Advanced Features for Continuous Security Testing
In the project preferences, you can configure in-depth settings for further fine-tuning your security scan. Especially the automation part is where you can use Crashtest Security Suite to the fullest extent and get started on your continuous security testing journey (also referred to as "DevSecOps").
If your system is protected by authentication, you can specify the needed authentication to access the system.
If HTTP basic authentication (.htaccess protection) is enabled, configure the credentials here.
If your application has a login form, you may add credentials here. This only works for Multi-Page Applications.
This setting allows you to configure HTTP headers, GET parameters, or (session) cookies for authentication. For more information on setting up an API for scans, see API scanning.
Advanced authentication describes more advanced authentication flows such as SAML or OAuth2.
This setting is where you reap the benefits of automated pentesting - starting a security scan automatically by time or event.
Configure a daily or weekly schedule so that your scans are started automatically at a particular time, day or week.
Create a webhook so your build system can start a security scan automatically based on your needs. Following these steps, you can easily integrate it into your CI/CD pipeline.
Enter a Slack webhook so that Crashtest Security can notify you every time a scan has finished. More information on the creation of Slack webhooks can be found here.
Crawler Mode & Throttling
Adjust the crawler mode to define whether the smart crawling should try to detect forms that appear on multiple sites and only scan them once to reduce the scan duration.
You can choose between the following crawling methods:
- The Smart Crawling mode tries to detect forms that appear on multiple sites (e.g. a search form) and only scans them once to reduce the scan duration. Depending on the implementation of your web application, this might reduce the scan coverage if an identical form appears on multiple sites but is processed differently. Choose the exhaustive crawling if this is the case.
- The Exhaustive Crawling mode scans each detected form for vulnerabilities. Therefore, forms appearing on multiple sites are scanned each time individually. This might significantly increase the scan duration but can increase the detection rate.
Adjust the throttling threshold to limit the maximum number of requests per second sent to scan your server. Consider that the threshold influences the scan duration and that certain scanners require a minimum threshold.