Rickard Carlsson, CEO, Detectify

Organizations often operate under an “illusion of coverage”: they diligently scan their core web applications while potentially missing the majority of complex apps in their attack surface. Security teams know they must test their main applications, but they often wonder which other assets to cover. In fact, 9 out of 10 complex web apps that are potential attack targets go untested. This presentation addresses this critical gap by adopting an attacker’s perspective, focusing not on the well-protected known apps but on the often-overlooked apps that attackers actively look for. We will present techniques that leverage automated analysis of diverse signals, such as JavaScript libraries, cookie consent implementations, specific HTTP headers, analytics integrations, and indicators of PII data, to systematically uncover these hidden web applications. By analyzing these signals, we demonstrate how organizations can move beyond scanning just their “Top 10” known assets towards a comprehensive, dynamically updated inventory, enabling truly scalable and effective DAST and AppSec programs that see both the forest (the entire attack surface) and the trees (each attacker-attractive asset).
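The abstract describes using signals such as JavaScript libraries, cookie consent implementations, HTTP headers, analytics integrations and PII indicators to decide which web applications deserve DAST coverage. As an added illustration (not Detectify's tooling or the speaker's code), the Python below runs a small set of hypothetical detectors over constructed HTTP responses and ranks the hosts by a weighted complexity score so that an inventory can be prioritized. The regex patterns, the weights and the three sample responses are assumptions made for the example.

```python
"""Signal-based ranking of web responses for DAST inventory prioritization.

Hypothetical example: not Detectify's code and not the talk's tooling. The
sample responses are constructed inline so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal view of a fetched page: URL, status, headers and HTML body."""
    url: str
    status: int
    headers: dict[str, str]
    body: str


# Illustrative fingerprints; a real inventory would use a curated signature set.
JS_LIBRARY_RE = re.compile(r'<script[^>]+src="[^"]*(react|angular|vue|jquery|next)[^"]*"', re.I)
COOKIE_CONSENT_RE = re.compile(r"(cookieconsent|cookiebot|onetrust|consent\s*banner)", re.I)
ANALYTICS_RE = re.compile(r"(googletagmanager\.com|google-analytics\.com|gtag\(|segment\.com/analytics)", re.I)
PII_FORM_RE = re.compile(r'<input[^>]+(type="password"|name="(email|phone|ssn|card)")', re.I)
SESSION_COOKIE_RE = re.compile(r"(session|sid|auth|jwt)", re.I)

# Assumed weights: signals that imply authenticated users or personal data count most.
SIGNAL_WEIGHTS = {
    "pii_form": 3,          # login / registration / checkout forms
    "session_cookie": 3,    # stateful, authenticated application
    "js_framework": 2,      # single-page app or rich client logic
    "analytics": 1,         # business cares enough to measure it
    "cookie_consent": 1,    # tracking / personal data processing in play
    "framework_header": 1,  # X-Powered-By discloses a server-side stack
}


def _header(resp: Response, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def detect_signals(resp: Response) -> set[str]:
    """Return the set of signal names observed in one response."""
    signals: set[str] = set()
    if JS_LIBRARY_RE.search(resp.body):
        signals.add("js_framework")
    if COOKIE_CONSENT_RE.search(resp.body):
        signals.add("cookie_consent")
    if ANALYTICS_RE.search(resp.body):
        signals.add("analytics")
    if PII_FORM_RE.search(resp.body):
        signals.add("pii_form")
    if SESSION_COOKIE_RE.search(_header(resp, "Set-Cookie")):
        signals.add("session_cookie")
    if _header(resp, "X-Powered-By"):
        signals.add("framework_header")
    return signals


def complexity_score(signals: set[str]) -> int:
    """Weighted sum of the detected signals."""
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)


def prioritize(responses: list[Response]) -> list[tuple[str, int, list[str]]]:
    """Rank hosts so the most application-like ones reach DAST first."""
    ranked = [(r.url, complexity_score(detect_signals(r)), sorted(detect_signals(r))) for r in responses]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample responses (hostnames use the reserved .test TLD).
SAMPLE_RESPONSES = [
    Response(
        url="https://www.example.test/about",
        status=200,
        headers={"Content-Type": "text/html"},
        body="<html><body><h1>About us</h1><p>Static marketing page.</p></body></html>",
    ),
    Response(
        url="https://portal.example.test/login",
        status=200,
        headers={"Content-Type": "text/html", "Set-Cookie": "sessionid=abc123; Path=/; HttpOnly; Secure"},
        body=(
            '<html><head><script src="/static/react.production.min.js"></script>'
            '<script async src="https://www.googletagmanager.com/gtag/js?id=G-CONSTRUCTED"></script>'
            '<script src="https://cdn.example.test/onetrust/otSDKStub.js"></script></head>'
            '<body><form><input name="email" type="text"><input type="password" name="pw"></form></body></html>'
        ),
    ),
    Response(
        url="https://legacy-admin.example.test/",
        status=200,
        headers={"Content-Type": "text/html", "X-Powered-By": "PHP/7.4"},
        body=(
            '<html><head><script src="/js/jquery-3.6.0.min.js"></script></head>'
            '<body><form><input name="email"><input name="note"></form></body></html>'
        ),
    ),
]

if __name__ == "__main__":
    for url, score, signals in prioritize(SAMPLE_RESPONSES):
        print(f"{score:>3}  {url}  {signals}")
```

Only the first page of each host is examined here; in practice the same detectors would run over every discovered hostname and path, and the ranking would be re-computed as the inventory changes, which is the "dynamically updated" part of the abstract.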
