With the movement to increase security testing during development, also known as “Shift Left”, Dynamic Application Security Testing (DAST) is one of the tools organizations use to improve their detection rate of vulnerabilities in custom web applications and application workloads. The goal of DAST is to reduce the number of vulnerabilities that make it to production. Tenable.io’s Web Application Scanner (WAS) is one of the leading DAST tools available today. It black-box tests your web applications by sending attack payloads to the running application and inspecting the responses for signs of vulnerabilities.
K2 is a Tenable.io Technology Partner
Tenable.io is one of K2’s technology partners, and K2’s vulnerability detection can enhance the results generated by a Tenable.io WAS test. K2’s Security Platform is a complementary addition to Tenable.io WAS that offers three significant benefits over a standalone Tenable.io WAS scan.
Benefits of K2 with Tenable.io WAS
- Detect vulnerabilities missed by Tenable.io’s WAS
- For all detected vulnerabilities (by K2 and Tenable), provide additional telemetry to enable developers to remediate quickly, including proof of exploitability
- Help identify possible false positives from Tenable.io WAS
No Change to the Tenable.io WAS Testing Environment
With K2, there is no change to the existing Tenable.io WAS test or its environment. K2’s agent runs on the application server under test and uses standard application instrumentation, like that used for Application Performance Monitoring (APM). By running on the application server and instrumenting the running code, K2 gets visibility into the running application that Tenable.io WAS, which only sees requests and responses, lacks.
How K2 Improves Application Security
K2’s solution sits on the same server as the application under test and has visibility into the execution of the code as it runs in memory. Tenable.io WAS tests from outside the application, as an external client would, so it can only infer a vulnerability from the response it receives; by residing on the server, K2 can observe the code path the request actually triggers.
With this additional visibility K2 can see vulnerabilities being triggered in code even when the responses returned to Tenable.io WAS do not indicate a vulnerability (a blind injection whose error is caught and hidden by the application, for example). In our testing with customers we typically find additional significant vulnerabilities that would have made it to production without the addition of K2 to the testing environment.
For vulnerabilities discovered by Tenable.io WAS, K2 can add significant telemetry to the details reported by Tenable.io, including the exact location of the vulnerability down to the filename and line of code where it resides. K2 also provides proof of exploitability and a stack trace, so the developer can remediate the vulnerability quickly.
K2 can also help identify false positives generated by a Tenable.io WAS scan. Because K2 resides on the application server and has additional visibility, its agent can see that no vulnerability was triggered for a request that Tenable.io flagged as vulnerable. Results matching this scenario can be treated as likely false positives, reducing the time developers spend researching findings that are unlikely to be real.
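The three behaviours described above (a finding the scanner cannot see in the response, file/line and stack-trace telemetry for a sink hit, and a scanner flag with no corresponding sink hit) can be shown with a small in-process instrumentation agent. The following is an added example written for this article, not K2’s or Tenable’s code: it wraps the `sqlite3` database sink of a toy application, records which request value reached the sink unparameterized, and correlates that with a deliberately crude scanner heuristic. The substring taint check, the two handlers, the `dast_probe` heuristic and the "missed by DAST" / "likely false positive" verdict labels are all constructed for illustration; a real agent propagates taint through string operations rather than matching substrings.

```python
"""Toy in-process agent vs. black-box probe (constructed illustration)."""
import sqlite3
import sys
import traceback


class Agent:
    """Remembers the current request's inputs and inspects SQL at the sink."""

    def __init__(self):
        self.params = {}
        self.findings = []

    def begin_request(self, params):
        self.params = dict(params)
        self.findings = []

    def at_sql_sink(self, sql, caller):
        for name, value in self.params.items():
            # Toy taint check: the raw request value appears verbatim in the SQL
            # text, i.e. it was concatenated in rather than bound as a parameter.
            # (Length threshold is an assumption to avoid matching "1" everywhere.)
            if len(value) >= 2 and value in sql:
                finding = {
                    "type": "sql-injection",
                    "param": name,
                    "file": caller.f_code.co_filename,   # file/line telemetry
                    "line": caller.f_lineno,
                    "function": caller.f_code.co_name,
                    "sql": sql,
                    "stack": traceback.format_stack(caller),
                }
                self.findings.append(finding)
                return finding
        return None


AGENT = Agent()


class InstrumentedCursor(sqlite3.Cursor):
    def execute(self, sql, params=()):
        caller = sys._getframe(1)          # the application frame that built the query
        finding = AGENT.at_sql_sink(sql, caller)
        try:
            return super().execute(sql, params)
        except sqlite3.Error as exc:
            if finding is not None:        # proof: the tainted input broke the statement
                finding["db_error"] = f"{type(exc).__name__}: {exc}"
            raise


class InstrumentedConnection(sqlite3.Connection):
    def cursor(self, factory=InstrumentedCursor):
        return super().cursor(factory=factory)


# The agent installs itself by patching the connect call; the app is unchanged.
_real_connect = sqlite3.connect


def _instrumented_connect(*args, **kwargs):
    kwargs.setdefault("factory", InstrumentedConnection)
    return _real_connect(*args, **kwargs)


sqlite3.connect = _instrumented_connect


# --- the application under test (constructed) ---------------------------------
def open_db():
    db = sqlite3.connect(":memory:")
    cur = db.cursor()
    cur.execute("CREATE TABLE users (id TEXT, name TEXT)")
    cur.execute("CREATE TABLE audit (note TEXT)")
    cur.execute("INSERT INTO users VALUES ('1', 'alice')")
    return db


def audit_handler(db, note):
    """Vulnerable: string-built INSERT, errors swallowed, constant reply."""
    try:
        db.cursor().execute(f"INSERT INTO audit (note) VALUES ('{note}')")
        db.commit()
    except sqlite3.Error:
        pass                                # nothing about the failure reaches the client
    return "ok"


def user_handler(db, user_id):
    """Safe: parameterized query, but the reply still varies with the input."""
    row = db.cursor().execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return "found" if row else "not found"


# --- the black-box side (constructed heuristic) --------------------------------
def dast_probe(handler, db, param, baseline):
    """Flag if a quote-breaking payload changes the response vs. the baseline."""
    AGENT.begin_request({param: baseline})
    normal = handler(db, baseline)
    payload = baseline + "'"
    AGENT.begin_request({param: payload})
    probed = handler(db, payload)
    return {"dast_flagged": probed != normal, "agent_findings": list(AGENT.findings)}


def correlate(result):
    if result["agent_findings"]:
        return "confirmed" if result["dast_flagged"] else "missed by DAST"
    return "likely false positive" if result["dast_flagged"] else "clean"


def run():
    db = open_db()
    return {
        "audit": correlate(dast_probe(audit_handler, db, "note", "login")),
        "user": correlate(dast_probe(user_handler, db, "id", "1")),
    }


if __name__ == "__main__":
    print(run())
```

The `audit` endpoint answers "ok" whether or not the injected quote breaks the statement, so the response-based probe sees nothing, while the agent records the tainted SQL, the handler’s file and line, a stack trace and the database error the application hid. The `user` endpoint changes its reply for the probe and so trips the heuristic, but the agent saw only a bound parameter at the sink, which is the evidence for treating that flag as a likely false positive.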
Improve how you test your applications, include K2 Cyber Security in your Tenable.io Web Application Scanning and get results that your developers can use.
The post Enhancing Tenable.io Web Application Scanner Results appeared first on K2io.
This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing. Read the original post at: https://www.k2io.com/enhancing-tenable-io-web-application-scanner-results/