Best Practices When Implementing Web Application Scanning into an SDLC

May 30, 2017 Matt Wilgus

Web application scanning, a type of dynamic application security testing (DAST), is an important component for organizations looking to provide a secure online offering to their clients.

Unfortunately, the historical approach of “spider and scan” often does not meet expectations, leaving applications vulnerable. While this is sometimes due to scanning tools lagging or new technologies being deployed, it is more often the case that an organization’s approach has been done in haste, and the people, processes, and technologies in place are not properly configured.

This article will provide an overview on web application scanning, address some of the key areas to consider when implementing or updating a web application scanning program into a software development life cycle (SDLC), and how it can result in applications being more secure and compliance efforts requiring fewer resources.

Read the full article published in the May edition of the ISSA Journal >>

About the Author

Matt Wilgus is a Principal at Schellman, where he heads the delivery of Schellman’s penetration testing services related to FedRAMP and PCI assessments, as well as other regulatory and compliance programs. Matt has over 20 years’ experience in information security, with a focus on identifying, exploiting and remediating vulnerabilities. In addition, he has vast experience enhancing client security programs while effectively meeting compliance requirements. Matt has a strong background in network and application penetration testing, although over the past 10 years most of his focus has been on the application side, with extensive experience testing some of the most well-known IaaS, PaaS and SaaS providers.
More Content by Matt Wilgus

Stay up to date and discover new insights into compliance through our team’s thought leadership

Best Practices When Implementing Web Application Scanning into an SDLC

About the Author

Previous Flipbook

Next Article

Best Practices When Implementing Web Application Scanning into an SDLC

About the Author

Previous Flipbook

Next Article

Other content in this Stream

Schellman Principal, Matt Wilgus addresses one of the biggest challenges frequently seen in planning penetration tests—timing

Considering Portswigger's new Burp Suite Certified Practitioner certification? Read a senior pen tester's experience to understand what to expect.

Using MacOS within your corporate environment? Our team tested the latest Apple M1 Silicon - here are our security findings regarding vulnerabilities Mac users face.

Testing a mobile application and frustrated watching some traffic slip away from your settings? Learn about a technique that can help stop that from happening so you can capture everything every time.

Working with Burp and finding that you need a workaround? Learn how to build your own extension and potentially solve your problem.

Making AppSec penetration testing assessments more streamlined through application mapping

For those interested in OSEP certification, Schellman Penetration Tester, Wes Dorman provides an overview of the recently released PEN-300 course Overview Offensive Security has released se

Schellman expands services and becomes Payment Card Industry (PCI) Approved Scanning Vendor (ASV)

Schellman Penetration Tester Wes Dorman shares techniques for slowing down an adversary's attacks with active directory hardening

Schellman's John Bullinger shares his experiences and best practices for conducting penetration testing from both sides of the coin: as that of a CSO and as a penetration tester.

For seasoned penetration testers who want to become a true web app exploit guru, OSWE certification delivers. Schellman's Nathan Rague provides an exam guide to help aspiring candidates prepare.

For any penetration testing engagement, internet-facing services are an important part, and there are multiple ways to obtain information before determining if they are vulnerable to exploitation.

What are the common reasons CSPs fail to achieve a FedRAMP Authority to Operate ATO in a timely manner?

Many organizations provide Application Program Interfaces (APIs) to allow their clients and business partners to enter and retrieve data. We primarily see REST based APIs, but also GraphQL and SOAP.

This has been the most rewarding and engaging work and continues to be my dream job, and yet, the transition from full-stack web application developer to penetration tester was daunting.

When it comes to cybersecurity, it’s the things we don’t know that can be the scariest.

Please, join Matt Wilgus and Josh Tomkiel from Schellman's Threat and Vulnerability Assessment team, as they cover the ins and outs of performing a penetration test of cloud based services.

EC-Council brings a new range of real world challenges that will not only test your Pen-testing skills but guarantees you an experience that is not built for the weak hearted.

As a Third Party Assessment Organization (3PAO), Schellman regularly conducts FedRAMP assessments for Cloud Service Providers (CSPs). Included during these assessments is a penetration...