Digitization is a topic that has been discussed for some time. It’s no wonder, of course, as everything is becoming more mobile, wireless, and voice-controlled. As a result, the use of web applications and APIs has long been common practice among enterprises. Unfortunately, the personal and company data stored in these applications provides a vast attack surface for cyber criminals. That’s why it’s vital for companies that work with sensitive data to take appropriate measures to protect that data.
That’s why Crashtest Security has developed a vulnerability scanner that is particularly easy to use. This automated vulnerability scanner quickly identifies vulnerabilities from the OWASP Top Ten Web Application Security Risks, providing an excellent automated vulnerability assessment solution for agile developers or DevSecOps teams. Those tools are based on intelligent vulnerability detection logic and thus contribute to better protection against cyberattacks.
To talk about the current cyber threats and get to know the innovative scanner, SourceForge recently met with the co-founder of Crashtest Security, Felix Brombacher. In the process, Felix also shares some tips and tricks on how best to use the scanner.
Before we start, please give us some hard facts about Crashtest Security: when was the startup founded, and who are the people behind the company?
The founding team consisted of four people, and we’ve known each other for a long time. The idea for Crashtest Security was born during computer science studies in Munich. The trigger for the foundation was a seminar called “Secure Coding” in which all participants developed a banking app that was later hacked. To secure our app, we used the OWASP Testing Guide and were looking for an easy-to-use security scanner to simplify the security testing of our app. However, this didn’t exist anywhere, as only costly enterprise solutions were available on the market at that time. So we set the goal to build such an affordable and easy-to-use scanner. Of the original founding members, René and I remain, and our team is growing steadily.
Do you exclusively serve specific industries, and can you tell us who your target groups are?
Our target groups are all developers of small and medium-sized enterprise (SME) SaaS companies or companies with digitized products who want to protect their data and prevent attacks. So that means DevOps, DevSecOps, and IT Managers. In short, modern companies that are building digital products.
What exactly is an Automated Vulnerability Scanner, how does it work, and why is it so important?
To detect potential points of attack in a web application or API, it can be examined for vulnerabilities using a scanner. This identifies security vulnerabilities by crawling the web app to identify attack vectors, which are then exploited by the security scanners. Afterwards, a report on all executed scans, detected vulnerabilities and their criticality (based on a CVSS scoring system) is generated. In addition, the vulnerability scanner provides remediation advice on how to effectively fix the detected vulnerabilities. Those scans are essential to identify vulnerabilities that hackers could use to compromise systems and data. In the past, these scans were performed manually by the internal IT department or external security consultants, a very labour-intensive process. In today’s fast-changing development work, we need to automate such tasks so that we can release as quickly and securely as possible. Our vulnerability scanner enables developers to do exactly that: test automatically and release secure software, while also making the process more efficient.
What are the most significant or most common cybersecurity vulnerabilities?
These days, there are many cyber threats; therefore, we’re referring to the OWASP Top 10, which is a list of the most common and dangerous cyber threats. These risks include Broken Access Control, Injection Attacks, Identification and Authentication Failures, and more. Our automated scanner is designed to detect and protect web apps exactly against these risks. Since one of our latest releases, our customers also have the option to check their web app or API for Privilege Escalation, in addition to all our existing features like scanning for Cross-Site Scripting (XSS), SQL Injections & Co.
As the number of active web apps increases, so do cyber attacks. As a cybersecurity expert, what practices and measures should enterprises consider to prevent and reduce the risk of cyber attacks?
Scan, scan, scan! Whether you do this internally using your own security experts or use an automated tool like ours is primarily irrelevant. What is essential is that the web apps and APIs are regularly checked for risks by experts and software. In addition, we recommend paying attention to security during the development process, as this saves a lot of time and costs down the road, since fixing vulnerabilities early on is much cheaper. Further, one should always back up one’s data. One should also keep up to date on whether and what new threats there are in cybersecurity. The best way to do that is to follow blogs or sites that provide detailed information about them. Finally, of course, the rule of using very strong passwords and two-factor authentication still applies. This increases security and is easy to manage with password management tools.
How do you assess the further development in the IT market: will we all become “cloud natives” in multi-cloud environments in the future? And what impact will this have in terms of practical measures to defend against cyberattacks?
The trend is moving toward cloud services. Most companies will not be able to escape this trend. This naturally increases the risk of cyberattacks and a company’s attack surface. In addition to agile development, companies also need an agile security strategy because cybersecurity will always be a race against attackers.
Tell us more about the Crashtest Security Suite. What are its key features and capabilities? How does it compare to other cybersecurity platforms available in the market?
The intuitive Crashtest Security Suite is an agile pentesting software and is aligned with the OWASP Top 10. With our Crashtest Security Suite, customers can crawl and test JavaScript-based front ends entirely automatically. Other providers cannot do this or require additional click models, for example, which have to be laboriously recorded. In addition, our software integrates particularly well into the agile development cycle and thus enables the implementation of an agile security strategy. Our recently launched scanner for ‘Privilege Escalation’ brings a lot of additional value to our automated vulnerability testing tool. Finally, the simple user interface allows holistic security reports, visualizations of the scan history of a software project, and exports of scan results.
The automation of penetration testing creates the possibility of testing continuously by starting scans at specific time intervals or via webhook from a CI/CD toolchain. A free wiki integrated into the application supports the developer in fixing found vulnerabilities. The Crashtest Security Suite accompanies companies in DevSecOps initiatives on the way to an agile security strategy by automatically detecting vulnerabilities and supporting developers in fixing them. Concerning the requirement for GDPR compliance, we can also claim another decisive advantage: we are the only provider operating from Germany. Our products are entirely “made & hosted in Germany,” which decision-makers often seek, especially in the European market.
Looking into the future, what major milestones and functionalities can we still expect from you? What are you currently working on?
We’re currently working on a local agent to enable scanning of non-publicly accessible web apps and on expanding our scan capabilities to GraphQL APIs. In the long term, we plan to make our scanner even smarter and more comparable to a manual pentest. This includes major improvements to the privilege escalation scanner, using intelligent algorithms to simulate complex attack scenarios and exploit vulnerabilities in the application’s business logic, while keeping the scanner as easy to use as it currently is.
About Crashtest Security
Crashtest Security is a Munich-based startup that was founded in 2017. It is an innovator within security testing for web applications and APIs. It addresses its Crashtest Suite to developers and IT professionals in small and medium-sized enterprise (SME) SaaS companies or companies with digitized products, and it allows scanning these applications during development.