apps to keep in touch with their employees, and small-business owners creating web apps to continue selling their products and services. With the rapid increase in web application development came the need to make sure these applications were as secure as possible.

Here at Rapid7, we view your application security program as a key component of your vulnerability risk management (VRM) program. Considering the challenges of 2020, we wanted to make sure we not only continued to support our existing customers through their challenges, but that we also provided new ways for our customers to get visibility into their application security program while helping them to scale with the pressures of 2020.

We’ve previously recapped some of our product enhancements from this year, such as this blog covering Q2 and this one covering Q3 for 2020, but now we will cover the highlights for Q4. Below, we’ll recap some of the new and exciting features we have released as a part of our application security portfolio (inclusive of our industry-leading testing and monitoring solutions).

Increase your visibility

We continue to hear the desire to gain more visibility into application security programs, which is why we have released:

New ‘All Apps’ report in InsightAppSec

What’s New in InsightAppSec and tCell: Q4 2020 in Review

The New “All Apps” report in InsightAppSec is now available for companies that are looking to get a single view into risk activity across all of their applications and communicate this up to their leadership teams. Want to check it out? Click here to see how you can create your own All Apps report in InsightAppSec today!

New joint ‘All Apps’ and ‘All Assets’ report (between InsightAppSec and InsightVM)

What’s New in InsightAppSec and tCell: Q4 2020 in Review

Are you currently using InsightAppSec and InsightVM and looking for a view into the risk across your vulnerability risk management portfolio? Check out this new joint report, where you can get a single view into your full-stack vulnerability risk management activity across both InsightVM and InsightAppSec. You can find more information about this here!

Scale up with ease

While visibility is a key component to a successful VRM program, many teams were challenged this year with the need to scale their application security programs and activities. We wanted to make it easier on these teams, so we released the following features to help security teams save time and effort when it came to these scaling activities:

Application tagging in InsightAppSec

What’s New in InsightAppSec and tCell: Q4 2020 in Review

You can now easily create and manage tags across one or multiple apps based on what matters to you, such as criticality, tech stack, environment, or business unit. This helps you manage your application portfolio by filtering both apps and vulnerabilities based on these tags.

New pages in InsightAppSec

What’s New in InsightAppSec and tCell: Q4 2020 in Review

We have launched a new global schedule page that allows you to create and manage scan schedules and blackouts in a single view, and we have created a new manage files tab that saves you time when it comes to edits or updates that need to be made to macros for scan authentication (you can now download the macro file and make edits, rather than having to re-record the entire macro!).

What’s New in InsightAppSec and tCell: Q4 2020 in Review

tCell now available in Europe

We understand the importance of data sovereignty, which is why we wanted to make sure we made tCell available globally, with new data centers in Europe and new ones to be added in Q1 of 2021.

AppFirewall filter on IP CIDR ranges and Groups

Looking to reduce the noise and number of events in the AppFirewall dashboard in tCell? We have added filtering on IP Groups and CIDR ranges so you can get faster, more actionable insights.

Keep up with constant change

While we are only highlighting some of our updates above, we recognize application development is ever-changing and we want to be able to support our customers to build secure software. For that reason we wanted to share one more update with you from this quarter:

New Envoy agent in tCell

If you are currently (or looking to explore) leveraging the Envoy Proxy for your cloud-native apps, tCell now has a dedicated Envoy agent that plugs directly into the proxy layer to provide monitoring and protection capabilities for modern architectures. You can find more information on this here!

As always, many of our releases this quarter went through early access programs with our customers, and if you were one of our customers who participated and gave us feedback, we just want to take a moment to say thank you! We appreciate your feedback and always look for ways to incorporate it to make our solutions provide the maximum value to our customers. Want to participate in an on-going or upcoming early access program to have your voice heard on areas where we can continue to improve our products? Reach out to your CSM, who can tell you about ongoing early access programs and get you signed up!

Thank you for your loyalty and support through 2020. We look forward to 2021 and our continued partnership!


Get the latest stories, expertise, and news about security today.

Shifting Security Right: How Cloud-Based SecOps Can Speed Processes While Maintaining Integrity

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/01/04/shifting-security-right-how-cloud-based-secops-can-speed-processes-while-maintaining-integrity/

Shifting Security Right: How Cloud-Based SecOps Can Speed Processes While Maintaining Integrity

When it comes to offloading security controls to the cloud, it may seem counterintuitive to the notion of “securing” things. But, when we consider the efficiency to be gained by shifting right with some security controls, it makes sense to send more granular, ground-up responsibilities to a trusted managed services cloud partner. This could help to increase development-and-deployment velocity, without compromising the integrity of your bespoke process.  

Building a true DevSecOps ecosystem is probably a common goal for most teams. However, uncommonality most often enters the picture in the forms of both technical and organizational roadblocks. Let’s take a look at some key insights from a 2020 SANS Institute survey on current industry efforts to more closely integrate DevOps and SecOps—and how you can plot your best path forward.


Get the latest stories, expertise, and news about security today.

