3 min
InsightAppSec
3 Questions to Ask When Prioritizing Web Application Vulnerabilities
Dynamic application security testing (DAST)
[https://www.rapid7.com/fundamentals/dast/] often results in a constantly
evolving list of security vulnerabilities. When scanning a web application
[https://www.rapid7.com/fundamentals/web-application-security/] in production or
in an active testing environment, issues can crop up as quickly as changes
happen within the app. And when exposed to the internet itself, there are many
more ways in which security vulnerabilities
[https://www.rapid7.com/fund
4 min
Application Security
4 Differences Between Network Security & Application Security
Tomato, tomato, potato, potato, network security
[https://www.rapid7.com/fundamentals/what-is-network-security/] and web
application security
[https://www.rapid7.com/fundamentals/web-application-security/]. Two things that
may seem similar are actually quite different. Network security (also
known as vulnerability assessment or vulnerability management
[https://www.rapid7.com/solutions/vulnerability-management/]) has been around
for quite some time and is something most security practition
2 min
Application Security
The Magic Behind Managed Application Security Services
When I was younger, one of my favorite gifts was a magic kit. My dad did magic
tricks with cards and rope, and whenever I asked how he did it, he’d say, “A
magician never tells his secrets.” Part of why I loved that gift so much is I
got to be the magician—and I got a glimpse of the secrets.
Whenever I spend time with the Managed Application Security team at Rapid7, I
feel like I did when I was younger: excited to learn about how the magic works.
Here are some of the secrets I’ve learned.
Appl
3 min
InsightAppSec
InsightAppSec Feature Highlights: On-Premise Engines, JIRA Integration, and More
Powerful Yet Simple DAST Scanning Gets Even Better
InsightAppSec [https://www.rapid7.com/products/insightappsec/], Rapid7’s
cloud-powered web application security testing solution
[https://www.rapid7.com/solutions/application-security/], has added three
powerful new features:
* On-premise scan engines
* JIRA integration
* Scan Activity view
Test Your Internal Applications and Reduce Your Risk
Web application security testing
[https://www.rapid7.com/fundamentals/web-application-security-test
2 min
Application Security
Takeaways from 2017 SANS State of Application Security Survey
The training and research organization SANS recently released their 2017 State
of Application Security survey results. The new report proves that now, more
than ever, organizations need to invest in solutions that automate application
security testing [https://www.rapid7.com/solutions/application-security/] in
order to reap benefits like:
* Identifying security vulnerabilities earlier in the development cycle, when
they’re cheaper to fix.
* Reduced friction between Security and Development
4 min
Application Security
What Is User Enumeration?
User enumeration is when a malicious actor can use brute force to either guess or confirm valid users in a system.
1 min
Application Security
Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose
On March 9th, 2017 we highlighted the availability of a vulnerability check in
Nexpose for CVE-2017-5638
[https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] –
see the full blog post describing the Apache Struts vulnerability here
[/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check would
be performed against the root URI of any HTTP/S endpoints discovered during a
scan.
On March 10th, 2017 we added an additional check that would work in conjunctio
4 min
Application Security
AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS
Today, Rapid7 is pleased to announce an AppSpider (application security
scanning) update that includes enhanced support for JavaScript Single Page
Applications (SPAs) built with ReactJS. This release is significant because SPAs
are proliferating rapidly and increasingly creating challenges for security
teams. Some of the key challenges with securing SPAs are:
1. Diverse frameworks - The diversity and number of JavaScript frameworks
contributes to the complexity in finding adequate scan co
7 min
DevOps
Honing Your Application Security Chops on DevSecOps
Integrating Application Security with Rapid Delivery
Any development shop worth its salt has been honing its chops on DevOps tools
and technologies lately, either sharpening an already practiced skill set or
brushing up on new tips, tricks, and best practices. In this blog, we'll examine
how the rise of DevOps and DevSecOps
[https://www.rapid7.com/fundamentals/devsecops/] have helped to speed
application development while simultaneously enabling teams to embed application
security earlier into
3 min
AppSpider
RESTful Web Services: Security Testing Made Easy (Finally)
AppSpider's got even more Swagger now!
As you may remember, we first launched improved RESTful web services security
testing
[/2015/12/17/appspider-s-got-swagger-the-first-end-to-end-security-testing-for-rest-apis]
last year. Since that time, you have been able to test the REST APIs that have
a Swagger definition file, automatically without capturing proxy traffic. Now,
we have expanded upon that functionality so that AppSpider can automatically
discover Swagger definition files as part of the
2 min
DAST
Modern Applications Require Modern DAST Solutions
Is your Dynamic Application Security Testing (DAST) solution leaving you
exposed?
We all know the story of the Emperor's New Clothes. A dapper Emperor is
convinced by a tailor that he has the most incredible set of clothes that are
only visible to the wise. The emperor purchases them, but cannot see them
because it is just a ruse. There are no clothes. Unwilling to admit that he
doesn't see the clothes, he wanders out in public in front of all of his
subjects, proclaiming the clothes' beauty unt
3 min
Application Security
All Red Team, All the Time
In last week's blog [/2015/09/17/push-vs-pull-security] (which you should read
now if you have not), I said:
> The core problem with security today isn't about technology. It's about
misaligned incentives. We are trying to push security onto people, teams, and
processes that just don't want it.
To be clear, it's not that people don't care. They say they want security, and I
believe them. Or more precisely, part of their brain wants security. People who
want to break a bad habit
[/2015/07/09/c
6 min
Nexpose
Guide to HTTP Header Configuration
This guide is designed to show how to set up an authenticated web application
scan using HTTP headers, using Metasploit as the target web application. We will
also go over using the Firebug and Cookie Importer add-ons in Firefox to
manually test HTTP headers.
The first thing we want to do is open Firefox and download the 'Cookie Importer'
and 'Firebug' add-ons.
Now that we have our add-ons installed we will want to restart our browser and
then start
3 min
Release Notes
Nexpose Reaches OWASP Top10 Coverage
Rapid7 is proud to announce that Nexpose's 5.1 web application scanning
capabilities can now detect all types of vulnerabilities in OWASP's Top10
[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project]! We've
completed this task with the addition of two new vulnerability checks, A5:
Cross-Site Request Forgery (CSRF)
[https://www.owasp.org/index.php/Top_10_2010-A5] and A8: Failure to Restrict
URL Access [https://www.owasp.org/index.php/Top_10_2010-A8]. The next paragraphs
will describe
2 min
Exploits
Take an Earlier Flight Home with the New Metasploit Pro
We love it, our beta testers loved it, and we trust you will as well: today
we're introducing Metasploit Pro
[http://www.rapid7.com/products/metasploit-pro.jsp], our newest addition to the
Metasploit family, made for penetration testers who need a bigger, and better,
bag of tricks.
Metasploit Pro provides advanced penetration testing capabilities, including web
application exploitation and social engineering.
The feedback from our beta testers has been fantastic, most people loved how
easily