Shahar Sperling
Chief Architect at HCL AppScan
Shahar Sperling is the chief architect at HCL AppScan. He has 23 years of experience in professional software development. He has spent the last 13 years with the AppScan team, developing a variety of new products and technologies.
Posts by Shahar Sperling
Secure DevOps | October 28, 2020
?AST – The Who, What, Why and Where of Application Security Testing
You'll learn how to make an informed decision amongst the plethora of Application Security Testing options in the market, including DAST, SAST & IAST.
Secure DevOps | July 22, 2020
Hey, DNS! (with HCL AppScan Domain Name Server)
Once upon a time, “Dynamic Analysis” was called “Black-Box Testing”. I miss the old names (Black-Box, White-Box, Glass-Box…). While the new names have nice acronyms (DAST, SAST, IAST, etc.), they are far less descriptive of the way they work. The challenges faced when performing one type of testing or another are far clearer when the name explains how the testing option actually works.

Black-Box very clearly tells you that you are treating the test target as a “black box”. You cannot see inside. You can only rely on what the black box chooses to expose to you. When we perform test attacks, we call the application's response to an attack a “reflection”. It is sometimes the lack of a reflection that indicates whether a test succeeded.

This reliance on reflections is one of the major challenges faced by DAST. It is a limiting factor on the type of issues that can be detected. Some tests create an immediate response (or a response in a following sequence of requests), and those are issues DAST can find. Some tests are designed to disrupt a WebApp’s execution flow (intentionally causing a reflection failure), and those also are issues that DAST can detect.

What about everything else?

Impact of Asynchronous Validation Mechanism Testing

Maybe not everything else, but the asynchronous validation mechanism introduced several years ago does help. The idea behind these tests is not to rely on direct reflection (or lack thereof) but on other externally observable behavior of the application.

Where is this useful? For example, when testing for Command-Execution. We try to execute commands that would perform one of the actions described below. These are done outside the context of the running application and would, in many cases, have no response (a direct reflection in HTML, for example) associated with them. Under normal circumstances a DAST scanner would not be able to detect these vulnerabilities.
The first class of tests attempt to trigger an HTTP request to a web server embedded within the AppScan scanner itself. AppScan tries to get the tested server to initiate an HTTP request to a specific URL that helps us understand the source attack. It...
Secure DevOps | July 17, 2020
Achieve Private Site Scanning with AppScan on Cloud
Learn best practices for conducting Private Site Scanning (PSS) with HCL AppScan on Cloud (ASoC). Then, test-drive ASoC with our free 30-day trial.
Secure DevOps | July 16, 2020
Third-Party Component Security: The Good, The Not So Good and the Downright Ugly
Read this blog to learn how to identify security vulnerabilities in third-party application components. Then, you can test-drive HCL AppScan on Cloud.
Secure DevOps | July 15, 2020
Understanding the AppScan on Cloud Compliance Network
Learn how to calculate risk for applications that your company has in development & find out how to utilize HCL AppScan on Cloud to manage vulnerabilities.
Secure DevOps | July 13, 2020
How to Maximize the Effectiveness of Your Dynamic Testing Policies
In this blog, you'll learn more about Dynamic Application Security Testing (DAST) policies & find out how to maximize your team's dynamic analysis efforts.