General scanner questions answered
This section describes the technical product terminology.
What is the Difference Between Single Page and Multipage Applications?
Multipage applications (MPAs) use a standard HTML structure for their content. They consist of multiple individual pages loaded from the server when needed. Famous examples include applications created in PHP and Python with frameworks such as Laravel or Django.
Single Page Applications (SPAs) use AJAX and HTML5 to build responsive apps. These apps send most of their content with the initial request and respond to most user input on the client-side without loading additional content from the server. Typically, JavaScript frameworks such as React, Angular, Vue, or Ember are responsible for handling the heavy lifting on the client-side for a single-page app.
What is the challenge in testing Single Page applications compared to Multipage applications?
Due to their responsive nature, Single Page Applications (SPAs) use asynchronous API requests for backend communication and manipulate the DOM tree to show information in real-time. Traditional crawlers have problems understanding all the JavaScript used in such cases and struggle to find ways to navigate through the application. Other security scanners use manual click-throughs as a base for automated vulnerability scanners, which can be time-consuming to set up and inflexible to a constantly changing app.
The Crashtest Security SPA crawler is the only software on the market that allows you to scan SPAs without click-through models. This enables a much faster setup, better adaption to changes, and takes away much previous effort to scan SPAs.
Are Multipage applications more secure than Single Page applications?
The answer to this question depends on the individual application and the carefulness and security measures that a developer takes. For example, one potential concern for Single Page applications is the exposure of sensitive data.
What is vulnerability scanning?
Vulnerability scanning allows the user to scan software for security vulnerabilities. This can happen on an infrastructure (i.e., network or physical) or application level. Crashtest Security allows its users to scan applications in an automated, agile manner with easy integration in your agile development process.
The manual approach to security testing is called penetration testing. A person performs this service, which takes between 5 and 20 days, depending on the scope of the test. Manual penetration tests often require a specific setup for each test and are incompatible with agile software release processes. However, manual pentesters can cover individual application-specific flaws and test for more OWASP categories, such as Broken Access Control. Insufficient Logging and Monitoring, however, require an internal analysis of the processes and tools.
What does a vulnerability scanner do?
A vulnerability scanner identifies possible attack vectors in the web application or API. The vulnerability scanner then checks whether these attack vectors can be exploited.
Vulnerability scanning can either happen on a non-invasive or invasive basis. It is recommended to only run invasive scans in non-production environments, not to harm live applications. For a complete list of scanners, see list of current scanners.
Why do I need vulnerability scanning?
Vulnerability scanning provides several benefits:
- Ease of use: vulnerability scanners make it simple to set up a test without being a security expert.
- Results within seconds: As the scanners provide results in real-time and operate with parallel requests, the first results are available within seconds of the start.
- Integration in CI/CD-toolchains: due to the frequency of releases in the agile development processes, ensuring every release is tested for security vulnerabilities is vital. This is only possible when security scans can be triggered and evaluated automatically.
- No repeat setup effort: unlike manual security testing, vulnerability scan setup can be configured once and automatically performed on the current software version.
Is it difficult to set up a vulnerability scan?
No. You can set up a project within 2 minutes and get results within 5 minutes. In addition to the first security vulnerabilities, you also receive remediation advice for any found issues.