Edgescan Weasel - Our new Web Security Scanning Tech

By -

 

Web Application Scanning...Evolution

For the past 24 months Edgescan has been developing a new Web Scanning engine, namely "Weasel". Its a core component to the edgescan SaaS web security aspect of the service. We built it for many reasons:

  • Faster Assessment speed.
  • Increased coverage.
  • Better Accuracy.
  • More user control and configuration.
  • Improved API support and navigation.
  • More metrics.
  • Javascript/Single-Page-Application (SPA) improvement.
  • Improved content discovery.
  • Dynamic Learning

A cool thing about weasel is it has a dedicated team that not only consists of developers but also analysts and researchers. This was exciting as some of our penetration testers trained and pushed the engine and our developers implement ongoing changes. Developing a web scanning engine is certainly a treadmill and a never-ending process. Change is good, and to change often is to live well.

Dynamic Learning - Once aspect that is exciting for us is the idea of continuously integrated test cases; ensuring as new vulnerabilities are discovered they are included in our scanning without the need for client interaction or lengthy delays between version releases, while also ensuring known vulnerability test cases are up to date proof of concept's as research is discovered. - Keeping pace with change.

Scalability - In some cases clients have hundreds or thousands of web-layer targets. Weasel provides the ability to deliver a policy based service per application ensuring bandwidth throttling, schedule window scanning while also delivering both finesse and precision ensuring high quality advanced proof of concepts reflecting in cleaner intel delivered to the client.

Advanced automated content discovery - SPA indexing, development, configuration, backup file endpoint discovery. Time after time with internal and external testing we have discovered sensitive content leading to critical risk vulnerabilities which is continuously added to our checks resulting in automated detection.

Better Accuracy - Our engine uses both dynamic and static vectors to find vulnerabilities. We've worked hard on defining powerful testing vectors in order to test for vulnerabilities more efficiently but also to delivery coverage in a shorter timeframe. Of course, as ever, all findings are validated via the Edgescan core technology and expert validation in addition if required also.

API discovery and assessment: Weasel automatically searches for API manifest/Swagger files in order to detect unknown API's. API detection is a little more involved than just swagger file detection as is discussed here but once a manifest is discovered edgescan parses the file to understand how to use and navigate the API and hence test it.

With the introduction of our new Weasel scanning engine coupled with Edgescans fullstack coverage were pretty excited that we are leading the market in relation to continuous vulnerability intelligence. 

There is lots more to discuss at a later date.....

Edgescan Review:

https://www.itsecurityguru.org/2021/04/21/product-review-edgescan-makes-fullstack-vulnerability-management-easy/





Comments

Post a Comment

Popular posts from this blog

By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA...
Read more

Edgescan and Huawei - Cybersecurity - Irish Times Article and Panel Discussion

By -
Image
I recently was interviewed by the Irish times on why is everything getting hacked and how can we change the game.... https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078  A recording of the Panel with Andy Purdy, CSO of Huawei North America. https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s Both are decent and worth a listen.
Read more

How Simple can it be.....XSS Prevention....

By -
Cross Site Scripting is sill a very common web vulnerability. Generally it is used to attack clients/users. It can be used for malware upload, botnet hooking, keylogging, a payload delivery system for clickjacking and CSRF attacks and much much more, all for 6 easy payments of $9.99...sorry got carried away there :) But is is easily preventable. You dont even have to know what XSS (type 0, type 1, type 2, DOM, Stored, Reflected) is to prevent it. One pretty simple way to prevent XSS is to use the OWASP ESAPI (Enterprise Security API). A very easy tool to use/invoke. It's also managed and attended to by Chris Schmidt ....A great guy... Regardless of what it does....if there was a mandate to use it on all redisplayed external input a site could become virtually XSS free!! (all for 6 easy payments of......). It's easy to deploy.... 1. Include in JSP (Java version) 2. Invoke in JSP 3. Job done!!! We include it by <%@ page import="org.owasp.esapi.ESAPI...
Read more