Continuous Security Testing

This article explains the advanced functionalities of the Crashtest Security Suite, and how to reap the benefits of automated pentesting in agile development processes.

In the project preferences, you can configure in-depth settings for further fine-tuning of your security scan. The automation settings in particular are where you can use the software to its fullest extent and get started on your continuous security testing journey (also referred to as "DevSecOps").

Authentication

If your system is protected by authentication, you can specify the credentials needed to access it here.


System authentication: If HTTP basic authentication (.htaccess protection) is enabled, configure the credentials here.

Application authentication: If your application has a login form, you may add the login credentials here. This only works for multi-page applications.


Parameter authentication: This setting allows you to configure HTTP headers, GET parameters, or (session) cookies for authentication. If you would like more guidance on how to set up an API for scans, please check out this wiki article.

More advanced authentication flows such as SAML or OAuth2 are described in our advanced authentication article.

Automation

This setting is where you start to reap the benefits of automated pentesting: starting a security scan automatically, either on a schedule or triggered by an event.


Scheduled Scan: Configure a daily or weekly schedule so that your scans are started automatically at a set time each day or week.


Webhook: Create a webhook so that your build system can start a security scan automatically whenever you need one. You can integrate it into your CI/CD pipeline by following the steps explained here.

Notification

Enter a Slack webhook so that we notify you every time a scan has finished. More information on the creation of Slack webhooks can be found here.


Crawler Mode & Throttling


Crawling method
Adjust the crawler mode to define how forms that appear on multiple pages of your site are handled during a scan.
You can choose between the following crawling methods:

  • The Smart Crawling mode tries to detect forms that appear on multiple pages (e.g. a search form) and scans them only once to reduce the scan duration. Depending on the implementation of your web application, this might reduce the scan coverage if an identical form appears on multiple pages but is processed differently on the server side. Please choose exhaustive crawling if this is the case.
  • The Exhaustive Crawling mode scans each detected form for vulnerabilities, so forms appearing on multiple pages are scanned individually each time. This might significantly increase the scan duration, but can also increase the detection rate.
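The following is an added example, not code from Crashtest Security: a small model of the two crawling modes over a constructed three-page site. It shows why smart mode can collapse a search form that is embedded on every page into a single test target, which is exactly the coverage trade-off described above when such forms are handled differently per page.

```python
# Added example (not Crashtest Security's own code): models how a smart crawler
# deduplicates forms seen on several pages versus an exhaustive crawler.
from html.parser import HTMLParser

class FormCollector(HTMLParser):
    """Collect each <form> on one page with its action, method and input names."""
    def __init__(self, page):
        super().__init__()
        self.page, self.forms, self._cur = page, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"page": self.page, "action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(), "fields": []}
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def fingerprint(form):
    # Same target, method and field set looks like "the same form" to a crawler,
    # regardless of how the backend behind each page actually processes it.
    return (form["action"], form["method"], tuple(sorted(form["fields"])))

def select_forms(pages, mode):
    """Return the forms a scan would test; pages maps URL path -> HTML."""
    forms = []
    for url, html in pages.items():
        collector = FormCollector(url)
        collector.feed(html)
        forms.extend(collector.forms)
    if mode == "exhaustive":
        return forms                      # every occurrence is tested
    seen, kept = set(), []
    for form in forms:                    # smart: first occurrence only
        if fingerprint(form) not in seen:
            seen.add(fingerprint(form))
            kept.append(form)
    return kept

# Constructed sample site: the same search form is embedded on three pages.
SITE = {
    "/": '<form action="/search" method="get"><input name="q"></form>',
    "/blog": '<form action="/search" method="get"><input name="q"></form>'
            '<form action="/comment" method="post"><input name="text"></form>',
    "/shop": '<form action="/search" method="get"><input name="q"></form>',
}
```

Running `select_forms(SITE, "smart")` yields two targets while `select_forms(SITE, "exhaustive")` yields four; if `/shop` handled the search input differently from `/`, only exhaustive mode would exercise it.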

Throttling
Adjust the throttling threshold to limit the maximum number of requests per second sent to your server during a scan. Please note that the threshold influences the scan duration and that certain scanners require a minimum threshold to work.