Application security

Using DAST to Expand DevOps Security Coverage


ThreadFix Team

Coalfire


Application security is constantly evolving as web architectures and development approaches change. Those changes push security teams to employ a wider range of techniques and toolsets to find vulnerabilities in their applications. Web and mobile applications each present their own challenges in how they connect to the Internet and expose the organization to risk. The combination of changing environments and the need for broader testing can leave security teams stretched thin.

The shift to DevOps in many organizations amplifies these pressures on security teams. Security can't be a hold-up for development, but if security isn't involved in the development process the results can be extremely costly for the organization. For security to keep pace with development, teams need to adopt toolsets that let them scan applications as quickly as development teams release new builds.

Rapid7's AppSpider looks at the various layers of an application and collects information on the types of risk each one faces. AppSpider identifies new and existing technologies in use in the application to pinpoint potential areas of risk, so security professionals can focus their testing effort on what has changed since the last round of testing. Running dynamic application security testing (DAST) scans with AppSpider against those high-risk areas then lets teams quickly identify vulnerabilities in their application.

ThreadFix lets you correlate vulnerabilities found by DAST with those found by static application security testing (SAST) and manual security testing, so that the same flaw reported by several techniques appears once rather than as separate findings. It then automatically ranks those vulnerabilities by their associated level of risk to give you a more complete view of your application's security.

By integrating Rapid7 AppSpider into your ThreadFix deployment, you can schedule scans and control how often their results are imported. Using other integrations in the ThreadFix API, you can then send those vulnerabilities to defect trackers as tickets for your developers to work on. This embeds security directly into your DevOps pipelines as part of a more comprehensive application security program.
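To make the correlation and ranking described above concrete, here is an added illustration of the idea in Python. It is not ThreadFix or AppSpider code: the correlation key (CWE plus normalized endpoint plus parameter), the severity ordering, the hand-written route map that links SAST source files to DAST URL paths, the sample findings and the ticket payload shape are all constructed assumptions chosen for this example, not the products' actual algorithms or API formats.

```python
"""Correlate DAST, SAST and manual findings into one ranked list of tickets.

Added example, not ThreadFix code. All inputs and the scoring rules below are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}

# Constructed route map: which source file serves which URL path. Real tools
# derive this from the framework's routing; here it is hand-written.
ROUTE_MAP = {"src/login.py": "/login", "src/search.py": "/search"}


@dataclass(frozen=True)
class Finding:
    source: str        # "dast", "sast" or "manual"
    cwe: int
    severity: str
    location: str      # DAST/manual: a URL; SAST: path/to/file.py:line
    parameter: str = ""


@dataclass
class Merged:
    cwe: int
    endpoint: str
    parameter: str
    severity: str
    sources: set = field(default_factory=set)

    def risk_score(self) -> int:
        # Worst reported severity dominates; each additional independent
        # technique that reports the same issue adds confidence, so it ranks higher.
        return SEVERITY_RANK[self.severity] * 10 + 5 * (len(self.sources) - 1)


def endpoint_of(f: Finding) -> str:
    """Reduce a finding's location to the URL path used as the correlation key."""
    if f.source == "sast":
        path = f.location.rsplit(":", 1)[0]          # drop the line number
        return ROUTE_MAP.get(path, path)             # map file -> route if known
    # DAST and manual findings carry full URLs; keep only the path so the host
    # and per-request query values do not prevent a match.
    return urlsplit(f.location).path or "/"


def correlate(findings: list[Finding]) -> list[Merged]:
    merged: dict[tuple, Merged] = {}
    for f in findings:
        key = (f.cwe, endpoint_of(f), f.parameter)
        m = merged.get(key)
        if m is None:
            m = merged[key] = Merged(f.cwe, key[1], f.parameter, f.severity)
        elif SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity                  # escalate to the worst rating
        m.sources.add(f.source)
    return sorted(merged.values(), key=lambda m: m.risk_score(), reverse=True)


def to_ticket(m: Merged) -> dict:
    """Shape a merged finding as a generic defect-tracker payload (assumed fields)."""
    return {
        "title": f"CWE-{m.cwe} in {m.endpoint} ({m.parameter or 'no parameter'})",
        "priority": m.severity,
        "labels": sorted(m.sources),
        "description": f"Reported by {len(m.sources)} technique(s); risk score {m.risk_score()}",
    }


# Constructed sample findings: one SQL injection seen by all three techniques,
# one XSS seen only by DAST, one hard-coded credential seen only by SAST.
SAMPLE = [
    Finding("dast", 89, "high", "https://app.example.com/login?user=x", "user"),
    Finding("sast", 89, "medium", "src/login.py:42", "user"),
    Finding("manual", 89, "critical", "https://app.example.com/login", "user"),
    Finding("dast", 79, "medium", "https://app.example.com/search?q=1", "q"),
    Finding("sast", 798, "low", "src/config.py:7"),
]

if __name__ == "__main__":
    for m in correlate(SAMPLE):
        print(m.risk_score(), to_ticket(m)["title"], to_ticket(m)["labels"])
```

With the sample input the three SQL injection reports collapse into a single critical item confirmed by three sources, which outranks the DAST-only XSS and the SAST-only credential finding; a pipeline step would then create one ticket per merged item rather than one per raw scanner result.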