Crashtest Security FAQs
This section provides answers to general questions you might have when first using Crashtest Security Suite.
How do I scan my web application for security vulnerabilities?
Scanning your web applications is super easy with the Crashtest Security Suite. Just set up your project and get results within 2 minutes. See the Crashtest Security Quickstart.
How can I scan an API for security vulnerabilities?
With APIs playing a more critical role in modern technology, it is essential to scan both web applications and APIs for security vulnerabilities. This lets you scan the backend and its communication for mobile apps (Apple or Android) or for HTTP-based IoT devices.
All you need to scan your API is a documentation file: a Swagger v2 or OpenAPI v3 specification as a JSON or YAML file. The documentation needs to be accessible to the security scanner. To achieve this, you can host the documentation somewhere or send the documentation through the API when starting a scan. Instead of crawling your web application for attack vectors, Crashtest Security takes the attack vectors from your API documentation.
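As an added illustration of what a scanner can derive from such a file (example code written for this FAQ, not Crashtest Security's own code), the following Python enumerates the operations and their named inputs, i.e. the attack vectors, from a constructed OpenAPI v3 document; the Swagger v2 base-URL convention (`schemes`/`host`/`basePath`) is handled too. The sample document and the `api.example.test` host are constructed for the example.

```python
import json

# Constructed sample OpenAPI v3 document (not a real API; hosts are placeholders).
SAMPLE_OPENAPI_V3 = json.loads("""
{ "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path"}],
      "get": {"parameters": [{"name": "fields", "in": "query"}]},
      "delete": {"parameters": [{"name": "X-Confirm", "in": "header"}]}
    },
    "/login": {
      "post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object",
        "properties": {"user": {"type": "string"}, "password": {"type": "string"}}}}}}}
    }
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def attack_vectors(doc):
    """Return (METHOD, full URL, [location:name, ...]) for every operation.

    Accepts both Swagger v2 (top-level "swagger" key) and OpenAPI v3 ("openapi" key).
    Each entry is one request surface a scanner would exercise: the endpoint plus
    every path, query, header or JSON-body input it can inject into.
    """
    if "swagger" in doc:  # Swagger v2 builds the base URL from scheme/host/basePath
        scheme = (doc.get("schemes") or ["https"])[0]
        base = f"{scheme}://{doc.get('host', '')}{doc.get('basePath', '')}"
    else:  # OpenAPI v3 lists full server URLs; take the first one
        base = (doc.get("servers") or [{"url": ""}])[0]["url"]
    vectors = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip "parameters", "summary", etc.
                continue
            params = [f"{p['in']}:{p['name']}" for p in shared + op.get("parameters", [])]
            # OpenAPI v3 request bodies: each top-level JSON property is an input
            for media in op.get("requestBody", {}).get("content", {}).values():
                params += [f"body:{name}" for name in media.get("schema", {}).get("properties", {})]
            vectors.append((method.upper(), base + path, params))
    return vectors


if __name__ == "__main__":
    for method, url, params in attack_vectors(SAMPLE_OPENAPI_V3):
        print(method, url, params)
```

A YAML specification can be loaded the same way with PyYAML's `yaml.safe_load` in place of `json.loads`; if an endpoint you expect is missing from this list, the scanner will not see it either, so fix the documentation before starting the scan.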
How do I test my Single Page application for security vulnerabilities?
Setting up a scan for your Single Page Application (SPA) is easy. First set up your project. After choosing Web Application as your Scan Target Type, select JavaScript Application. For best results, add authentication credentials to your scan. See the user guide.
How do I prepare my application for a vulnerability scan?
For a vulnerability scan, you should set up your application in such a way that the scan does not interrupt your service, and you can go back to a working state in case of any issues during the scan:
- Ensure that you have permission to conduct a security scan against your application. Talk to all people concerned with the application, such as developers, product owners, or the infrastructure team.
- Inform the monitoring team about the security scan so that no real alert is fired when the security scan starts.
- When doing invasive security scans such as the Crashtest Security Full Scan, scan your application on a test or staging system instead of the production system.
- Do a backup before the vulnerability scan so that you can roll back the system to a working state if needed.
- Create a Test User for the vulnerability scan so that the test data generated by the scan stays separate from the other (test) data.
What login methods do vulnerability scanners support?
The vulnerability scanner supports several authentication methods:
- HTTP Basic Authentication
- Login Form Authentication
- Parameter Authentication (HTTP headers, GET parameters, and (session) cookies)
How long does a vulnerability scan take?
The quick, non-invasive vulnerability scan takes 2-5 minutes. The duration of the full invasive vulnerability scan depends on the size of your application and the number of attack vectors found. Most scans finish in under 4 hours, but a scan might take longer for a very large application.
How can Crashtest Security help your company with compliance certifications? (Specific case of ISO 27.001)
ISO 27.001 is about implementing secure processes within the company. For example, if the company is developing web applications, it also needs a strategy to ensure secure software/web apps.
Before, during, or after the ISO Certification, measures have to be implemented to ensure that the process is enforced. You can use Crashtest Security to scan your software before every release and ensure that you keep delivering secure web applications.