EUVD-2019-15206

Malware in sbrugna...

InsightAppSec Advanced Authentication Settings: Token Replacement

There are many different ways to use InsightAppSec to authenticate to web apps, but sometimes you need to go deeper into the advanced settings to fully automate your logins, especially with API scanning. Today, we’ll cover one of those advanced settings: Token Replacement. InsightAppSec Token...

Troubleshooting InsightAppSec Authentication Issues

For complete visibility into the vulnerabilities in your environment, proper authentication to web apps in InsightAppSec is essential. In this article, we’ll look at issues you might encounter with macro, traffic, and selenium authentication and how to troubleshoot them. Additionally, you’ll get...

It’s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP

Summer is in full swing, and that means soaring temperatures, backyard grill-outs, and the latest roundup of Q2 application security improvements from Rapid7. Yes, we know you’ve been waiting for this moment with more anticipation than Season 4 of Stranger Things. So let’s start running up that...

Find, Fix, and Report ​OWASP Top 10 Vulnerabilities in InsightAppSec

With the release of the new 2021 OWASP Top 10 late last year, OWASP made some fundamental and impactful changes to its ubiquitous reference framework. We published a high-level breakdown of the changes, followed by some deep dives into specific types of threats that made the new Top 10. But the...

Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1

To the left, to the left, to the right, right — the CI/CD Pipeline is on the move. DevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to shift left, which means moving security earlier in the software development lifecycle SDLC...

7 Rapid Questions: Meet Adrian Stewart, Aspiring Pilot Turned Product Manager

Welcome back to 7 Rapid Questions, our blog series where we ask passionate leaders at Rapid7 how they’re challenging convention and making an impact. In this installment, we talk to Adrian Stewart, a product manager working on InsightAppSec, Rapid7’s dynamic application security testing DAST tool...

Securing Your Applications Against Spring4Shell (CVE-2022-22965)

The warm weather is starting to roll in, the birds are chirping, and Spring... well, Spring4Shell is making a timely entrance. If you’re still recovering from Log4Shell, we’re here to tell you you're not alone. While discovery and research of CVE-2022-22965 is evolving, Rapid7 is committed to...

Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)

Rapid7 has completed remediating the instances of Spring4Shell CVE-2022-22965 and Spring Cloud CVE-2022-22963 vulnerabilities that we found on our internet-facing services and systems. For further information and updates about our internal response to Spring4Shell, please see our post here. If yo...

InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production

We've all been there. The software development life cycle SDLC is moving at a mile a minute. Developers are writing code, updating features, and all the while attempting to keep everything introduced into production as safe and secure as possible. GitHub Actions are essential to automation and...

How InsightAppSec Detects Log4Shell: Your Questions Answered

If you’re reading this, that means you survived the year 2021, so congratulations! For everyone in the software industry, and especially those in cybersecurity, the past 12 months probably felt like 12 rounds in the ring. Remember the Solarwinds attack and the resulting scramble to mitigate suppl...

A December to Remember — Or, How We Improved InsightAppSec in Q4 in the Midst of Log4Shell

Ho, ho, holy cow — what a wild way to wrap up the year that was. Thousands of flights were cancelled during Christmas week, nearly every holiday party became a super-spreader event, and we lost a legend in Betty White. In our neck of the woods, Log4Shell has been dominating the conversation for...

Test for Log4Shell With InsightAppSec Using New Functionality

We can all agree at this point that the Log4Shell vulnerability CVE-2021-44228 can rightfully be categorized as a celebrity vulnerability. Security teams have been working around the clock investigating whether they have instances of Log4j in their environment. You are likely very familiar with...

A Dream Team-Up: Integrate InsightAppSec With ServiceNow ITSM

At Rapid7, we are constantly improving InsightAppSec and tCell with the goal of making our customers' lives easier. Over the last few months alone, we've improved the way your team structures permissions, integrated with Microsoft's .Net 6.0, and automated authentication to make scan after scan...

OWASP Top 10 Deep Dive: Identification and Authentication Failures

In the 2021 edition of the OWASP top 10 list, Broken Authentication was changed to Identification and Authentication Failures. This term bundles in a number of existing items like cryptography failures, session fixation, default login credentials, and brute-forcing access. Additionally, this...

Solving the Access Goldilocks Problem: RBAC for InsightAppSec Is Here

We're all familiar with the story of Goldilocks and the Three Bears. Goldilocks starts a new job as a security specialist on the security team at Three Bears' Porridge, Inc. and is given access to their application security platform. At first, the access she's given is far too broad. It causes...

This Was the Summer of AppSec: All the Improvements We Made in Q3

Summer has come to an end. The backyard barbecues are behind us, the hot dogs have all been eaten, and we're all gearing up for some awesome autumn leaf peeping. But before we fall into another season see what we did there?, we wanted to take a moment to look back on all of the improvements we've...

Login Authentication Goes Automated With New InsightAppSec Improvements

Move over, macros — automated login is here. At Rapid7, we know the most powerful tools in your security portfolio are the ones that help you understand your risks quickly. With our new automated login for InsightAppSec, you can access and scan even the most complex, modern applications quickly a...

3 Steps to Integrate Rapid7 Products Into the DevSecOps Cycle

DevSecOps is the concept and practice of integrating security into the DevOps cycle. The idea is to bring the different phases of security into the DevOps model and try to automate the entire process, so security is integrated directly into the initial application builds. In this post, we’ll take...

What’s New in InsightAppSec and tCell: Q2 2021 in Review

If there’s a theme to InsightAppSec and tCell updates and improvements in the second quarter, it would be “save time by building it into the process.” Building a more efficient process is key in further securing web applications. Can you get it done faster from home? Or is the quickest way to the...