
Appsec Scale Service Description


Service Description

Outpost24 Appsec Scale is an automated dynamic application security testing scanner (DAST) designed to analyze web applications for vulnerabilities at volume and speed. Appsec Scale offers:

  • SAAS and on-premise deployment options
  • Ability to scan many applications at once
  • Ability to schedule application scanning to suit quiet periods
  • Designed to produce findings if the scan starts
  • Ability to scan layers 3 to 7 of the OSI model, providing a more thorough view of the application attack surface
  • Authenticated and unauthenticated scanning
  • Unlimited 24/7 support*
  • Optional managed service


1 Licence & deployment model

Appsec Scale is licensed on a per-application basis. Once licensed, two deployment options can be utilized:

  • As a SaaS service: allows external-facing applications to be scanned from the Outscan Appsec UI, providing an always-available portal for users to access findings and perform remediation activities.
  • As a standalone internal web application scanning tool: by utilizing the Outpost24 appliance (HIAB) to act as the Appsec UI and deploying multiple separate appliances to act as the Appsec Scale scan engine, coverage of internally accessible applications can also be achieved.

* Business hours only on business days, which are days (other than a Saturday, Sunday or public holiday) when banks in Sweden are open for business.


Functionality

As a DAST scanner, Appsec Scale is designed to scan web applications, both external-facing and internal-facing, for vulnerabilities, and then to provide workflow processes that allow these vulnerabilities to be remediated and tracked. This section covers the common functionality found in Appsec Scale.


1 Scan Configuration

When adding applications to be scanned, the following configuration options are available:

  • Scan duration
  • Schedule
  • Scan intensity
  • Fuzzing
  • Request filters
  • User agent
  • Authentication options including SSL
  • Host maps

When adding multiple applications for scanning, it is also possible to group applications logically. When grouped, the following options are available:

  • Schedule
  • Scan intensity
  • Fuzzing options
  • User agent


2 Performing Scans

Once applications are configured, scanning can be performed. Depending on how the applications have been configured, the following methods to launch scans are supported:

  • Manual – One or several
  • Scheduled
  • Group schedule

Scans are performed within the scan time allocated to each application being scanned. By default this is 15 minutes, which is useful for an initial discovery and test. The longer the scan duration, the more time the scan engine can allocate to its various tasks, which results in more elements being identified. Appsec Scale is designed to scan both the application and the application's host. As such, when scans are launched, an optional Network Security (NetSec) scan can be performed to identify vulnerabilities across layers 3 to 7 of the OSI model. These results are then correlated and displayed in the Appsec UI.


3 Findings

Once scans complete, findings from both the NetSec scan engine and the Scale scan engine are correlated and displayed in the UI. Findings can be displayed on a per-scan basis or as a list of all findings across all historic scans.

Additionally, for each scan, it is possible to display the crawled URLs both as a list and as an informative Wheel that shows the relationship between each of the URLs discovered for that application. When reviewing findings, the following information is available to help understand the finding and plan remediation activities:

  • Name
  • Risk level
  • CVSS v2 score and breakdown
  • Description
  • Remediation options
  • Affected host

Optionally, you can also add the following columns:

  • CVSS3 scoring and breakdown
  • Exploitability (is an exploit available)

When working with findings, it is possible to filter on the following information, depending on whether you are looking at a single application's findings or all findings in the database:

  • CVE
  • CVSS score
  • Name
  • Application
  • First seen date
  • Last seen date
  • Risk level

It is also possible to manually adjust the risk level of a finding. When a finding is selected, the following actions are available:

  • Risk level – change criticality or revert to the initial risk value
  • Mark as false positive
  • Accept the risk


4 Remediation

Scale allows for integration with external ticketing systems such as ServiceNow and Jira, allowing for tighter integration with DevOps. It is possible to raise tickets for findings that meet specific criteria, such as criticality, type or application name; these are then sent to the ticketing system via the REST API, where remediation efforts can be monitored.


5 Notifications

Scale supports a robust email-based notification system. Notifications are configured in the Outscan event notifications module and are sent to listed people or groups based on matching criteria. When creating notifications, the following events are supported:

  • Stop / Start scans
  • Findings risk level
  • Scan failure
  • Risk acceptance
  • Risk Acceptance expiration
  • Scan timeout


Scale Managed Service

Scale is offered as a managed service through Outpost24's managed service team. It is designed for organizations with limited security resources or that want to outsource application testing. For more information on the service, including what is included and what is excluded, please refer to the specific Managed Service description document.
