This article summarises questions users have when they first start using Crashtest Security Suite and answers them.

How do I scan my web application for security vulnerabilities?

Scanning your web applications is super easy with the Crashtest Security Suite. Just register for our free trial, set up your project, and get results within 2 minutes. For a detailed walk-through, please refer to our user guide.

How can I scan an API for security vulnerabilities?

With APIs playing a more important role in today’s technology, it is important to scan not only web applications but also APIs for security vulnerabilities. This lets you scan the backend and its communication for mobile apps (Apple or Android) or for HTTP-based IoT devices.

All you need to scan your API is a documentation file: a Swagger v2 or OpenAPI v3 specification as a JSON or YAML file. The documentation needs to be accessible to our security scanner. You can achieve this either by hosting the documentation somewhere the scanner can reach it or by sending the documentation through our API when starting a scan.
Instead of crawling your web application for attack vectors, we derive the attack vectors from your API documentation. Register for our free trial to scan your API now.
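To illustrate what "deriving attack vectors from the documentation" means in practice, here is an added example (not Crashtest Security code) that walks a constructed OpenAPI v3 document and lists every operation it describes, with its merged path/query/header parameters, whether it takes a request body, and whether the document declares a security requirement for it. The sample spec and all field names are constructed for the example; a scanner fed the same document would have the same inventory to work from.

```python
"""Enumerate the request surface an OpenAPI v3 document exposes.

Added example, not part of the Crashtest Security product. It turns a
constructed OpenAPI v3 JSON document into one record per (method, path),
which is roughly the list of entry points a documentation-driven scanner
tests instead of discovering them by crawling.
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample OpenAPI v3 document; it does not describe a real service.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"parameters": [{"name": "X-Trace", "in": "header"}]},
            "delete": {"security": [{"bearerAuth": []}]},
        },
        "/search": {
            "get": {"parameters": [{"name": "q", "in": "query"}]},
            "post": {"requestBody": {"content": {"application/json": {}}}},
        },
    },
})


def enumerate_operations(spec_text):
    """Return one dict per documented operation, in document order."""
    spec = json.loads(spec_text)
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            params = shared + op.get("parameters", [])
            ops.append({
                "method": method.upper(),
                "path": path,
                "params": sorted(f"{p['in']}:{p['name']}" for p in params),
                "has_body": "requestBody" in op,
                # operation-level security overrides the document-wide default;
                # an explicit empty list means "no authentication required"
                "authenticated": bool(op.get("security", spec.get("security"))),
            })
    return ops


if __name__ == "__main__":
    for op in enumerate_operations(SAMPLE_SPEC):
        print(op)
```

Operations that show up with `authenticated: False` but handle sensitive data are worth a second look before the scan, since the scanner will exercise them without credentials exactly as documented.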

How do I test my Single Page application for security vulnerabilities?

Setting up a scan for your Single Page Application (SPA) is easy. Just register for our free trial and set up your project. After choosing “Web Application” as your Scan Target Type, be sure to select “JavaScript Application.” Then, for best results, add authentication credentials to your scan. For a more detailed walk-through, please go to our user guide (also available in German).

How do I prepare my application for a vulnerability scan?

For a vulnerability scan, you should set up your application in such a way that the scan does not interrupt your service, and you can go back to a working state in case of any issues during the scan:

  • Ensure that you have permission to conduct a security scan against your application. Talk to everyone concerned with the application, such as developers, product owners, or the infrastructure team.
  • Inform the monitoring team about the security scan, so that no real alert is fired when the security scan starts.
  • When you are doing invasive security scans such as the Crashtest Security Full Scan, scan your application on a test or staging system instead of the production system.
  • Do a backup before the vulnerability scan, so that you can roll back the system to a working state if needed.
  • Create a Test User for the vulnerability scan, so that you have a separation of the test data of the vulnerability scan and the other (test) data of the system.

What login methods do vulnerability scanners support?

Our vulnerability scanner supports several authentication methods:

  • HTTP Basic Authentication
  • Login Form Authentication
  • Parameter Authentication (HTTP headers, GET parameters, and (session) cookies)

How long does a vulnerability scan take?

Our quick, non-invasive vulnerability scan takes 2-5 minutes. The duration of the full, invasive vulnerability scan depends on your application’s size and the number of attack vectors found. Most of our scans finish in under 4 hours, but a scan may take longer if you have an extensive application.

How can Crashtest Security help our company with compliance certifications? (Specific case of ISO 27001)

ISO 27001 is about implementing secure processes within the company. For example, if the company develops web applications, it also needs a strategy to ensure that the software/web apps it develops are secure.

Before, during, or after the ISO certification, measures have to be implemented to ensure that the process is enforced. This is where we can support you. With a DAST tool like ours, you can scan your software before every release and ensure that you keep delivering secure web applications.

What does a vulnerability scan cost?

You can get your first vulnerability scan for free in our 14-day free trial right now.

We charge by the count of scan targets rather than the number of scans. This means you can continuously scan your web apps without having to worry about a large bill or limitations. Let us know your specific security challenge, and we will find the right pricing together. Just get in contact with us.
