SCALE Service Description

Outpost24 Scale is an automated dynamic application security testing (DAST) scanner designed to analyze web applications for vulnerabilities at volume and speed.

Scale offers:

  • SaaS and on-premise deployment options
  • Ability to scan many applications at once
  • Ability to schedule application scanning to suit quiet periods
  • Designed to report findings as soon as a scan starts, rather than only on completion
  • Ability to scan layers 3 to 7 of the OSI model (through the optional NetSec scan), providing a more thorough view of the application attack surface
  • Authenticated and unauthenticated scanning
  • Unlimited 24/7 support
  • Optional managed service

Licence & deployment model

Scale is licensed on a per-application basis. Once licensed, two deployment options can be utilized:

  • As a SaaS service: external-facing applications are scanned from the Outpost24 portal, which provides an always-available portal for users to access findings and perform remediation activities from anywhere.
  • As a standalone internal web application scanning tool: the Outpost24 appliance (HIAB)* acts as the Outpost24 Portal and multiple separate appliances are deployed to act as Scale scan engines, so coverage of internally accessible applications can also be achieved.

*See the HIAB service description document for more information on deployment options

Functionality

As a DAST scanner, Scale is designed to scan web applications, both external facing and internal facing, for vulnerabilities and then to provide workflow processes that allow these vulnerabilities to be remediated and tracked. This section covers the common functionality found in Scale.

1 Scan Configuration

When adding applications to be scanned, the following configuration options are available:

  • Scan duration
  • Schedule
  • Scan intensity
  • Fuzzing
  • Request filters
  • User agent
  • Authentication options, including SSL client certificates and Selenium IDE (.side) script support
  • Host maps

When adding multiple applications for scanning it is also possible to group applications logically. When grouped, the following options can be set at group level:

  • Schedule
  • Scan intensity
  • Fuzzing options
  • User agent

2 Performing Scans

Once applications are configured, scanning can be performed. Depending on how the applications have been configured, the following methods of launching scans are supported:

  • Manual (one or several applications)
  • Scheduled
  • Group schedule

Scans are performed within the scan time allocated to each application being scanned. By default this is 15 minutes, which is useful for an initial discovery run and test. The longer the scan duration, the more time the scan engine has available to allocate to its various tasks (crawling, fuzzing, checks), which results in increased overall coverage of the application. Treat the 15-minute default as a smoke test, not as a complete assessment of a large application.

Scale is designed to scan both the application and the application's host. As such, when scans are launched, an optional Network Security (NetSec) scan can be performed to identify vulnerabilities across layers 3 to 7 of the OSI model.

These results are then correlated and displayed in the Outpost24 Portal.

3 Findings

Once scans complete, findings from both the NetSec scan engine and the Scale scan engine are correlated and displayed in the Outpost24 Portal. Findings can be displayed by vhost, by IP address or by tag.

Additionally, for each scan, it is possible to display the list of crawled URLs both in list format and as an informative wheel that shows the relationship between the URLs discovered for that application.

When reviewing findings, the following information is available to help understand the finding and plan remediation activities:

  • Name
  • Risk level
  • CVSS v2 score and breakdown
  • Description
  • Remediation options
  • Affected host

Optionally you can also add the following columns

  • CVSS v3 score and breakdown
  • Exploitability (is an exploit available)

When working with findings, it is possible to filter on the following information, depending on whether you are looking at a single application's findings or all findings in the database:

  • CVE
  • CVSS score
  • Name
  • Application
  • First seen date
  • Last seen date
  • Risk level
  • Tag

It is also possible to manually adjust the risk level of a finding. When a finding is selected, the following actions are available:

  • Risk level: change the criticality, or revert to the initial risk value assigned by the scanner
  • Mark as false positive
  • Accept the risk

4 Remediation

Scale allows for integration with external ticketing systems such as ServiceNow and Jira, allowing for tighter integration with DevOps workflows. It is possible to raise tickets for findings that meet specific criteria, such as criticality, type or application name. These are then sent to the ticketing system via its REST API, where remediation efforts can be monitored.
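As an added illustration of the routing step described above (this is example code, not Outpost24's own integration or API), the block below selects findings by minimum risk level, category and application, builds issue payloads in the shape Jira's REST issue-creation endpoint accepts, and de-duplicates on the finding identifier so that a finding seen again on a later scan does not raise a second ticket. The finding fields, the sample findings, the project key and the label scheme are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """Minimal finding record; field names are assumptions for this example."""
    id: str
    name: str
    application: str
    risk: str            # "low" | "medium" | "high" | "critical"
    category: str        # e.g. "injection", "configuration"
    cve: Optional[str] = None


RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def select(findings, min_risk="high", categories=None, applications=None):
    """Return findings at or above min_risk, optionally narrowed by category/app."""
    chosen = []
    for f in findings:
        if RISK_ORDER[f.risk] < RISK_ORDER[min_risk]:
            continue
        if categories and f.category not in categories:
            continue
        if applications and f.application not in applications:
            continue
        chosen.append(f)
    return chosen


def jira_payload(f, project_key):
    """Issue-creation body in the documented Jira REST 'fields' shape."""
    description = f"Scale finding {f.id}" + (f" ({f.cve})" if f.cve else "")
    return {
        "fields": {
            "project": {"key": project_key},
            "summary": f"[{f.risk.upper()}] {f.name} on {f.application}",
            "description": description,
            # A finding-id label lets a later scan be matched to the open ticket.
            "labels": ["scale", f.application, f"finding-{f.id}"],
            "issuetype": {"name": "Bug"},
        }
    }


def route(findings, already_ticketed, project_key, **criteria):
    """Build payloads for matching findings not yet ticketed.

    Returns (payloads, updated_ticketed_ids). Sending the payloads with an
    HTTP client is left out so the example runs offline.
    """
    payloads = []
    ticketed = set(already_ticketed)
    for f in select(findings, **criteria):
        if f.id in ticketed:          # seen on an earlier scan: do not duplicate
            continue
        payloads.append(jira_payload(f, project_key))
        ticketed.add(f.id)
    return payloads, ticketed


# Constructed sample findings, as a scan of two applications might produce.
SAMPLE = [
    Finding("f-101", "SQL injection in login form", "shop", "critical", "injection", "CVE-0000-0000"),
    Finding("f-102", "Outdated TLS configuration", "shop", "medium", "configuration"),
    Finding("f-103", "Reflected XSS in search", "portal", "high", "injection"),
    Finding("f-104", "Directory listing enabled", "portal", "low", "configuration"),
]


def first_and_second_run(project_key="SEC"):
    """First run raises tickets; a re-scan with the same ids raises none."""
    first, ticketed = route(SAMPLE, set(), project_key, min_risk="high")
    second, _ = route(SAMPLE, ticketed, project_key, min_risk="high")
    return len(first), len(second)


if __name__ == "__main__":
    print(first_and_second_run())   # (2, 0)
```

The de-duplication key is the finding identifier rather than the ticket summary, so a change in risk level after manual adjustment does not create a second ticket for the same finding.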

5 Reports

Scale provides organizations with the ability to create on demand or scheduled reports that can be made available immediately through the Portal, emailed to portal users or external email addresses, or sent to a report library where reports can be downloaded by anyone with the relevant permissions.

Reports can be produced on:

  • Per asset (vhost, IP address)
  • Specific tags
  • Specific timeframes in conjunction with the above

Report templates include:

  • Management
  • Summary
  • Detailed

And can be produced in the following formats:

  • PDF
  • Excel
  • XML

6 Role based access control

Scale supports a robust role based access control (RBAC) system based on the use of tags. For every user other than the master user, the following granularity can be applied:

  • All
    Provides unlimited access to all assets, configurations, schedules and findings for that organization.
  • Some
    By utilizing tags, access to specific assets, configurations, schedules, findings, reports can be controlled, allowing organisations to ensure only the relevant employees can access specific information.
  • None
    Removes access to all assets in the organization for a given source (Scale, Cloudsec, Container, etc.)

In addition to controlling what a user can see, an organisation is also able to control how a user can interact. The options are:

  • Deny
    Remove that particular function from the user’s permissions. For instance, the ability to run scans can be removed for specific types of users
  • Read access
    Read only access for specific functions. For instance, removing the ability for a user to add or delete assets.
  • View and manage
    Fully control that function.

These options can be set on twelve different functions, providing over 157k access permutations, with new options being added on a regular basis. In practice, start new users at None/Deny and grant Some/Read on the tags and functions their role requires, rather than starting from All/View and manage.
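To make the two dimensions concrete, the block below is an added example of how a tag-scoped RBAC decision of this shape can be evaluated; it is illustrative code, not Outpost24's implementation. It models visibility per source (All, Some via tags, None) and a per-function permission level (Deny, Read, View and manage), and allows an action only when both checks pass. The function names, the default of Deny for any function not explicitly granted, and the sample users and assets are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    """What a user may see for one source (e.g. Scale, Cloudsec)."""
    ALL = "all"
    SOME = "some"    # only assets sharing a tag with the user
    NONE = "none"


class Perm(Enum):
    """How a user may interact with one function; ordered so >= works."""
    DENY = 0
    READ = 1
    MANAGE = 2       # "View and manage"


@dataclass(frozen=True)
class Asset:
    name: str
    source: str                 # "scale", "cloudsec", ...
    tags: frozenset


@dataclass
class User:
    name: str
    scopes: dict                # source -> Scope
    tags: frozenset = frozenset()          # grant tags used when scope is SOME
    perms: dict = field(default_factory=dict)   # function -> Perm


def can_see(user, asset):
    """Visibility check: All, tag overlap for Some, nothing for None/unset."""
    scope = user.scopes.get(asset.source, Scope.NONE)   # unset source: assume None
    if scope is Scope.ALL:
        return True
    if scope is Scope.SOME:
        return bool(user.tags & asset.tags)
    return False


def is_allowed(user, asset, function, needed):
    """Combined decision: must see the asset AND hold >= needed on the function."""
    if not can_see(user, asset):
        return False
    granted = user.perms.get(function, Perm.DENY)        # default deny (assumption)
    return granted.value >= needed.value


def visible_assets(user, assets):
    return sorted(a.name for a in assets if can_see(user, a))


# Constructed sample data: two applications and one cloud account.
ASSETS = [
    Asset("shop.example", "scale", frozenset({"team-payments", "prod"})),
    Asset("portal.example", "scale", frozenset({"team-hr", "prod"})),
    Asset("aws-prod", "cloudsec", frozenset({"prod"})),
]

# Master-style user: sees everything, manages everything.
ADMIN = User("admin", {"scale": Scope.ALL, "cloudsec": Scope.ALL},
             perms={"scans": Perm.MANAGE, "assets": Perm.MANAGE})

# Payments developer: Some on Scale via a team tag, None on Cloudsec,
# may run scans but only read asset configuration.
DEV = User("payments-dev", {"scale": Scope.SOME, "cloudsec": Scope.NONE},
           tags=frozenset({"team-payments"}),
           perms={"scans": Perm.MANAGE, "assets": Perm.READ})


if __name__ == "__main__":
    print(visible_assets(DEV, ASSETS))                       # ['shop.example']
    print(is_allowed(DEV, ASSETS[0], "scans", Perm.MANAGE))  # True
    print(is_allowed(DEV, ASSETS[0], "assets", Perm.MANAGE)) # False
```

Note that a broad tag such as "prod" on the asset does not widen access by itself: the user must hold the tag, so granting access is an explicit act on the user rather than a side effect of tagging assets.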

Scale Managed Service

Scale is offered as a managed service through Outpost24's managed service team. It is designed for organizations with limited security resources or who want to outsource application testing.

For more information on the service, what is included and what is excluded please refer to the specific Managed Service description document.