Application security

Using DAST to Expand DevOps Security Coverage

Coalfire Cybersecurity Team

June 5, 2020

This content is provided "as is" and is more than a year old. No representations are made that the content is up to date or error-free.

The state of application security is constantly evolving with changing web architectures and approaches. These changes are making security teams employ a wider range of techniques and tool sets to find vulnerabilities within their applications. Web and mobile applications each present their own challenges with the different ways that they connect to the Internet and expose organizations to risk. The combination of changing environments and the need for more expansive testing can leave security teams stretched thin. 

The shift to DevOps in many organizations takes these pressures and further amplifies them for security teams. Security can't be a hold-up to development, but if security isn't involved in the development process, the results can be extremely costly for the organization. For security to keep pace with development, security teams need to adopt tool sets that let them scan applications as quickly as development teams release new builds.

Rapid7's AppSpider looks at the various layers in an application and collects information on the types of risk each one can face. AppSpider identifies new and existing technologies used in the application to pinpoint potential areas of risk, so security professionals can focus their testing efforts on what has changed since the last round of testing. Then, by running dynamic application security testing (DAST) scans through AppSpider on those high-risk areas, teams can quickly identify vulnerabilities in their application.

ThreadFix® allows you to correlate vulnerabilities found using DAST testing with those found in static application security testing (SAST) and manual security testing. It then automatically ranks those vulnerabilities by the level of risk associated with them to give you a more complete view of your application’s security.

By integrating Rapid7 AppSpider into your ThreadFix deployment, you can schedule scans and control how often their results are imported. Then, using other integrations in the ThreadFix API, you can have those vulnerabilities sent to defect trackers as tickets for your developers to work on. This allows you to embed security directly into your DevOps pipelines as part of a more comprehensive application security program.