Application vulnerability scanning service

Learn about the Application vulnerability scanning service, a cyber security service available as an add-on to the Vulnerability scanning service.

Purchase licences for InsightAppSec, a vendor-provided application vulnerability scanning console by Rapid7, delivered by RIoT Solutions.

The existing Whole of Queensland Government Vulnerability scanning service provides Queensland Government (QG) agencies with the understanding and preparedness to detect, prevent and respond to the increased risk of cyber-attacks.

Agencies that have deployed the Rapid7 Vulnerability scanning tool may also purchase licences for an additional scanning console, InsightAppSec by Rapid7, delivered by RIoT Solutions.

InsightAppSec is a vulnerability scanning tool that allows you to identify, evaluate and mitigate risk to your web applications. A scan sends attack payloads to the URLs you select in your application and reports the weaknesses it finds that could lead to exploitable vulnerabilities.

InsightAppSec provides in-depth Dynamic Application Security Testing (DAST) for mature and maturing web applications. Scans can be run against both internal and externally facing web applications, whether or not the application requires authentication (authenticated scans need to be configured with valid credentials for the application so the scanner can reach the pages behind the login).

Visit the Rapid7 website and watch the video-overview for more details on the functionality of InsightAppSec.

Using this service helps agencies meet their obligations under the Information security policy (IS18:2018) and improve their cyber security maturity.

Business benefits

  • Enables informed engagement and decision-making, based on current information about vulnerabilities in the agency's applications, in order to improve business and operational outcomes.
  • A flexible and scalable solution for agencies currently using the Vulnerability scanning service, or for those wishing to provision application scanning functionality by leveraging Whole of Government (WoG) purchasing arrangements.

Technical capabilities

InsightAppSec provides application scanning functionality beyond that incorporated in the standard Vulnerability scanning service, including:

  • 95+ attack types (e.g. SQL injection, CSRF, XSS)
  • Attack replaying (re-issue the request that produced a finding, to validate it or confirm a fix)
  • SaaS management platform (no on-premises console needed)
  • Cloud and on-premises scan engines (an on-premises engine is needed to reach applications that are internal only)
  • The Universal Translator (Rapid7's engine for crawling and attacking modern request formats such as JSON and XML APIs)
  • Reporting on compliance against PCI DSS, HIPAA, the OWASP Top Ten (2013, 2017 and 2021 editions) and other regulatory requirements.

All government agencies and related bodies are eligible to access this service.

A 30-day trial is available so agencies can test the functionality of this service before committing to purchase.

Entity Type                          Eligibility   Cost
Queensland Government Agencies       Eligible      By negotiation
Statutory Bodies                     Eligible      By negotiation
Local Government                     Eligible      By negotiation
Government Owned Corporation (GOC)   Eligible      By negotiation

Licensing cost

The price to access InsightAppSec is $1595.00 including GST per application, per annum.

Licensing is priced on the total number of applications. Where an application has a single purpose, all of its instances are covered under a single licence, i.e. its microservices and its development, staging and production environments.

For example, mail.google.com and dev.mail.google.com would be covered by one licence, as they serve the same purpose.

By contrast, mail.google.com and www.google.com serve different purposes and would require separate licences.

There are four steps to request and deploy this service.

1. Review existing applications:

  • How many web apps or API endpoints do you wish to scan? If possible, provide the Fully Qualified Domain Name (FQDN) of each.
  • Are the web apps or API endpoints accessible externally, or internal only?
  • Identify officers in your agency who will access the InsightAppSec dashboard, including:
    • Technical officers
    • Executive officers, i.e. the Chief Information Officer (CIO) or Chief Information Security Officer (CISO).

2. Complete the Application scanning request form with the information gathered above to start the onboarding process.

3. Consultation. Once you have submitted the request form, a cyber security specialist from RIoT Solutions will contact you to arrange an initial consultation, where the information you provided is evaluated to determine the most appropriate implementation for your organisation's requirements.

This consultation will include a quote from the vendor.

4. Deployment. Deployment is performed by specialists from RIoT Solutions, in collaboration with the Queensland Government Cyber Security Unit (CSU) and CITEC.
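Step 1 asks for each FQDN, whether it is externally accessible or internal only, and (for the licence count) which application each hostname belongs to. The script below is an added example for this page, not Queensland Government, Rapid7 or RIoT Solutions code. It classifies each hostname from the addresses it resolves to and counts one licence per distinct application label, following the licensing rule above. All hostnames, application labels and DNS answers are constructed so that it runs offline; a live resolver function is included but not used by the sample.

```python
"""Inventory helper for step 1 of the InsightAppSec onboarding request.

Added example for this page; it is not Queensland Government, Rapid7 or
RIoT Solutions code. Hostnames, labels and addresses below are constructed.
"""
import ipaddress
import socket

# Address ranges that are never reachable from the public internet. An FQDN
# that resolves only into these is "internal only" for the request form.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "fc00::/7",                                       # IPv6 unique local
)]

# Constructed inventory: (application label, FQDN). The label is the agency's
# own judgement of "single purpose"; every FQDN sharing a label shares one
# licence regardless of environment (dev, staging, production) or microservice.
SAMPLE_INVENTORY = [
    ("grants-portal", "grants.example.qld.gov.au"),
    ("grants-portal", "dev-grants.example.qld.gov.au"),
    ("grants-portal", "api.grants.example.qld.gov.au"),
    ("hr-intranet", "hr.corp.example.qld.gov.au"),
    ("legacy-forms", "forms.example.qld.gov.au"),
    ("legacy-forms", "old-forms.example.qld.gov.au"),
]

# Constructed DNS answers so the example runs offline. 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges standing in for public addresses.
SAMPLE_DNS = {
    "grants.example.qld.gov.au": ["203.0.113.10"],
    "dev-grants.example.qld.gov.au": ["10.20.30.40"],
    "api.grants.example.qld.gov.au": ["203.0.113.11", "2001:db8::11"],
    "hr.corp.example.qld.gov.au": ["192.168.5.25", "fd00:abcd::25"],
    "forms.example.qld.gov.au": ["203.0.113.50", "10.0.0.50"],
    # old-forms.example.qld.gov.au deliberately has no record
}


def resolve_live(fqdn):
    """Resolve with the OS resolver. Not used by the offline sample: the answer
    depends on where you ask from, so run it from a vantage point that matches
    the question (the public internet for 'externally accessible')."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def is_internal(address):
    """True if the address falls in a range that is not publicly routable."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def classify_exposure(addresses):
    """Map one FQDN's addresses to the exposure answer for the request form."""
    if not addresses:
        return "unresolved"
    internal = {is_internal(a) for a in addresses}
    if internal == {True}:
        return "internal"
    if internal == {False}:
        return "external"
    return "mixed"  # public and private records together: check by hand


def build_request(inventory, dns):
    """Return per-FQDN exposure plus the licence count (distinct applications)."""
    rows = [{"application": app, "fqdn": fqdn,
             "exposure": classify_exposure(dns.get(fqdn, []))}
            for app, fqdn in inventory]
    return {"rows": rows, "licences": len({app for app, _ in inventory})}


if __name__ == "__main__":
    result = build_request(SAMPLE_INVENTORY, SAMPLE_DNS)
    for row in result["rows"]:
        print(f"{row['application']:14} {row['fqdn']:34} {row['exposure']}")
    print(f"licences required: {result['licences']}")
```

Two caveats when using this for real. First, resolve from the right place: an agency's internal resolver may answer with private addresses for a hostname that the public internet resolves to a public address (split-horizon DNS), so an "internal" answer from inside the network does not prove the application is unreachable from outside; a "mixed" result is the script's signal to check by hand. Second, the explicit range list is used instead of Python's `ip_address(...).is_global` because the standard library treats the documentation ranges used in the sample as non-global, which would misclassify them.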

Read the comprehensive InsightAppSec console guide on the Rapid7 website for full details on everything from quick start to frequently asked questions and troubleshooting support.

InsightAppSec online training

The Rapid7 Academy provides a self-paced online training course for users. This course is accessible 24 hours a day, 7 days a week.

The course will guide you through best practices for setting up and running scans and reviewing vulnerabilities in InsightAppSec. Because deployment of the platform is performed for you as part of this service, we recommend you focus on the 'Overview', 'Prepare for InsightAppSec Scans', 'Scanning Applications' and 'Vulnerabilities' modules to get the most from the training.

Visit Getting Started - Rapid7 InsightAppSec to register for the course.

During registration, ensure your login account email is your Queensland Government email address.

RIoT Solutions Service Desk

Contact the RIoT Solutions Service Desk at servicedesk@RIoTSolutions.com.au for technical support issues relating to the Application scanning service.