Appsec Scale Service Description
Outpost24 Scale is an automated dynamic application security testing (DAST) scanner designed to analyze web applications for vulnerabilities at volume and speed. Scale offers:
- SaaS and on-premise deployment options
- Ability to scan many applications at once
- Ability to schedule application scanning to suit quiet periods
- Designed to produce findings as soon as a scan starts
- Ability to scan layers 3 to 7 of the OSI model (through the optional network security scan), providing a more thorough view of the application attack surface
- Authenticated and unauthenticated scanning
- Unlimited 24/7 support
- Optional managed service
1 Licence & deployment model
Scale is licensed on a per-application basis; once licensed, two deployment options can be used:
- As a SaaS service, allowing external-facing applications to be scanned from the Outpost24 Portal, which provides an always-available portal for users to access findings and perform remediation activities.
- As a standalone internal web application scanning tool. By using the Outpost24 appliance (HIAB)* to act as the Outpost24 Portal and deploying multiple separate appliances to act as Scale scan engines, coverage of internally accessible applications can also be achieved.
*See the HIAB service description document for more information on deployment options
As a DAST scanner, Scale is designed to scan web applications, both external facing and internal facing, for vulnerabilities and then to provide workflow processes that allow those vulnerabilities to be remediated and tracked. This section covers the common functionality found in Scale.
1 Scan Configuration
When adding applications to be scanned, the following configuration options are available:
- Scan duration
- Scan intensity
- Request filters
- User agent
- Authentication options, including SSL and Selenium side script support
- Host maps
When adding multiple applications for scanning it is also possible to group applications logically. When grouped, the following options are available at group level:
- Scan intensity
- Fuzzing options
- User agent
2 Performing Scans
Once configured, application scanning can be performed. Depending on how the applications have been configured, the following methods of launching scans are supported:
- Manual (one or several applications)
- Group schedule
Scans are performed within the scan time allocated to each application being scanned. By default this is 15 minutes, which is useful for an initial discovery and test. The longer the scan duration, the more time the scan engine has to allocate to its various tasks, which results in increased overall coverage of the application.
Appsec Scale is designed to scan both the application and the application's host. As such, when scans are launched, an optional Network Security (NetSec) scan can be performed to identify vulnerabilities across layers 3 to 7 of the OSI model.
Once scans complete, findings from both the NetSec scan engine and the Scale scan engine are correlated and displayed in the Outpost24 Portal. Findings can be displayed by vhost, IP address or tags.
Additionally, for each scan, it is possible to display the list of crawled URLs both as a plain list and as an informative wheel that shows the relationships between the URLs discovered for that application.
When reviewing findings, the following information is available to help understand the finding and plan remediation activities:
- Risk level
- CVSS v2 score and breakdown
- Remediation options
- Affected host
Optionally, the following columns can also be added:
- CVSS v3 score and breakdown
- Exploitability (is an exploit available)
When working with findings, it is possible to filter on the following information, depending on whether you are viewing a single application's findings or all findings in the database:
- CVSS score
- First seen date
- Last seen date
- Risk level
It is also possible to manually adjust the risk level of a finding. When a finding is selected, you can:
- Change the risk level (adjust the criticality, or revert to the initial risk value)
- Mark as false positive
- Accept the risk
Scale allows integration with external ticketing systems such as ServiceNow and Jira, enabling tighter integration with DevOps workflows. It is possible to raise tickets for findings that meet specific criteria, such as criticality, type or application name; these are then sent to the ticketing system via its REST API, where remediation efforts can be monitored.
Scale provides organizations with the ability to create on-demand or scheduled reports that can be made available immediately through the Portal, emailed to portal users or external email addresses, or sent to a report library where reports can be downloaded by anyone with the relevant permissions.
Reports can be produced on:
- A per-asset basis (vhost, IP address)
- Specific tags
- Specific timeframes in conjunction with the above
Report templates include:
Reports can be produced in the following formats:
6 Role based access control
Scale supports a robust role-based access control (RBAC) system based on the use of tags. For each user after the master user, the following levels of granularity can be applied:
- Provides unlimited access to all assets, configurations, schedules and findings for that organization.
- By using tags, access to specific assets, configurations, schedules, findings and reports can be controlled, allowing organizations to ensure that only the relevant employees can access specific information.
- Removes access to all assets in the organization that come from a specific source (Scale, Cloudsec, Container, etc.).
In addition to controlling what a user can see, an organization is also able to control how a user can interact. The options are:
- Remove that particular function from the user's permissions. For instance, the ability to run scans can be removed for specific types of users.
- Read access: read-only access for specific functions. For instance, removing the ability for a user to add or delete assets.
- View and manage: full control of that function.
These options can be set on twelve different functions, providing over 157k access permutations, with new options being added regularly.
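The following is an added illustration, not Outpost24 code, of how the two axes described above (what a user can see: full access, tag scope, or a removed source; and how a user can interact: function removed, read-only, or view and manage) combine into a single authorization decision. The class names, field names, function names such as "scans" and "findings", the sample assets and users, and the evaluation order (source removal checked before full access and tag scope) are all assumptions made for the example.

```python
"""Toy model of tag-scoped, per-function RBAC. Added illustration only; it is not
Outpost24 code and the names, fields and evaluation order are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Per-function permission level, ordered so a higher level implies the lower ones."""
    NONE = 0      # function removed from the user's permissions
    READ = 1      # read-only access to the function
    MANAGE = 2    # view and manage


@dataclass(frozen=True)
class Asset:
    name: str
    source: str            # which scanner produced it: "Scale", "Cloudsec", "Container", ...
    tags: frozenset


@dataclass
class User:
    name: str
    is_master: bool = False                   # master user: unrestricted
    full_access: bool = False                 # "unlimited access to all assets" option
    allowed_tags: frozenset = frozenset()     # tag-scoped visibility when not full_access
    removed_sources: frozenset = frozenset()  # sources the user is cut off from entirely
    functions: dict = field(default_factory=dict)  # function name -> Level; absent means NONE


def can_see(user: User, asset: Asset) -> bool:
    """Visibility axis. Assumption: source removal is evaluated first and overrides
    both full access and tag scope; deny by default when no tag overlaps."""
    if user.is_master:
        return True
    if asset.source in user.removed_sources:
        return False
    if user.full_access:
        return True
    return bool(user.allowed_tags & asset.tags)


def can_perform(user: User, function: str, action: str) -> bool:
    """Interaction axis: 'read' needs at least READ, 'manage' needs MANAGE.
    Functions with no explicit entry default to NONE (deny by default)."""
    if action not in ("read", "manage"):
        raise ValueError(f"unknown action {action!r}")
    if user.is_master:
        return True
    required = Level.MANAGE if action == "manage" else Level.READ
    return user.functions.get(function, Level.NONE) >= required


def authorize(user: User, function: str, action: str, asset: Asset) -> bool:
    """A request is allowed only if the user can both see the asset and use the function."""
    return can_see(user, asset) and can_perform(user, function, action)


# Constructed sample data (hypothetical; not taken from the page).
ASSETS = {
    "shop": Asset("shop.example.com", "Scale", frozenset({"team-payments", "prod"})),
    "hr": Asset("hr.example.com", "Scale", frozenset({"team-hr", "prod"})),
    "bucket": Asset("payments-bucket", "Cloudsec", frozenset({"team-payments"})),
}

USERS = {
    "master": User("master", is_master=True),
    # Payments developer: sees only team-payments assets, may run scans, can only read findings.
    "dev": User("dev", allowed_tags=frozenset({"team-payments"}),
                functions={"scans": Level.MANAGE, "findings": Level.READ}),
    # Auditor: sees everything but cannot launch scans; manages findings (e.g. accepts risk).
    "auditor": User("auditor", full_access=True,
                    functions={"scans": Level.NONE, "findings": Level.MANAGE}),
    # Full access to application findings, but cut off from the Cloudsec source entirely.
    "appsec_only": User("appsec_only", full_access=True,
                        removed_sources=frozenset({"Cloudsec"}),
                        functions={"findings": Level.MANAGE}),
}


def access_matrix() -> dict:
    """Evaluate representative requests; returns {(user, function, action, asset): allowed}."""
    checks = [
        ("dev", "scans", "manage", "shop"),             # own tag, manage scans -> allow
        ("dev", "scans", "manage", "hr"),               # other team's asset -> hidden
        ("dev", "findings", "manage", "shop"),          # read-only on findings -> deny
        ("dev", "findings", "read", "shop"),            # read is within READ -> allow
        ("auditor", "scans", "read", "hr"),             # function removed -> deny despite full access
        ("auditor", "findings", "manage", "hr"),        # full access + MANAGE -> allow
        ("appsec_only", "findings", "read", "bucket"),  # Cloudsec source removed -> hidden
        ("appsec_only", "findings", "read", "shop"),    # Scale asset still visible -> allow
        ("master", "assets", "manage", "bucket"),       # master user needs no per-function entry
    ]
    return {c: authorize(USERS[c[0]], c[1], c[2], ASSETS[c[3]]) for c in checks}


if __name__ == "__main__":
    for (user, func, action, asset), ok in access_matrix().items():
        print(f"{user:12} {func:9} {action:7} {asset:7} -> {'allow' if ok else 'deny'}")
```

Two design points worth noting: both axes are deny-by-default (a function with no entry is NONE, and a user with no matching tag sees nothing), and a removed source takes precedence over full access, so a user cannot regain visibility of Cloudsec assets by being granted unlimited asset access. Whether the real product orders these checks the same way is not stated on this page.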
Scale Managed Service
Scale is offered as a managed service through Outpost24's managed service team. It is designed for organizations with limited security resources or that want to outsource application testing.
For more information on the service, what is included and what is excluded please refer to the specific Managed Service description document.