Enhancing Web Application Scanner Results

With the movement to increase security testing during development, also known as “Shift Left”, Dynamic Application Security Testing (DAST) is one of the tools organizations use to improve their detection rate for vulnerabilities in custom web applications and application workloads.  The goal of DAST is to reduce the number of vulnerabilities that make it to production.  Tenable.io’s Web Application Scanner (WAS) is one of the leading DAST tools available today, and provides a way to black-box test your web applications by launching attacks against them from the outside and looking for vulnerabilities in the responses.

Tenable is one of K2’s technology partners, and K2’s vulnerability detection can enhance the results generated by a WAS test.  K2’s Security Platform is a complementary addition to WAS that offers three significant benefits over a standalone WAS scan.

Benefits of K2 with WAS

  • Detect vulnerabilities missed by Tenable.io’s WAS
  • For all detected vulnerabilities (whether found by K2 or by Tenable), provide additional telemetry that enables developers to remediate quickly, including proof of exploitability
  • Help identify likely false positives in the WAS results

No Change to the WAS Testing Environment

With K2, there is no change to the existing WAS testing setup or environment.  The only addition is K2’s agent, which runs on the application server under test and uses standard application instrumentation of the same kind that Application Performance Monitoring (APM) agents use.  By running on the application server and instrumenting the code as it executes, K2 gets visibility into the running application that WAS, which only sees requests and responses, lacks.

How K2 Improves Application Security

K2’s solution sits on the same server as the application under test, and has visibility into the execution of the code as it runs in memory.  By residing on the server, K2 gets visibility that WAS lacks, since WAS tests from the edge and can only judge a vulnerability by the response it gets back.

With this additional visibility, K2 can see vulnerabilities being triggered in code even when the responses sent back to Tenable.io WAS give no indication of a vulnerability.  In our testing with customers, we typically find additional significant vulnerabilities that would have made it to production without K2 in the testing environment.

In addition, for vulnerabilities discovered by WAS, K2 can add significant telemetry to the details of the vulnerability reported by Tenable.io, including the exact location of the vulnerability down to the filename and line of code where it resides.  K2 also provides proof of exploitability and a stack trace, so the developer can remediate the vulnerability quickly.

K2 can also help identify false positives in Tenable.io’s WAS scan results.  Because K2 resides on the application server and has that additional visibility, K2’s agent can also see that no vulnerability was triggered for a request where Tenable.io reports one.  Results matching this scenario can be treated as likely false positives and deprioritized, which reduces the time developers spend researching findings that are unlikely to be real.  The confidence in that verdict rests on the agent having instrumented the sink the scanner was probing, so it is a reason to deprioritize a finding rather than to discard it unchecked.
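To make concrete what “seeing the vulnerability triggered in code” and the false-positive check look like in practice, here is an added, self-contained Python illustration.  It is not K2’s agent and not Tenable.io WAS output; the application, routes, payloads and probe list are all hypothetical and constructed for this example.  An in-process hook wraps the database sink, a toy taint rule flags request input that reaches the sink as raw SQL text, the hook records the function, file, line and stack for the hit, and a replay step joins those hits with what the scanner reported, so each probe is labelled confirmed, missed by the scanner, or a candidate false positive.

```python
"""Toy runtime agent: instrument a SQL sink, record where untrusted input reaches
it, and correlate those observations with scanner probes. Added illustration on
constructed data; it is neither K2's agent nor Tenable.io WAS output."""
import inspect
import sqlite3
import traceback
from collections import namedtuple

SinkEvent = namedtuple("SinkEvent", "request_id sink function filename lineno stack")

class RuntimeAgent:
    """Sees each sink call in-process, which a scanner outside the server cannot."""
    def __init__(self):
        self.events, self._request_id, self._params = [], None, {}

    def begin_request(self, request_id, params):
        self._request_id, self._params = request_id, dict(params)

    def observe(self, sink, sink_arg):
        # Toy taint rule (real agents track taint through the code): a request parameter
        # value that appears verbatim in the string handed to the sink was concatenated in.
        for value in self._params.values():
            if len(value) >= 4 and value in sink_arg:
                frame = inspect.stack()[2]  # [0]=observe, [1]=sink wrapper, [2]=app code
                self.events.append(SinkEvent(
                    self._request_id, sink, frame.function, frame.filename,
                    frame.lineno, "".join(traceback.format_stack(limit=8))))
                return

class InstrumentedConnection:
    """Wraps sqlite3.Connection.execute so every query passes the agent on the way in."""
    def __init__(self, conn, agent):
        self._conn, self._agent = conn, agent

    def execute(self, sql, params=()):
        self._agent.observe("sqlite3.execute", sql)
        return self._conn.execute(sql, params)

# Hypothetical application under test: two injectable handlers and one safe one.
def find_user(conn, name):
    # Deliberately vulnerable: the parameter is concatenated into the SQL text.
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def search_users(conn, q):
    # Safe: the value is bound, so it never enters the SQL text.
    return conn.execute("SELECT name FROM users WHERE name LIKE ?", ("%" + q + "%",)).fetchall()

def audit_login(conn, name):
    # Deliberately vulnerable and blind: the caller always gets "ok" back, so a
    # scanner sees nothing in the response no matter what it sends.
    try:
        conn.execute("INSERT INTO audit VALUES ('" + name + "')")
    except sqlite3.Error:
        pass
    return "ok"

ROUTES = {"/user": ("name", find_user), "/search": ("q", search_users), "/audit": ("name", audit_login)}
# Constructed scanner probes; "reported" is whether the scanner flagged that probe.
SCANNER_PROBES = [
    {"id": "P-1", "path": "/user", "payload": "' OR '1'='1", "reported": True},
    {"id": "P-2", "path": "/search", "payload": "' OR '1'='1", "reported": True},
    {"id": "P-3", "path": "/audit", "payload": "' OR '1'='1", "reported": False},
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE audit (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn

def replay(agent, conn, probe):
    """Replays one probe through the app and joins the result with the agent's events."""
    param, handler = ROUTES[probe["path"]]
    agent.begin_request(probe["id"], {param: probe["payload"]})
    try:
        handler(conn, probe["payload"])
    except sqlite3.Error:
        pass  # an error page is still just a response; the sink hit is what counts
    hit = next((e for e in agent.events if e.request_id == probe["id"]), None)
    if hit and probe["reported"]:
        verdict = "confirmed"                 # scanner finding plus proof from the sink
    elif hit:
        verdict = "missed by scanner"         # vulnerable code ran, response gave no hint
    elif probe["reported"]:
        verdict = "candidate false positive"  # no instrumented sink reached for this payload
    else:
        verdict = "clean"
    return {"id": probe["id"], "verdict": verdict,
            "function": hit.function if hit else None,
            "location": f"{hit.filename}:{hit.lineno}" if hit else None,
            "stack": hit.stack if hit else None}

def triage(probes=SCANNER_PROBES):
    agent = RuntimeAgent()
    conn = InstrumentedConnection(build_db(), agent)
    return [replay(agent, conn, p) for p in probes]
```

Calling `triage()` returns one record per probe: P-1 is confirmed with the file, line, function and stack of `find_user`; P-2 has no sink hit because `search_users` binds its parameter, so the scanner’s report is a candidate false positive; P-3 is a hit in `audit_login` that the scanner never reported because the response is always “ok”.  The toy rule’s limits are the caveat that matters for the second case: a probe with no recorded hit only says that this hook, on this sink, saw no tainted SQL, so coverage of the sinks the application actually uses decides how much weight a “candidate false positive” verdict carries.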

Improve how you test your applications: include K2 Cyber Security in your Web Application Scanning and get results that your developers can act on.

Find out more about K2 today by requesting a demo, or get your free trial.


*** This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing.