This article collects the questions users typically ask when they first start using Crashtest Security Suite, together with their answers.
How do I scan my web application for security vulnerabilities?
How can I scan an API for security vulnerabilities?
With APIs playing an increasingly critical role in today's technology, it is essential to scan not only web applications but also APIs for security vulnerabilities. This lets you test the backend and the communication channel of mobile apps (Apple or Android) and of HTTP-based IoT devices.
All you need to scan your API is a documentation file: a Swagger v2 or OpenAPI v3 document, as a JSON or YAML file. The documentation must be reachable by our security scanner, either by hosting it somewhere the scanner can fetch it or by submitting it through our API when starting a scan. Instead of crawling your web application to discover attack vectors, we derive the attack vectors from your API documentation.
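To illustrate what "deriving attack vectors from the documentation" means in practice, here is an added example (not Crashtest Security's code) that walks a Swagger v2 or OpenAPI v3 document and lists every operation with the parameters a scanner could populate, plus whether the operation declares any security requirement. It goes slightly beyond the text by handling both document formats in one function. The two embedded documents are constructed samples; the hostnames, paths and the `unauthenticated` helper are assumptions made for the example, and the JSON is parsed with the standard library (a YAML file would be loaded with PyYAML's `safe_load` instead).

```python
"""Enumerate the request surface described by an API document.

Constructed example: given a Swagger v2 or OpenAPI v3 document, list every
operation together with the parameters a DAST scanner could populate. This
is the information a documentation-driven scan uses instead of crawling.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _v2_parameters(path_item, operation):
    """Swagger v2 style: parameters live on the path item and on the operation."""
    params = []
    for p in list(path_item.get("parameters", [])) + list(operation.get("parameters", [])):
        location = p.get("in", "query")
        params.append({"name": p.get("name"), "in": location,
                       "required": bool(p.get("required", location == "path"))})
    return params


def _v3_parameters(path_item, operation):
    """OpenAPI v3 adds a separate requestBody with one entry per media type."""
    params = _v2_parameters(path_item, operation)
    body = operation.get("requestBody")
    if body:
        for media_type in body.get("content", {}):
            params.append({"name": "requestBody", "in": "body",
                           "required": bool(body.get("required", False)),
                           "media_type": media_type})
    return params


def _base_urls(spec):
    """Swagger v2 builds the base from scheme+host+basePath; v3 lists servers."""
    if "swagger" in spec:
        host = spec.get("host", "localhost")
        base_path = spec.get("basePath", "")
        schemes = spec.get("schemes") or ["https"]
        return [f"{s}://{host}{base_path}" for s in schemes]
    return [s.get("url", "/") for s in spec.get("servers", [{"url": "/"}])]


def extract_attack_vectors(spec):
    """Return one record per (method, URL) with its parameters and security flag."""
    collect = _v2_parameters if "swagger" in spec else _v3_parameters
    vectors = []
    for base in _base_urls(spec):
        for path, item in spec.get("paths", {}).items():
            for method, operation in item.items():
                if method.lower() not in HTTP_METHODS:   # skips "parameters", "summary", ...
                    continue
                # An operation-level "security" key overrides the document-level one;
                # an explicit empty list means the operation is deliberately public.
                secured = bool(operation.get("security", spec.get("security")))
                vectors.append({"method": method.upper(),
                                "url": base.rstrip("/") + path,
                                "parameters": collect(item, operation),
                                "secured": secured})
    return vectors


def unauthenticated(vectors):
    """Operations with no security requirement: worth a second look before scanning."""
    return [f"{v['method']} {v['url']}" for v in vectors if not v["secured"]]


# Constructed sample documents (hostnames and paths are made up for the example).
OPENAPI_V3_DOC = json.loads("""
{"openapi": "3.0.0",
 "servers": [{"url": "https://api.example.test/v1"}],
 "security": [{"bearerAuth": []}],
 "paths": {
   "/users/{id}": {
     "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "integer"}}],
     "get": {"summary": "Fetch a user"},
     "delete": {"summary": "Delete a user"}},
   "/login": {
     "post": {"security": [],
              "requestBody": {"required": true,
                              "content": {"application/json": {"schema": {"type": "object"}}}}}}}}
""")

SWAGGER_V2_DOC = json.loads("""
{"swagger": "2.0", "host": "legacy.example.test", "basePath": "/api", "schemes": ["https"],
 "paths": {"/search": {"get": {"parameters": [{"name": "q", "in": "query", "type": "string"}]}}}}
""")

if __name__ == "__main__":
    for doc in (OPENAPI_V3_DOC, SWAGGER_V2_DOC):
        for v in extract_attack_vectors(doc):
            names = ", ".join(f"{p['name']}({p['in']})" for p in v["parameters"]) or "-"
            print(f"{v['method']:6} {v['url']:45} params: {names}  secured: {v['secured']}")
        print("public:", unauthenticated(extract_attack_vectors(doc)))
```

The `secured` flag is a cheap pre-scan sanity check: an operation that the documentation marks as public (an empty `security` list, or no requirement at all) is exactly where a scanner will send unauthenticated requests, so confirming that list matches your intent before the scan avoids surprises in the report.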
How do I test my Single Page application for security vulnerabilities?
How do I prepare my application for a vulnerability scan?
For a vulnerability scan, set up your application so that the scan does not interrupt your service and so that you can return to a working state if anything goes wrong during the scan:
- Ensure that you have permission to conduct a security scan against your application. Talk to all people concerned with the application, such as developers, product owners, or the infrastructure team.
- Inform the monitoring team about the security scan so that no real alert is raised when the scan starts.
- When doing invasive security scans such as the Crashtest Security Full Scan, scan your application on a test or staging system instead of the production system.
- Do a backup before the vulnerability scan so that you can roll back the system to a working state if needed.
- Create a dedicated test user for the vulnerability scan so that the data the scan generates stays separate from your other (test) data.
What login methods do vulnerability scanners support?
Our vulnerability scanner supports several authentication methods:
- HTTP Basic Authentication
- Login Form Authentication
- Parameter Authentication (HTTP headers, GET parameters, and (session) cookies)
How long does a vulnerability scan take?
Our quick, non-invasive vulnerability scan takes 2-5 minutes. The duration of the full invasive vulnerability scan depends on the size of your application and the number of attack vectors found. Most of our scans finish in under 4 hours, but a scan may take longer for an extensive application.
How can Crashtest Security help our company with compliance certifications? (Specific case of ISO 27001)
ISO 27001 is about implementing secure processes within the company. For example, if the company develops web applications, it also needs a strategy to ensure that the resulting software/web apps are secure.
Before, during, or after the ISO certification, measures have to be implemented to ensure that the process is enforced. This is where we can support you. With a DAST tool like ours, you can scan your software before every release and ensure that you keep delivering secure web applications.
What does a vulnerability scan cost?
We charge by the number of scan targets rather than the number of scans (see our pricing), so you can scan your web apps continuously without worrying about a large bill or limitations. Let us know your specific security challenge and we will find the right pricing together. Just get in contact with us.