Application Security Overview
Oneleet Application Security uses Dynamic Application Security Testing (DAST) to evaluate your running web applications by testing them from the outside in, much like an attacker would. It crawls your application, exercises its inputs and forms, and observes how it responds. This style of testing surfaces exploitable issues like injection flaws, sensitive information exposed deep within the application, and security misconfigurations that only show up at runtime.
How scanning works
A scan runs in two stages:
- Discovery: it explores your application using a real browser, following links and exercising forms and inputs to map its pages and attack surface.
- Testing: it first observes how your app responds during normal user flows to catch information leaks and misconfigurations, then actively sends attack-like requests to the application and watches how it reacts to find vulnerabilities that only appear when the application receives malicious input.
When an application requires a login, Oneleet Application Security authenticates first, so it tests the authenticated attack surface of the application where the most sensitive functionality usually lives.
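As an added illustration of the passive part of the Testing stage (observing normal responses for information leaks and misconfigurations before any attack-like input is sent), the following example is not Oneleet's code; the check list, finding labels and the sample responses are constructed assumptions:

```python
import re

# Python and Java-style stack traces that should never reach a client.
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)")

def passive_checks(url, headers, body=""):
    """Return finding strings for one captured response.
    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive."""
    findings = []
    lower = [(n.lower(), v) for n, v in headers]
    present = dict(lower)

    # Information leaks: version strings and stack traces reveal the stack behind the app.
    if re.search(r"\d", present.get("server", "")):
        findings.append("info-leak: Server header discloses a version")
    if "x-powered-by" in present:
        findings.append("info-leak: X-Powered-By header discloses the framework")
    if STACK_TRACE.search(body):
        findings.append("info-leak: stack trace in response body")

    # Misconfigurations that only show up at runtime, on the live responses.
    if url.startswith("https://") and "strict-transport-security" not in present:
        findings.append("misconfig: missing Strict-Transport-Security")
    if "content-security-policy" not in present:
        findings.append("misconfig: missing Content-Security-Policy")
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("misconfig: missing X-Content-Type-Options: nosniff")
    for name, value in lower:
        if name != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"misconfig: cookie {cookie} missing {flag}")
        if not any(a.startswith("samesite") for a in attrs):
            findings.append(f"misconfig: cookie {cookie} missing samesite")
    return findings

# Constructed sample responses, as a crawler might capture them during a normal login flow.
SAMPLE_RESPONSES = [
    {"url": "https://app.example/login", "body": "<html>Login</html>",
     "headers": [("Server", "Apache/2.4.49"), ("Content-Type", "text/html"),
                 ("Set-Cookie", "session=abc123; Path=/")]},
    {"url": "https://app.example/api/orders",
     "body": "Traceback (most recent call last):\n  File \"app.py\", line 12\nKeyError: 'id'",
     "headers": [("Server", "nginx"), ("Strict-Transport-Security", "max-age=31536000"),
                 ("Content-Security-Policy", "default-src 'self'"), ("X-Content-Type-Options", "nosniff")]},
]

def run_passive_scan(responses):
    """Map each captured URL to its passive findings; nothing is sent to the application."""
    return {r["url"]: passive_checks(r["url"], r["headers"], r.get("body", "")) for r in responses}
```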
Where it fits
Oneleet Application Security fits alongside the rest of your Oneleet security program.
Attack Surface Management discovers your exposed assets and tests their surface for security issues; Application Security goes a layer deeper, into the application context of your most important assets.
It also complements Code Security and Dependency Scanning. Where those examine how an application is built, Application Security examines how it behaves when running.
Together they give you a fuller picture of your security posture: from where your applications show up, to how they’re built, to how they behave in production.
Getting started
Getting started takes only a few minutes:
- Create an application profile, either from scratch or by importing an asset from Oneleet Attack Surface Management. As part of setup you define its scope, authentication, request headers, and a scan schedule.
- Run a scan readiness check to confirm that the application is reachable, can be logged into, and can be crawled.
- Run a vulnerability scan (or wait for the scheduled scan to run at the time you specified). If the scan finds medium- or high-severity issues, you will receive a notification.
- Review the issues. Issues are enriched with severity, confidence, evidence, and remediation advice to help you prioritize and fix them.
From there, scheduled scans run automatically to keep you updated on new issues as your app changes, and you can run ad-hoc scans whenever you want to check for new issues or verify a fix.