Our very own Shawn Simpson, Product Manager for Fortify DAST, recently appeared in an interview with Suphi Cankurt, founder of AppSec Santa. They discussed the importance of dynamic application security testing (DAST) and what makes Fortify WebInspect an industry-leading DAST solution. Here’s a short recap of their discussion.
Suphi Cankurt: Shawn, can you help us secure our applications?
Shawn Simpson: I think we can! You know, DAST is a really important part of that. While there's a lot of ways to take a look at the application, I think it’s important to get that black box view, really that outside-in view, to actually exploit some of the vulnerabilities in the app before somebody else does. I think it's a really important part of that security and depth that we provide.
SC: So what is WebInspect, who is using it, and why should we use it?
SS: So WebInspect at its core is a DAST tool, so dynamic application security testing is what that stands for, and it came from the idea of a set of tools to really help pen testers. When a pen tester comes on site they're looking from that outside-in view, but there's a lot of the work that could be automated.
So the founding idea of WebInspect was “How do we help pen testers in their job automate some of the work that can be done?” And that was a great idea to start with, but it's really grown over the years. DAST tooling is a very mature product at this point and it's been around for decades. So WebInspect is really the core piece of that—we use it not only as a standalone tool, but there’s also the engine and some of our other offerings.
We have an enterprise piece that we use for automation, we have Fortify on Demand and our Fortify Hosted for cloud service. Then there’s ScanCentral DAST, that's a piece that it fits in with our software security center, which is really our dashboard. It is a tool for triaging vulnerabilities, getting reporting, getting trending things like that.
The ScanCentral DAST part of it is a plug-in that fits in with that enterprise dashboard and allows automation of DAST scans along with SAST scans and any of our other pieces. It’s a centralized place to triage things, not really just to look at just that single scan. WebInspect is great at getting that deep dive into a single scan. ScanCentral DAST and Software Security Center (SSC), they really give you that broader view of how an application is trending over time and how your portfolios are looking.
SC: Yeah and you mentioned that it’s like a pen testing tool, but I know that many enterprises using WebInspect are scanning hundreds of applications. So as the industry moves forward, even small and medium businesses now have like over 20 applications. So with the traditional pen testing approach, you have two websites to dig in and you continuously check the same stuff. But now the game has changed, and every company now has 50 applications, 200 APIs, and they’re asking “how are we going to scan that?”
SS: Absolutely yeah. You know, what I hear a lot is, “once you hit a certain size, every company is a software company.” It's just the modern reality. Every company has many apps, no matter what their primary business is, and they all need to be secured.
So regardless of the scale they need, that's what ScanCentral DAST and SSC are really there for. It could just be a single WebInspect sensor that's automated just to make it so somebody doesn't have to sit there and babysit it and they can get the results. We have customers scanning hundreds of apps on a regular cadence, maybe every nightly build, things like that.
So it fits really well in the different use cases. There’s the modern DevOps where it is on that nightly build or check-in, then the more traditional sort of gated models where everyone's gotta scan before a release or something like that. We try to accommodate all of those because you have the very mature software companies who think “agile.” They think “modern DevOps.” They need a certain set of tooling and a certain set of support.
Then you have someone who may be supporting brick and mortar stores out there, or they have a factory somewhere. But they still have apps! They don't have mature DevOps, but they need to secure stuff so we try to accommodate them as well.
SC: So what can we expect from the next release?
SS: We’re doing a lot of things around APIs. We already have a pretty complete story with APIs—we have an integration with Postman, it's kind of an industry standard at this point. But we're looking at really getting that complete API solution, so things like API discovery I think is a really important one in there. As I said, everyone's got APIs whether they know it or not. They’re what's gluing the applications together and sometimes you've got the task of “I've got to scan this app,” but it's probably not a single thing it's really a collection of things.
So we've got some really cool things coming where we can discover those APIs mid-scan through a Swagger definition, picking up on, you know, a GraphQL query and figuring out what all is there and really trying to simplify that so the person running the scan doesn't have to be the expert on the application. The industry term is “shift left” you know? Allow the small security team to manage this stuff and move more and more of the kicking off the scans to the developers and the QA, but they don't really want to spend all that time doing it. So we want to do as much of it for them as we can, and the API work is the big one for that. But yeah, APIs and then Linux compatibility (later this year) are kind of the big things we're working on this year.
SC: Okay sounds great. Yeah thank you for being here today and answering all these questions. I'm sure people enjoyed it and I enjoyed it as well. Thank you very much!
SS: Thank you as well!
Watch the full AppSec Santa episode with Shawn Simpson.
More About Fortify
CyberRes Fortify delivers software resilience for modern development with a holistic, inclusive, and extensible application security platform from a trusted partner that supports today’s enterprises. This comprehensive suite of products brings holistic security and visibility to developers, AppSec professionals and key stakeholders with automated integrations for any tool, anywhere in the SDLC and a robust set of capabilities available on premise, cloud-hosted, or as a managed service.