The security landscape

In more traditional environments, security teams often feel they’ve been left behind by the pace of DevOps. Vulnerabilities are introduced faster than SecOps can likely find them. The shift is with teams that are building continuous delivery frameworks, with compliance checks at every stage of the game. It becomes a matter of defending the environment as it’s being built.

Currently, about 74% of organizations are deploying changes more than once per month, according to SANS. Often, these are weekly or daily instances. So, velocity is increasing, primarily out of a need to get customers what they need, faster. Traditional change approvals and security controls are becoming more guardrail-style checks. The challenge, however, lies in optimizing the process and keeping it as secure as possible.

Increasing cloud adoption

From a security perspective, transitioning to a cloud provider’s responsibility model can better match the pace of DevOps and increase delivery speed. When both of these velocities are increasing, albeit responsibly, that’s better for business.

  • Cloud-hosted VM platforms allow teams to spin up processes more quickly compared to a traditional setup.
  • Adoption is accelerating for cloud-hosted container services and serverless platforms because providers are doing more provisioning, patching, and upgrading for many existing execution environments.
  • More organizations are running on cloud-hosted VMs versus container services and serverless platforms, but that could change because the latter two options allow you to further reduce your responsibility model.

Multi-cloud motivations

About 92% of organizations run on at least one public cloud provider. But for about 60% of those companies, the main motivations behind spreading services out between multiple providers are not quite as technical as one might imagine.

Mergers and acquisitions can cause obvious complexity, as companies link up and potentially run similar processes in different cloud environments like AWS, Azure, or GCP. There are also decision-makers and teams that prioritize a task-based approach and pick the best environment to get a particular job done. The benefits of a multi-cloud environment could then become drawbacks, as security becomes more difficult to plan for and understand. And no one wants complexity in an approach that is essentially supposed to offload responsibilities and make things easier.

Risk doesn’t translate for SecOps

As more DevOps teams increase their use of JavaScript, traditional security controls don’t support the popular format as well as other legacy languages. In this situation, there is greater risk. However, an older web app that hasn’t been updated in a while could be the tip of the iceberg in terms of the technical debt sitting out there.

Apps built on older languages like Java, .NET, and C++ could leave exposures open as teams roll over to newer languages. So, this situation also presents risk. Security teams may not even be aware they’re in the dark about vulnerabilities those legacy apps present, as they try to keep pace with DevOps.

The future of shifting left

When it comes to security testing phases, there’s still a heavy tendency toward QA. More is being done to integrate those protocols in the process, but the sea change of baking testing into earlier phases largely has yet to occur.  

  • Over the next decade, teams will likely adopt more cloud-based integration tools like AWS CodePipeline, Microsoft Azure DevOps, GitHub Actions, and GitLab CI. In these instances, the cloud provider is managing more for you, minimizing attack surfaces and providing more built-in security. GitHub and GitLab, in particular, are trending toward greater baked-in security.
  • Jenkins has been the continuous integration tool of choice for about the last decade. However, the 24/7 nature of running on-premises or in the cloud to manage builds, releases, and patches can increase the attack surface.
  • When it comes to container orchestration tools, cloud-managed services like AWS Fargate and Azure Container are beginning to pull even with cloud-hosted services like Docker and Kubernetes. It’s becoming more attractive to outsource control-point and hardening responsibilities, so that security can shift further left into containers; it simplifies testing and helps ease deployment.

The future of shifting right

Security-testing responsibility lies with actual security teams about 65% of the time. Yet, managing corrective actions lies with development teams about 63% of the time, according to SANS. These numbers indicate largely siloed actions blocking the path to a true DevSecOps approach.

The biggest success measurement of DevSecOps is the time it takes to fix an issue. Aligning teams to tackle an issue in a speedy manner can make or break. Additionally, identifying post-deployment issues can help to improve shift-left controls to prevent those issues from ever escaping into production.

A 100% cross-functional effort most likely will not be achieved by every organization. However, moving closer to this goal could help strengthen teams, boost morale, and feed back key learnings to ultimately increase the speed of success.

In conclusion

Ironically, the biggest challenge of all isn’t technical in nature. Red tape within organizations can present challenges like lack of buy-in from management, insufficient budget (open-source tools can help here!), and siloed efforts. Additionally, a shortage of skilled workers could reinforce the same old  decision-making patterns at those management levels.  

When it comes to closely aligning teams and getting more time back to innovate, it’s often a cyclical dance of shifting right to improve your efforts in shifting left. For example, can you move further right into the cloud rather than building do-it-yourself, comprehensive solutions to security? Offloading could help to create more controls for enforcing security in tandem with DevOps.

No one wants to compromise the integrity of deploying on time, particularly as it relates to customers and your company’s bottom line. Co-sponsored by Rapid7, this recent SANS webinar presents an in-depth look at key statistics from a recent survey of companies and their advancements—or lack thereof—in DevSecOps.

For more insights, access the full 2020 SANS Institute survey on Extending DevSecOps Security Controls into the Cloud.