Getting Started with AppSpider Enterprise

While today’s malicious attackers pursue a variety of goals, they share a preferred channel of attack—the millions of custom web, mobile, and cloud applications companies deploy to serve their customers. AppSpider dynamically assesses these applications for vulnerabilities across all modern technologies, provides tools that speed remediation, and monitors applications for changes. AppSpider automatically finds vulnerabilities across a wide range of applications. It includes unique capabilities and integrations that enable teams to automate more of the security testing program across the entire software development lifecycle (SDLC), from creation through production.

Coverage is the first step to scanner accuracy. Scanners were originally built with a crawl and attack architecture, but crawling doesn’t work for web services and other dynamic technologies. AppSpider can still crawl traditional name=value pair formats like HTML, but it also has a Universal Translator that can interpret the new technologies being used in today’s web and mobile applications (AJAX, GWT, REST, JSON, etc.).

With AppSpider, you can:

  • Close the coverage gap with our Universal Translator
  • Intelligently simulate real world attacks
  • Continuously monitor your applications
  • Stay authenticated for deep assessment

Get Started with AppSpider Enterprise

You can download the Enterprise User Guide here: https://download.appspidered.rapid7.com/docs/AppSpider_Enterprise_User_Guide.pdf

You can download the Getting Started Guide here: https://download.appspidered.rapid7.com/docs/AppSpider_Enterprise_Getting_Started_Guide.pdf

Before You Begin

AppSpider Enterprise allows you to manage and coordinate multiple AppSpider installations across your organization so that you can scale your application security programs to handle thousands of scans at the same time. The enterprise version of AppSpider allows you to manage scan configurations and schedules from a centralized location, identify and prioritize high risk vulnerabilities, and easily share the results with members of your organization.

Installing AppSpider Enterprise is a multi-step process that requires:

  • Configuring Internet Information Services (IIS).
  • Installing AppSpider Enterprise.
  • Adding an engine by installing AppSpider Pro.
  • Configuring a scan engine for AppSpider Enterprise.

System Requirements

In order to set up and operate AppSpider Enterprise, your system must meet the following minimum requirements.

Database Server Requirements

If you intend to use an existing database, you'll need the connection information and the table name for the database you want to use. You'll need to make sure that you have administrator privileges for the database, which allows you to modify columns and tables in the database.

If you don't have a database readily available to use, you'll need to set up one of the following databases:

  • Microsoft SQL Server 2008 Family or Express
  • Microsoft SQL Server 2012 Family or Express
  • Microsoft SQL Server Management Studio

AppSpider Enterprise Licensing

The enterprise version of AppSpider does not require any licensing, but you must have at least one license for AppSpider Pro in order to use it. When you purchased AppSpider Enterprise, you automatically received a license for one AppSpider engine. If you need help with licensing, please contact our support team.

Prepare Your Machine

Before you install AppSpider Enterprise, please make sure that you have set up the following on your Windows system:

  • A database server, such as MSSQL Server 2008 or 2012
  • A web server, such as Microsoft Internet Information Services (IIS) 6.0

You'll also need to download:

  • The AppSpider Enterprise installer - A link to the AppSpider Enterprise installer is sent to you from Rapid7. If you have not received a link to the installer, please contact our support team.
  • The AppSpider Pro installer - The installer can be downloaded from the following location: https://download2.rapid7.com/download/AppSpider/AppSpiderSetup.exe

Deployment Overview

  1. Install Internet Information Services (IIS)
     • Configure HTTPS certificates through IIS
  2. Install AppSpider Enterprise
  3. Log into AppSpider Enterprise for the first time
  4. Install the AppSpider Engine (AppSpider Pro)
  5. Add additional Engines
  6. Add a Scan Engine

For detailed instructions, see Installing AppSpider Enterprise.

What’s Next?

Once you have successfully completed the installation process, there are several major options to help you start using AppSpider.

  • Configure and Run a Scan
  • View Scan Results
  • Utilize Additional Capabilities

Configuring a Scan includes the following:

  • Enter max links
  • Select browser
  • Enable advanced options
  • Select the list of attack types, attack locations, and other properties
  • Set proxy settings
  • Set authentication settings
  • Set crawler restrictions
  • Set attack restrictions
  • Edit HTTP header
  • Edit network, performance, and logging settings
  • Configure report settings
  • Select HTML options to add to report
  • Edit settings for web service scanning
  • Record/import pre-recorded traffic files
  • Record/import pre-recorded macro files
  • Manage scan engine parameters
  • Use custom URL processing parser
  • Configure advanced options

Viewing Scan Results includes the following:

  • View results in AppSpider Console
  • View results in HTML reports
  • Validate applet

Finally, you can utilize AppSpider’s additional capabilities:

  • Swagger utility
  • Defend utility
  • Traffic recorder
  • Traffic viewer
  • Request builder
  • Macro recorder