Scan an App
Identify risk by scanning your app for vulnerabilities. Scans attack the URLs in your app to identify behaviors that could be exploited by attackers. The specific attack types, URLs, and many other options are set in the scan configs.
Which type of scan should I run?
|Full scan||Scan all the things! Full scans attack all URLs in the app. This is the default scan type and is automatically the first scan type run on a new app. When other scan types are run against the full scan later, the full scan is also called a parent or base scan.|
|Incremental scan||Reduce scan results by scanning only the links that InsightAppSec deems new and updated since the last full scan. Incremental scans reference the crawl map of the previous scan to determine new and updated links. Enable and disable this scan type in the scan config.|
|Validation scan||Test whether a vulnerability was remediated by attacking the same vulnerabilities found in the parent scan. If the vulnerability was not found in the validation scan, its status changes to Remediated.|
I want to:
Best identify risk by scanning everything in the app
Start a scan
Start a scan from an app or scan config:
- On the Apps page, click the application you want to scan.
- On the App Overview page, click Scan Now and select the scan config that you want to run.
- From the App Overview page, click the Scan Configs tab.
- Select the scan config that you want to run.
- On the scan config detail page, click Save and Scan.
How does this best identify risk?
Full scans are designed to crawl all URLs listed in the scan config and provide in-depth results that are relevant to your needs. Because these scans attack every target in the app, they provide the overall security of the app. Full scans are the most common scan type and are defined by, and triggered from, a scan config.
Use Case: Scanning apps before integration
Your company recently acquired a new company with a large amount of apps. Before integrating the new apps into your platform, you need to test for potential vulnerabilities. Because the apps haven’t been scanned before and you are unfamiliar with the acquired product, you want an in-depth scan of every aspect of the app. Run a full scan and evaluate the results to determine the risk of integrating.
Full scans should be your primary method for identifying risk to your apps. Because these scans attack every target in the app, they provide a view of the overall security of the app.
Scan only the new and updated links since the last scan
Enable and disable incremental scanning
You can enable Incremental scanning on new or existing scan configs. If you enable the option for a scan that has not yet run, the first Incremental scan will run a full scan. The next time the scan runs, only the links that are new or updated based on the first crawl map will be attacked.
- On the Apps page, select your app.
- On the Scan Configs tab, select the scan you want to run.
- On the General tab, enable the option using the Incremental Scan toggle.
- Click Scan Now and select the scan config that you want to run.
As a best practice, you should regularly disable Incremental scanning to ensure all vulnerabilities are found by a full scan.
Why should I run this scan?
To reduce the list of previously discovered vulnerabilities, you can scan the new or updated increments of your app. Incremental scans reference the crawl map of the previous scan to identify and attack only new and updated links.
If you enable Incremental scanning for a scan config that has not yet run, the first scan will crawl the entire app like a full scan. Incremental scans reference the crawl map of the previous scan to identify and attack only the links that InsightAppSec deems new or updated.
How does the scan determine what's new and changed?
When the scan starts, the scanner loads the crawl results of the parent scan. The scanner crawls the app and calculates the crawl signature of each link.
The incremental scan compares the crawl signature of each link to the signatures from the parent scan. If a crawled link from the incremental scan does not exist or is different from one in the parent scan, the incremental scan will attack the link. If a crawled link already exists in the parent scan, the incremental scan will not attack the link.
Run periodic full scans to ensure you are finding as many vulnerabilities as possible. Although incremental scans are useful for reducing the number of repeat vulnerabilities, they are not as comprehensive as full scans and should not be used exclusively. Some changes to websites may not be seen as a significant change, such as database updates, and therefore will not be scanned.
Test vulnerability remediation by re-running a scan
Test remediation with a validation scan
Run a validation scan to see if the previous scan can find the vulnerability again. If the scan doesn't find it, the vulnerability status changes to Remediated.
- In your app, select the scan that you want to validate.
- Click Validate Scan.
- To view scan progress, click Scan Status in the banner notification.
- When the scan completes, on the Scan Details page, verify that the remediated vulnerability is listed in the Remediated field.
- On the Vulnerabilities page, verify that the vulnerability is not listed.
Validation scans use the scan engine. To test a fix on a single vulnerability without scanning, you can Replay an Attack.
Why should I test remediation this way?
Only vulnerabilities that still exist in your app will be listed in the validation scan results. Vulnerabilities that were attacked and not found to be no longer vulnerable will have their status updated to Remediated and will not be included in the validation scan results.
You can see how many vulnerabilities were remediated by checking the Remediated field in the Scan Information drawer. Any vulnerabilities that could not be attacked will not be included in the validation scan results and their status will not be updated.
How do I know if the vulnerability is remediated?
Validation scans automatically change the vulnerability status depending on whether the vulnerability was found, not found, or unknown when run against the parent scan:
- Found - still vulnerable and will be part of the validation scan results.
- Not found - no longer vulnerable, status is updated and the vuln is not included in the validation scan results.
- Unknown - engine could not repeat the original attacks, statuses remain the same but the vuln is not included in the validation scan results.
|Original status||Found vuln||Not found||Unknown|
|False Positive||False Positive||False Positive||False Positive|
Use validation scans to test for remediation and full scans for a complete view of your app security. Validation scans run against the attack findings from the parent scan and may find vulnerabilities that were not discovered in the parent scan. Although the Vulnerabilities page includes new and existing vulnerabilities found by a validation scan, it is not as comprehensive as running a full scan on the parent scan.
Work with active scans
Monitor and manage active scans
The Scan Overview page is structured differently based on whether the scan is in progress or completed. When the scan is in progress, the page shows the Scan Status which has two tabs:
- Vulnerabilities per attack - This tab is useful for a live snapshot of the vulnerabilities being discovered on your app.
- Event Log - The Event log lists in real time, the actions taken by the InsightAppSec console as part of the scan, and can help you detect authentication or access failures early in the scan.
Pause, stop, and resume scans
- While the scan is running, view the Scan Status.
- To pause the scan, click Pause Scan. Note: You can review all paused scans in the Scanning Activity screen or the “Interrupted Scans” dashboard card.
- To resume a paused scan, click Resume Scan.
- To stop the scan, click Stop Scan and select whether to save or discard scan results.
When the scan completes, view the results on the Scan Overview page.
A scan can be paused for a maximum of 24 hours. After that time the scan is stopped, and the results up to that point, including any discovered vulnerabilities, will be retained. This restriction applies both to scans paused manually as well as scans getting paused due to a blackout.
View scan results
View vulnerabilities found by the scan
When the scan is completed, the Scan Overview page displays KPIs and scan results. You can export the scan results to JIRA and generate reports, as well as view detailed information about each result. Click on any finding to view attack details and remediation ideas.
For more information on analyzing results, see Review Vulnerabilities.
View and delete scans
If you have a lot of scans, you may find it helpful to view scans by status, as well as delete failed scans from the Scanning Activity page.
- On the Scanning Activity page, click the status to view scans only in that status.
- To delete failed scans, in the Failed list, select the scans you want to delete and click the Delete icon.