Scales to test thousands of applications simultaneously.

Securing Web Applications

More than half of all breaches involve web applications* — yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production.

Clearly, organizations need a way to replace fragmented, manual pen testing with ongoing, automated scanning so they can protect their global application infrastructures — without hiring more consultants or installing more servers and scanning tools.

The leading vector for cyber-attacks

Applications have become the path of least resistance for cyber-attackers because they are:

  • Constantly exposed to the Internet and easy to probe by outside attackers using freely available tools that look for common vulnerabilities such as SQL Injection.

  • Easier to attack than traditional targets such as the network and host operating system layers which have been hardened over time. Plus, networks and operating systems are further protected by mitigating controls such as next-generation firewalls and IDS/IPS systems.

  • Driven by short development cycles that increase the probability of design and coding errors — because security is often overlooked when the key objective is rapid time-to-market.

  • Assembled from hybrid code obtained from a mix of in-house development, outsourced code, third-party libraries and open source — without visibility into which components contain critical vulnerabilities.

  • Likely to present a larger attack surface with Web 2.0 technologies that incorporate complex client-side logic such as JavaScript (AJAX) and Adobe Flash.

Discover and continuously monitor all your web applications

Veracode Web Application Scanning (WAS) offers a unified solution to find, secure, and monitor all of your web applications – not just the ones you know about. WAS includes:

  • Discovery: According to SANS, many organizations don’t even know how many applications they have in their domains. Our Discovery service addresses this visibility gap by creating a global inventory of all your public-facing web applications such as corporate sites, temporary marketing sites, related sites (.mail, .info, etc.), international domains and sites obtained via M&A. Plus, Discovery leverages our massively parallel, auto-scaling infrastructure to discover thousands of applications per day.

  • DynamicMP (Massively Parallel): Baseline your application risk by quickly identifying highly exploitable vulnerabilities such as those found in the OWASP Top 10 and CWE/SANS Top 25. Leverage our massively parallel infrastructure to test thousands of web applications simultaneously with lightweight, non-authenticated dynamic scans. Rapidly mitigate risk by shutting down temporary sites and feeding security intelligence information to Web Application Firewalls (WAFs).

  • DynamicDS (Deep Scan): Perform a comprehensive deep scan that identifies web application vulnerabilities using both authenticated and non-authenticated scans, including looking for attack vectors such as cross-site scripting (XSS), SQL injection, insufficiently protected credentials and information leakage. Also integrates security intelligence information with WAFs to enable virtual patching.

  • Virtual Scan Appliance (VSA): Perform a deep scan of applications located behind the firewall, typically in QA or staging environments, in order to find vulnerabilities prior to deployment. The VSA also helps secure internal web applications from insider attacks or attacks by malicious outsiders who gain access to insider credentials. 

  • All results are consolidated with other threat intelligence through our central cloud-based platform.

Three steps to web application security


* SOURCE Verizon Data Breach Investigations Report (DBIR)

Source: SANS