This article helps you find the answers to the technical terminology behind our solution.

What is the difference between Single Page and Multi-Page applications?

Multi-Page applications (MPAs) use a standard HTML structure for their content. They consist of multiple individual pages, which are loaded from the server when needed. Popular examples include applications created in PHP and Python with frameworks such as Laravel or Django.

Single Page Applications (SPAs) use AJAX and HTML5 to build responsive apps. These apps send most of their content with the initial request and respond to most user input on the client-side without loading additional content from the server. Typically, JavaScript frameworks such as React, Angular, Vue, or Ember are responsible for handling the heavy lifting on the client-side for a single-page app.

This is an excellent article to get more details on the differences, pros and cons for SPAs and MPAs.

What is the challenge in testing Single Page applications compared to Multi-Page applications?

Due to their responsive nature, Single Page Applications (SPAs) use asynchronous API requests for backend communication and manipulating the DOM tree to show information in real-time. Traditional crawlers have problems understanding all the JavaScript used in such cases and struggle to find ways to navigate through the application. Other security scanners use manual click-throughs as a base for an automated vulnerability scanner, which can be time-consuming to set up and inflexible to a constantly changing app.

The Crashtest Security SPA crawler is the only software on the market that allows you to scan SPAs without click-through models. This enables a much faster setup, better adaption to changes, and takes away a lot of effort required previously to scan SPAs.

Are Multi-Page applications more secure than Single Page applications?

The answer to this question obviously depends on the individual application and the developer’s carefulness, as well as the use of security measures.

One potential concern for Single Page applications is the exposure of sensitive data.

If you’re not carefully about what data is contained by the initial page load, you could easily be sending data that shouldn’t necessarily be exposed to all users. Because the entire page isn’t generally visible in the browser in an SPA, this can lull a careless developer into a false sense of security. (Quote from Stack Exchange)

What is vulnerability scanning?

Vulnerability scanning allows the user to scan software for security vulnerabilities. This can happen on an infrastructure (i.e. network or physical) or application level. Crashtest Security allows its users to scan applications in an automated, agile manner with easy integration in your agile development process.

The manual approach to security testing is called penetration testing. This is a service performed by a person, taking between 5 and 20 days, depending on the scope of the test. Manual penetration tests often require a specific setup for each test and are not compatible with agile software release processes. However, manual pentesters can cover individual application-specific flaws and test for more OWASP categories, such as Broken Access Control.

Insufficient Logging and Monitoring, however, is something that requires an internal analysis of the processes and tools.

What does a vulnerability scanner do?

A vulnerability scanner identifies possible attack vectors in the web application or API. The vulnerability scanner then checks whether these attack vectors can be exploited.

Vulnerability scanning can either happen on a non-invasive or invasive basis. It is recommended to only run invasive scans in non-production environments to not harm live applications. For a complete list of our scanners, see our list of current scanners.

Why do I need vulnerability scanning?

Vulnerability scanning provides a number of benefits:

  • Ease of use: Vulnerability scanners make it simple to set up a test without being a security expert.
  • Results within seconds: As the scanners provide results in real-time and operate with parallel requests, the first results are available within seconds of the start.
  • Integration in CI/CD-toolchains: Due to the frequency of releases in the agile development processes, it is important to ensure every release is tested for security vulnerabilities. This is only possible when security scans can be triggered and evaluated in an automated fashion.
  • No repeat setup effort: In contrast to manual security testing, vulnerability scan setup can be configured once and is then performed on the current software version automatically.

Is it difficult to set up a vulnerability scan?

No. We get you through the project setup within 2 minutes and promise results within 5 minutes of registration for the Crashtest Security Suite. In addition to the first security vulnerabilities, you also receive remediation advice for any found issues.