Discover Hidden Assets with AppTrana WAAP
We are excited to introduce Asset Discovery – a new feature that allows you to find and protect unknown applications, domains, sub-domains, and other public assets.
This feature is now part of AppTrana WAAP and Indusface WAS (Web Application Scanning).
The unknown is the biggest risk, especially an orphaned app launched by one of your business divisions and no longer in use.
Attackers could take advantage of that application, find backdoors, and bring down your entire organization.
The Power of Asset Discovery – Goals & Objectives
The Asset Discovery feature lets you discover and maintain an inventory of all your public-facing web assets (Web, API, and mobile applications along with their associated IPs, sub-domains, and data center information).
This allows you to quickly protect business-critical apps that have not been protected so far and remove any orphaned or shadow assets your organization no longer needs.
The primary purpose of launching the feature is to break silos between application, infra, and security teams by giving everyone visibility into 1) the external attack surface, 2) the risk associated with these assets, and 3) the protection status, all on a single unified platform – AppTrana WAAP.
Web Assets vs. IT Assets – What Sets Them Apart?
Web assets refer to the digital components and resources associated with a company’s online presence, specifically related to its website or web-based applications.
These assets include the website, domain names, web servers, web applications, databases, content management systems, media files (images, videos), user interfaces, APIs (Application Programming Interfaces), and other related components.
On the other hand, IT assets, also known as information technology assets, encompass a broader range of digital and physical resources that an organization utilizes to support its overall information technology infrastructure.
This includes hardware devices (computers, servers, networking equipment, storage devices), software applications, operating systems, databases, network infrastructure, security systems, and other IT-related resources.
Why Do You Need Asset Discovery?
The online landscape for any company, regardless of its scale, rapidly evolves into a complex and decentralized web of assets. Managing these extensive online presences becomes difficult for organizations. This often leads to cybersecurity incidents caused by missing or forgotten web assets.
The sum of an organization’s online assets constitutes its attack surface. The larger this attack surface, the greater the potential for unmanaged assets to exist.
Securing unknown or unmanaged assets is challenging because you cannot protect what you are unaware of. Consequently, these unidentified assets become attractive targets for attackers due to their vulnerability and ease of exploitation.
Use Case:
Imagine your organization created a WordPress website for a marketing campaign two years ago. The campaign website utilized a dedicated domain separate from your main business domain. After the campaign ended, the website was forgotten and left unattended.
Due to neglect and lack of maintenance, the WordPress site’s server configuration remained insecure. An attacker discovers this forgotten website and realizes the server is misconfigured, allowing unauthorized access to sensitive files.
Exploiting this misconfiguration, the attacker gains access to the website’s server and finds a trove of your customer data stored in an unprotected directory. This data includes personal information such as names, email addresses, phone numbers, and purchase histories.
Neglecting to protect abandoned websites can result in unauthorized access, data breaches, and severe legal and reputational consequences for your organization.
Key Factors Why Web Assets Go Missing
- Web assets “go missing” due to a lack of proper lifecycle management, where outdated assets are left online without timely updates or removal.
- Insufficient global security processes make web assets go unnoticed within larger organizations. Departments may create web assets using different tools without the organization knowing their existence.
- Internal tooling can lead to web assets becoming unknown to other departments. For example, a specific team might use a web application for internal processes, which remains inaccessible to other departments and potentially vulnerable to external access.
- Personnel changes can result in the loss of web assets, particularly when departing employees fail to hand over their created assets. Ex-employees may leave behind promotional sites or campaign-specific web applications, leaving them unattended or forgotten.
- Mergers and acquisitions pose challenges in consolidating metadata and managing web assets across organizational units. As a result, organizations struggle to keep track of all owned web assets, leading to potential loss or fragmentation during integration.
- External contractors can inadvertently leave test versions or unfinished web assets publicly accessible outside the organization. This creates security risks, as sensitive information may be exposed or unauthorized access granted.
Asset Discovery with Indusface WAS
You can discover your assets using the Asset Monitoring tab in Indusface WAS. Enter your account name -> email address -> Start Discovery to start your asset discovery.
Here is a detailed overview of how Asset Discovery in Indusface WAS works:
Asset Discovery with AppTrana WAAP
Here is a step-by-step guide to how to use Asset Discovery on AppTrana WAAP:
There are three steps involved in asset discovery:
- Asset Discovered
- Asset Ignored
- Asset Protected
Step 1: Asset Discovered
When you add a new target as the reference, AppTrana automatically performs the asset discovery. Here, you can add input parameters in three ways:
- Enter the account name in the respective field (or)
- Enter the domain name (or)
- Select the domain from the drop-down menu and then click Start Discovery
Once the asset discovery is completed, a table is displayed with the following basic details:
| Parameter | Description |
| --- | --- |
| Asset name | A subdomain associated with the root domain |
| IP Address | The IP address of the asset |
| Data center | The data center where the application is hosted |
| Domain Name | The top-level domain or the root domain |
| Asset Type | Assets can include webpages, APIs, databases, and so on. This field displays the type of asset, such as webpage |
| Action | Two actions are available: Protect Now / Ignore Site |
Step 2: Asset Ignored
Not all identified assets need to be protected, as some may be low risk. Similarly, default discovery may return every possible asset that matches the input parameter, which can produce false-positive matches. The user can ignore such low-risk and false-positive assets by selecting the action – Ignore Site.
All the ignored assets are displayed in the Assets Ignored section with a table. The table details include Asset Name, IP Address, Data Center, TLD (Top Level Domain), and Action.
Don’t Ignore Assets:
If an asset was ignored by mistake, or it turns out to be valid rather than a false positive, users can undo this by clicking ‘Do Not Ignore.’ The asset then moves back to the Assets Discovered list automatically.
Step 3: Asset Protected
Select the asset and click the Protect Now action in the Assets Discovered section to add the identified asset under AppTrana’s enhanced protection.
You will be guided through AppTrana’s onboarding process. Once activation is successfully finished, the onboarded asset will appear in the Assets Onboarded section.
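The three sections and three actions described in Steps 1 to 3 form a small state machine: an asset is Discovered, can be moved to Ignored (Ignore Site) and back (Do Not Ignore), and only a Discovered asset can be taken to Onboarded (Protect Now). The following Python model is an added example, not AppTrana or Indusface code; it uses the column names from the table above, derives the Domain Name column from the asset name with a simplified last-two-labels rule (an assumption that does not handle suffixes like .co.uk), and all asset data in it is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    """The three sections an asset can sit in, named as in the walkthrough."""
    DISCOVERED = "Assets Discovered"
    IGNORED = "Assets Ignored"
    ONBOARDED = "Assets Onboarded"


def root_domain(asset_name: str) -> str:
    """Derive the Domain Name column from an asset name.

    Assumption: the root domain is the last two DNS labels, so multi-label
    public suffixes such as .co.uk are not handled by this simplified rule.
    """
    labels = [l for l in asset_name.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {asset_name!r}")
    return ".".join(labels[-2:])


@dataclass
class Asset:
    """One row of the discovery table (columns follow the post's table)."""
    asset_name: str
    ip_address: str
    data_center: str
    asset_type: str = "webpage"
    status: Status = Status.DISCOVERED
    domain_name: str = field(init=False)

    def __post_init__(self) -> None:
        self.asset_name = self.asset_name.lower().strip(".")
        self.domain_name = root_domain(self.asset_name)


class AssetInventory:
    """In-memory inventory with the actions Ignore Site, Do Not Ignore, Protect Now."""

    # action -> (status the asset must currently have, status it moves to)
    _TRANSITIONS = {
        "Ignore Site": (Status.DISCOVERED, Status.IGNORED),
        "Do Not Ignore": (Status.IGNORED, Status.DISCOVERED),
        "Protect Now": (Status.DISCOVERED, Status.ONBOARDED),
    }

    def __init__(self) -> None:
        self._assets: dict[str, Asset] = {}

    def discover(self, asset_name, ip_address, data_center, asset_type="webpage") -> Asset:
        """Record a discovered asset; re-discovering a known name keeps its current status."""
        key = asset_name.lower().strip(".")
        if key not in self._assets:
            self._assets[key] = Asset(key, ip_address, data_center, asset_type)
        return self._assets[key]

    def _apply(self, action: str, asset_name: str) -> Asset:
        asset = self._assets[asset_name.lower().strip(".")]
        required, result = self._TRANSITIONS[action]
        if asset.status is not required:
            raise ValueError(
                f"{action!r} not allowed while {asset.asset_name} is in {asset.status.value}"
            )
        asset.status = result
        return asset

    def ignore_site(self, asset_name: str) -> Asset:
        return self._apply("Ignore Site", asset_name)

    def do_not_ignore(self, asset_name: str) -> Asset:
        return self._apply("Do Not Ignore", asset_name)

    def protect_now(self, asset_name: str) -> Asset:
        return self._apply("Protect Now", asset_name)

    def section(self, status: Status) -> list[str]:
        """Asset names listed in one section, sorted for stable display."""
        return sorted(a.asset_name for a in self._assets.values() if a.status is status)

    def unprotected_by_domain(self) -> dict[str, int]:
        """Discovered-but-not-onboarded assets per root domain (ignored ones excluded)."""
        counts: dict[str, int] = {}
        for a in self._assets.values():
            if a.status is Status.DISCOVERED:
                counts[a.domain_name] = counts.get(a.domain_name, 0) + 1
        return counts


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation addresses, not real assets).
    inv = AssetInventory()
    inv.discover("www.example.com", "192.0.2.10", "DC-1")
    inv.discover("campaign.example.com", "192.0.2.11", "DC-1")
    inv.discover("api.example.com", "192.0.2.12", "DC-2", "api")
    inv.ignore_site("campaign.example.com")   # low-risk / false positive
    inv.protect_now("www.example.com")        # onboarded
    for status in Status:
        print(status.value, inv.section(status))
    print("still unprotected:", inv.unprotected_by_domain())
```

The transition table is the point: Protect Now refuses an asset that sits in the Ignored section, so a false positive that was parked there cannot be onboarded by accident until someone explicitly clicks Do Not Ignore, and the per-domain count of discovered-but-unprotected assets is the visibility the post says the feature is meant to give.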
AppTrana’s Asset Discovery will become your one-stop solution for asset identification and management, a crucial step towards adopting web application and API protection.