Statement
Ecsypno's Codename SCNR aims to provide first-class, on-premises tooling and infrastructure for web application security, which at the same time takes less effort to set up and manage than a managed SaaS solution.
The goal is for WebAppSec solutions to be easily available to all.
More importantly, we believe that security data should solely belong to the stakeholder and that no restrictions should be imposed such as limits to the amount of scanned pages or target domains.
The DAST offering's current capabilities include:
- Scripting to support manual audits, letting the tester explore a WebApp in depth, acquire thorough knowledge of it and move forward more efficiently, bringing unparalleled value to the penetration test.
- Simple command-line utilities for automated testing of WebApps.
- Agents that allow for scans to originate from remote machines.
- Grouping of Agents in what we call the Grid, allowing for transparent load-balancing (both vertical and horizontal).
- Automated queuing of scans via the Scheduler component.
- Simple yet powerful integration via a centralized REST API.
These technologies can be used separately or combined as necessary, meaning that deployments can range from a simple script investigating a single input's behavior, to thousands of scans queued via the Scheduler and then, via Grid load-balancing, performed by remote Agents in an automated, parallel, safe and optimal manner.
Those terms can sound daunting at first, but not in the way Codename SCNR is architected and configured.
It all happens with minimal user interaction or monitoring, leading to a fire-and-forget scanning and scheduling system that is as simple to use as a joyful toy.
History
Codename SCNR is the commercial successor to the industry-known Arachni Web Application Security Scanner Framework (now heading towards obsolescence).
You can think of it as Arachni re-imagined, re-written and on steroids.
More than 10 years of hands-on, deep experience in this subject matter, condensed into a first-tier product.
Resources
Articles
Script your DOM XSS exploitation workflow
Hello all, I wanted to share some Codename SCNR scripting kung-fu with you. This is something you can use post-scan,...
The Arachni Chronicles
A story of curiosity, experimentation, development, million euro deal, fraudsters, abandonment and revitalization. From the inception of the F/OSS Arachni...
Continuous client-side IAST/DAST Hybrid approach for Single-Page-Applications
Some very interesting technology was presented a few days ago in the following articles: Following the data: Taint-tracing in the...