Posts tagged AppSpider

13 min DAST

Unlocking the Power of Macro Authentication in Application Security: Part Two

In this post, we will review how to understand these error messages and what steps to take to get our authentication macro working.

7 min InsightAppSec

Unlocking the Power of Macro Authentication: Part One

In this blog post, we will review how various components of a macro work and what to keep in mind when recording a macro for authentication.

3 min Application Security

In Our Customers’ Words: Why Mastering Application Security Basics Matters

In a recent conversation with a Rapid7 application security customer, I was reminded how much of a security practitioner’s day can be consumed by troubleshooting buggy tools and manually executing the same tasks over and over again (needlessly, may I add). As much as we’d like to think that security professionals’ time is being efficiently utilized, oftentimes inadequate tools, a lack of automation, and organizational silos impede SecOps-driven [https://www.rapid7.com/solutions/secops/] progress

2 min Application Security

New InsightAppSec Releases: Compliance Reports and the AppSec Toolkit

Things are always brewing in Rapid7 product development. Today, we’re excited to announce several exciting new features in InsightAppSec, our cloud-powered application security testing solution for modern web apps [https://www.rapid7.com/products/insightappsec/]. These include:
* Custom reports for PCI, HIPAA, SOX, and OWASP 2017 compliance requirements
* PDF report generation
* The Rapid7 AppSec Toolkit
* Macro Recorder
* Traffic Viewer
* RegEx Builder
* Swagger/Rest API Utilit

4 min Application Security

Diving Deep and Finding Vulnerabilities in Modern Web Applications

As more and more companies shift the responsibility of security earlier [https://information.rapid7.com/shifting-left-sdlc.html] in the software development lifecycle (SDLC), DevOps teams are being tasked with detecting vulnerabilities within their applications. Already scrambling to keep up with the terminology, processes, and technologies of modern-day security, DevOps teams also have to contend with the dynamic complexities of securing web apps [https://www.rapid7.com/fundamentals/web-applica

4 min DevOps

How DevOps Can Use Quality Gates for Security Checks

Your team has been working at all hours to put the final touches on code for a new big feature release. All the specs are in, the feature works as expected, and the code is pushed to production. A few hours later, the daily security scan runs and the alerts start piling in. What went wrong? And what do you do now? Typically when this happens, it means rolling back the entire deployment, retroactively fixing the bugs and vulnerabilities in the code, and a week or two later, re-deploying. If you’

7 min Application Security

Getting your Spidey on with Mobile Apps

As web applications continue to proliferate in the attack surface and more people make protecting them a priority, there is also a shift in the definition of a “web application,” and how we understand their potential vulnerabilities [https://www.rapid7.com/fundamentals/web-application-vulnerabilities/]. A perfect illustration? OWASP finally incorporating APIs in their Top Ten. While this is a good start, we as a community need to continue to push the envelope on how we look at web application s

4 min Application Security

3 Ways to Accelerate Web App Security Testing

It used to be that web application security testing [https://www.rapid7.com/solutions/application-security/] was the job of just the security team. Today, it is becoming a much more integrated function, especially for organizations that have adopted DevOps [/2015/03/13/getting-started-with-devops/]. Development cycles have become shorter and features are released more frequently for companies to stay competitive. Trouble is, with shorter development cycles, security needs a way to keep up. After

3 min AppSpider

What's New in AppSpider Pro 7.0?

In the latest release of AppSpider Pro [https://www.rapid7.com/products/appspider/] version 7.0 you will find some great new features which will improve the crawling, attack and overall usability of the product. Below are a few of the key new enhancements you will find in the release. Chrome/WebKit Integration With the introduction of the Chrome/WebKit browser, AppSpider Pro now supports both Chrome and Internet Explorer as default browsers. These integrated browsers facilitate AppSpider's craw

2 min Metasploit

Protecting Your Web Apps with AppSpider Defend Until They Can Be Patched

AppSpider [https://rapid7.com/products/appspider/] scans can detect exploitable vulnerabilities in your applications, but once these vulnerabilities are detected, how long does it take your development teams to create code fixes for them? In some cases it could take several days to weeks before a fix or patch that resolves the vulnerability can be deployed, and during this time someone could be actively exploiting the issue in your application. AppSpider Defend, which is now integrated into AppSpide

7 min Metasploit

Multiple Vulnerabilities Affecting Four Rapid7 Products

Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about these issues, please don't hesitate to contact your customer success manager (CSM), our support team, or leave a comment below. For

3 min Awards

Finalists in FIVE categories at the Network Computing Awards!

Ring Ring! You're in the Final! It's always nice to get a phone call letting us know that we've been shortlisted for awards – but when it's five awards, we like those calls even more! Two of our products, and our company have reached the final stages for the Network Computing Awards, and of course we'd love it if you took a moment to vote for us please. La La Land may have racked up the Oscar noms, but at the Network Computing Awards it's looking good for LE LE Land! OK, so we might not quite

2 min Application Security

Bug, Not Alert: How Application Security Must Use Different Words

“Words matter” is something that comes out of my mouth nearly every day. At work it matters how we communicate with each other, and the words we use might be the difference between collaboration and confrontation. The same happens in the security world, especially when we communicate with folks in IT or within the DevOps methodology. Last week this became highly apparent sitting with folks attending OWASP's annual AppSec USA [https://2016.appsecusa.org/], where they discussed the difference betwe

2 min AppSpider

Web Application Security Testing: Single Page Applications Built with JavaScript Frameworks

In recent years, more and more applications are being built on popular new JavaScript frameworks like ReactJS and AngularJS. As is often the case with new application technologies, these frameworks have created an innovation gap for most application security scanning solutions and an acute set of challenges for those of us who focus on web application security [https://www.rapid7.com/solutions/web-application-security.jsp]. It is imperative that our application security testing approaches keep p

4 min Application Security

AppSpider application security scanning solution deepens support for Single Page Applications - ReactJS

Today, Rapid7 is pleased to announce an AppSpider [https://www.rapid7.com/products/appspider/] (application security scanning) update that includes enhanced support for JavaScript Single Page Applications (SPAs) built with ReactJS. This release is significant because SPAs are proliferating rapidly and increasingly creating challenges for security teams. Some of the key challenges with securing SPAs are: 1. Diverse frameworks - The diversity and number of JavaScript frameworks contributes