Redefining AppSec Testing with Intelligent Scan Recommendations and Asset Classification

With 9 out of 10 valuable web apps missing from testing, we’re launching new capabilities to help teams know what else, beyond their core applications, is likely to require in-depth testing. The new features automatically classify discovered web assets using attacker reconnaissance techniques and deliver recommendations on where to run DAST, bridging the gap between broad and deep testing across the entire attack surface.

We know that security teams face a constant challenge: they know they need to test their main applications thoroughly, but what about everything else? Which of the dozens or hundreds of other web assets that they discover with Detectify actually need deep testing?

It’s a common struggle. In fact, our data shows that on average, organizations are missing 9 out of 10 of their complex, valuable web apps when it comes to testing. Alarmingly, over half of organizations miss all of their complex apps when getting started with scanning, reflecting their uncertainty about where to deploy scans and causing them to miss valuable targets. This isn’t just about oversight; it’s also about the difficulty of scaling testing effectively as the attack surface expands.

Attackers love this uncertainty. They look for the gaps between what you think you’re exposing and what’s actually out there.

Why prioritize and recommend scans?

This difficulty in effectively scaling testing leads to crucial questions: what exactly constitutes a web application suitable for in-depth testing, and why is prioritizing where to deploy tests so important?

Generally, a web application is something interacted with via a browser. It is often built using HTML within a client-server architecture. Crucially, it offers interactive elements like forms, dynamic pages, and potentially database connections.

In AppSec, particularly DAST, the goal is to find vulnerabilities in these assets. This involves first exploring the application (crawling) and then interacting with its elements (fuzzing). This approach is most valuable when there’s something substantial to crawl and interact with, significantly more than just a single page of static HTML. If an asset lacks these interactive elements, the fuzzer has little to do, and running a deep scan results in wasted resources and CPU cycles. Therefore, recommending which assets to scan deeply is essential for efficiency.

See the forest and the trees

To address this challenge and eliminate the guesswork, we’re excited to introduce new capabilities designed to help you focus your testing where it matters most: Asset Classification and Scan Recommendations.

How can you decide what to test if you don’t know what an asset actually does? Our new Asset Classification capability automatically analyzes and categorizes web assets discovered across your attack surface.

The process begins by identifying potential web applications. We look at basic response data to determine if a web application is being served, checking for the following basic characteristics:

  • Content-Type: text/html (Other types like XML might indicate non-crawlable APIs)
  • Status Code: 200 OK
  • Body Length: Sufficiently large (> 100 characters) to suggest more than a minimal response.

Once a potential web application is identified, the next step is to classify its nature and complexity to determine whether it’s a “complex” application likely to warrant deeper testing. Using techniques that mimic attacker reconnaissance, the classifier analyzes several attributes and combines them in a scoring algorithm. Currently, this includes:

  • Technology detection: What specific libraries, frameworks, or technologies are present, and how many?
  • Header analysis: Presence and configuration of certain headers (e.g., Content Security Policy – CSP).
  • Interaction points: Presence of login forms or other input fields.
  • Body length: The overall size of the response body.
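To make the two stages above concrete, here is an added toy classifier (not Detectify’s code) that applies the first-pass checks (HTML content type, 200 status, body over 100 characters) and then scores technology fingerprints, a CSP header, input fields and body size. The fingerprint patterns, the point weights and the “complex” cut-off of 5 are assumptions for illustration, and the sample responses are constructed.

```python
import re

MIN_BODY_LEN = 100  # the post's threshold for "more than a minimal response"

def is_potential_webapp(resp):
    """Stage 1: does the response look like a served HTML web application?"""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    return (resp["status"] == 200
            and headers.get("content-type", "").lower().startswith("text/html")
            and len(resp["body"]) > MIN_BODY_LEN)

# Hypothetical technology fingerprints, assumed for illustration only.
TECH_PATTERNS = {
    "react": re.compile(r"data-reactroot|react(\.production)?\.min\.js", re.I),
    "jquery": re.compile(r"jquery[.-][\w.]*\.js", re.I),
    "django": re.compile(r"csrfmiddlewaretoken", re.I),
}
PASSWORD_RE = re.compile(r"<input\b[^>]*type=[\"']?password", re.I)
INPUT_RE = re.compile(r"<(form|input|textarea|select)\b", re.I)

def classify(resp):
    """Stage 2: score complexity from technologies, headers, inputs and body size."""
    body, headers = resp["body"], {k.lower(): v for k, v in resp["headers"].items()}
    techs = [name for name, pat in TECH_PATTERNS.items() if pat.search(body)]
    score = 2 * len(techs)                  # more frameworks, more to crawl and fuzz
    if "content-security-policy" in headers:
        score += 1                          # a tuned CSP usually means a maintained app
    if PASSWORD_RE.search(body):
        score += 3                          # login form: auth flows worth deep testing
    elif INPUT_RE.search(body):
        score += 2                          # other inputs give the fuzzer something to do
    score += 2 if len(body) > 5000 else 1 if len(body) > 1000 else 0
    # A score of 5 or more is an assumed cut-off for "complex" in this toy model.
    return {"technologies": techs, "score": score, "complex": score >= 5}

def recommend(resp):
    """None when it is not a web app at all; otherwise the classification."""
    return classify(resp) if is_potential_webapp(resp) else None

# Constructed sample responses (not real captures).
LOGIN_APP = {"status": 200,
             "headers": {"Content-Type": "text/html; charset=utf-8",
                         "Content-Security-Policy": "default-src 'self'"},
             "body": "<html><body><div data-reactroot><form action='/login'>"
                     "<input type='text' name='user'><input type='password' name='pw'>"
                     "</form></div></body></html>" + "<p>filler</p>" * 150}
PLACEHOLDER = {"status": 200, "headers": {"Content-Type": "text/html"},
               "body": "<html><body><h1>Coming soon</h1><p>Under construction.</p></body></html>" * 2}
JSON_API = {"status": 200, "headers": {"Content-Type": "application/json"},
            "body": '{"status": "ok", "items": []}'}
```

The placeholder page passes stage 1 but scores zero, which is exactly the case where a deep scan would only burn CPU cycles; the JSON endpoint is filtered out before scoring.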

This classification helps teams quickly understand the potential purpose, complexity, and interactivity of each discovered asset, even those that pop up without a team’s direct knowledge, so they can prioritize them effectively.

Intelligent Scan Recommendations to know where to point your DAST

Building on Asset Classification, our new Scan Recommendations feature delivers intelligent suggestions based on an asset’s classification (the technical characteristics mentioned above) and its likely attractiveness to attackers. This helps determine which web apps require comprehensive DAST through deep crawling and fuzzing, leveraging vulnerability research from the Detectify Crowdsource community and AI-built assessments from Detectify Alfred.

Breaking the illusion of coverage

The new capabilities bridge the gap between broad and deep testing across the entire attack surface, enabling AppSec teams to allocate resources confidently to the assets that matter most: Surface Monitoring gives a comprehensive attack surface view and tests for vulnerabilities, while Application Scanning goes deeper where it matters with advanced crawling and fuzzing. The days of blindly deploying DAST and chasing shadows from irrelevant targets are over. It’s time to break the illusion of coverage.

Scan Recommendations and Asset Classification will be available to Detectify customers in the coming weeks. If you’d like to be among the first to try them out, sign up here to join our waitlist. We’ll send you an email when they are ready for you to try out.
