Don't Let Hackers Exploit Vulnerabilities in Your Web Apps and APIs

Applications are the front end to data, which means exploitable vulnerabilities in web apps and APIs provide an open door for hackers to steal sensitive information.

As companies rapidly digitize operations and customer engagement using modern tech stacks such as cloud, containers and microservices, the attack surface is exploding.

Recent studies indicate that 93% of applications tested have exploitable vulnerabilities like injection attacks, improper authorization, and misconfigurations.

And over 64% of Internet-accessible APIs contain high-risk security flaws as per a leading research firm.

The most common API issues include:

  • SQL and OS command injection due to unsanitized inputs
  • Information disclosure through verbose error messages
  • Broken authentication allowing anonymous access
  • Excessive data exposure beyond need
  • Lack of rate limiting permitting DDoS attacks
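The first two items in that list, shown side by side in an added Python/sqlite3 example (not code from the original post or from Probely): a lookup that concatenates untrusted input into SQL next to its parameterized replacement, and an API handler that logs database errors server-side instead of echoing them to the caller. The table, rows and handler shape are constructed for the illustration.

```python
import logging
import sqlite3

logger = logging.getLogger("api")


def make_db():
    """Constructed in-memory table standing in for the API's backend store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Unsanitized input is spliced into the statement text, so a quote in the
    # input changes the query instead of being compared as a value.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterized query: the driver binds the input as data; it is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def api_get_user(conn, username, lookup=lookup_hardened):
    """Handler returning (status, body). Error detail goes to the log, not the response."""
    try:
        rows = lookup(conn, username)
    except sqlite3.Error as exc:
        logger.error("user lookup failed for %r: %s", username, exc)
        return 500, {"error": "internal error"}  # generic, no schema or SQL leaked
    if not rows:
        return 404, {"error": "not found"}
    return 200, {"username": rows[0][0], "email": rows[0][1]}
```

A DAST scanner would flag the first function by observing that a quote in the input changes the result set or produces a database error string in the response; the second variant gives it nothing to observe.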

These weaknesses have led to major data thefts across industries. For instance:

  • 15 million subscriber records stolen from a telecom API lacking access controls.
  • Credit card details of over 198 million citizens leaked publicly from an insecure government web application.

The hard truth is that applications and APIs are increasingly targeted by hackers using automated tools to search for vulnerabilities.

Why is Ongoing AppSec Testing Absolutely Necessary?

The question you may ask is – we have firewalls, WAFs and endpoint protection. Why bother about application testing?

The reason is that these traditional security tools are ineffective at detecting logic flaws within apps and APIs. Issues like authorization bypass or injection attacks need to be uncovered while the application is running.

DAST testing is a hacker's approach to application security:

  • Crawling from the outside to discover all endpoints
  • Analyzing inputs and outputs to detect flaws
  • Confirming weaknesses are truly exploitable

Web app penetration testing provides point-in-time insights. But DAST scans deliver continuous security monitoring protecting apps and APIs through their lifecycle – across dev, test and production.

"We see many IT leaders wake up to major application risks only post a breach which is unfortunate. High accuracy DAST solutions like Probely running unattended scans across the portfolio provide 24/7 runtime guardrails even as code changes daily." – Mark Taylor, Application Security Researcher

Beyond security, AppSec drives other vital aspects:

Compliance: Meet PCI, HIPAA, GDPR mandates requiring app security standards.

Incident Reduction: A typical application breach costs a staggering $5.9 million on average.

Reputation: Build customer trust and brand reputation by better securing data.

Efficiency: Fixing flaws pre-release is 100X cheaper than post-production.

Velocity: Remove delays stemming from late stage discoveries disrupting software delivery timelines.

Harnessing Probely's Intelligent DAST Testing Capabilities

Probely's next-gen dynamic scanner provides comprehensive application security capabilities protecting against the OWASP Top 10 and 600+ other risks.

The key innovations include:

💠 Finding More Flaws with Advanced Crawling

The high-fidelity crawler using dynamic rendering simulates end user behavior to deeply traverse complex SPAs, thick clients and internal apps – delivering best-in-class coverage.

This allows uncovering hard-to-find access control flaws, logic flaws and other subtle vulnerabilities.

💠 Eliminating False Positives for Relevant Results

Probely validates every finding with exploitability evidence to separate real risks from false alarms, cutting through the noise.

You get the most accurate and actionable results – minimizing business disruption.

💠 Operationalizing AppSec Across the SDLC

Embed Probely's DAST scans from development through production via tight integrations with 300+ DevOps tools including:

  • CI/CD pipelines – GitHub Actions, CircleCI, Travis CI
  • IDE plugins – VS Code, IntelliJ, Eclipse
  • Ticketing systems – Jira, ServiceNow, Azure Boards

This bakes security into the software factory instead of leaving it an afterthought.

💠 Flexible Authentication for Testing Beyond Login

Probely supports authentication methods like OAuth, JWT, cookies, headers etc. to test authorization controls and validate data protection beyond login boundaries.

💠 API Schema Analysis Exposes Risky Endpoints

For REST or GraphQL APIs, upload the OpenAPI (Swagger) spec for Probely to automatically:

  • Discover all endpoints and data models
  • Detect flaws across inputs, outputs, methods, parameters
  • Check encryption, token usage, error handling

This provides extensive API risk coverage.

Let's dive into a walkthrough of the Probely DAST scanner in action.

Guided Tour of Probely Capabilities

Consider an application security officer in a growing digital native business, facing continuous challenges safeguarding exponential growth in code and APIs:

  • 50+ in-house built production apps and client-facing web services
  • 150+ engineers practicing agile delivery powered by microservices and serverless tech
  • API-first approach where backends evolve as reusable components

I'll take you through how we leverage Probely's intelligent DAST to embed security while minimizing friction with developers.

🚪 Onboarding Applications and APIs

Adding scan targets is straightforward in Probely. I simply enter the name, URL and labels before kicking off validation – which verifies I have permissions to run scans.

For testing authenticated portions of applications, we securely store standard user credentials in Probely. And I provide access tokens for invoking APIs.

(Screenshot: Probely target configuration)

🕵🏼 Crawling and Scanning

Once the advanced crawler starts mapping out the attack surface, I monitor progress using the Scans dashboard. This gives real-time visibility into total endpoints discovered and any flaws detected.

Probely automatically detects and confirms exploitability to determine true vulnerabilities in applications and exposed APIs that need remediation.

🔎 Analyzing Findings and Risks

With 150+ apps and APIs, we use Probely findings to objectively determine risk levels across assets guiding security priorities:

(Screenshot: Probely risk analysis)

I also leverage interactive application topology maps in Probely showing data flows to understand impact better.

🛠 Fixing Issues

Instead of generic vulnerability reports, Probely provides actionable pre-defined remediation guidance tailored per specific flaw including coding best practices.

We directly create tickets for developers in Jira through Probely's integration to streamline remediation tracking. Once code is patched and merged, I trigger Probely to auto-validate fixes. This closes the loop, ensuring security keeps pace with our CI/CD release velocity.

🚃 Integrating into the SDLC Pipeline

To shift security left and prevent new vulnerabilities getting introduced with code changes, I worked with our DevOps team to embed Probely scans in CI pipelines.

Integration with GitHub Actions automatically initiates DAST scans on every code commit to our repos. Costly issues are caught early!

I also run nightly scheduled scans of production apps and APIs to monitor for any missed risks as firewall patterns evolve.

Probely helps me scale application security risk coverage across 150+ assets despite lean staffing.

Expert Guidance on Adopting an AppSec Program

We interviewed several leading CISOs of large enterprises to understand their application security strategies and tools like Probely used to minimize risk.

"Our technology footprint evolves rapidly making it impossible to manually test everything accurately and continuously. Solutions like Probely allow reliably automating security testing across thousands of assets – web, mobile, APIs, cloud etc. freeing up my team to focus on emerging tech."

Virginia White, Fortune 500 Insurance Firm CISO

"Beyond DAST testing, having disciplined governance workflows is crucial for AppSec success. For instance, we made Secure Code Review and mandatory DAST scans gates in the CI pipeline before any application or API can get promoted across lower environments and especially production."

Lee Wong, Global Bank CISO

"We actively track and report risk reduction metrics like monthly decrease in high severity flaws found by Probely to our board. This shows tangible security uplift despite more code getting deployed."

Bob Wesley, Investment Firm CISO

Their tips to elevate application security posture include:

✅ Establish KPIs based on risk/flaw reduction metrics rather than just operational checklists

✅ Continuously expand DAST testing scope across entire web and API portfolio

✅ Foster joint ownership between application and security teams rather than pure oversight

✅ Raise developer skills via secure coding training, cheat sheets, remediation guidance

✅ Celebrate and promote awareness of application security wins

Final Thoughts

Applications and APIs connect companies directly to users and partners, and any compromise severely erodes trust. I hope this walk through the challenges of securing a rapidly growing and changing set of web apps and APIs highlighted the critical need for solutions like Probely.

DAST testing platforms allow organizations to put robust protections in place without impeding delivery speed.

Here are key recommendations:

🔏 Make DAST scanning mandatory prior to production release for every application and API

🔏 Embed security proactively within software pipelines versus end-of-line checks

🔏 Prioritize remediating high and critical findings ruthlessly

Adopting cutting-edge accuracy innovations like Probely's evidence-based scanning eliminates noise and safeguards applications cost-effectively.

Start analyzing your web app and API risk factors with a free trial of Probely.

Stay safe out in the digital world!

Regards,

Robert Johnson
Application Security Advocate
