Usage of a spider which executes dynamic content like JavaScript, e.g. via Selenium.
Risk: Parts of the service are not covered during the scan because JavaScript is not executed. The coverage of client-side dynamic components is therefore limited, leaving vulnerabilities in those components undetected.
A simple scan is performed to get a security baseline. If the test completes in under 10 minutes, it should be part of the build and deployment process.
Risk: Deficient security tests are performed: simple vulnerabilities are not detected, missing security configurations (e.g. security headers) remain unset, and no fast feedback is given.
Integration of authentication with all roles used in the service.
Risk: Parts of the service are not covered during the scan because no login is performed.
Hidden endpoints are detected and included in the vulnerability scan.
Risk: Hidden endpoints of the service are not tracked.
Special parameters and special encodings are defined so that the vulnerability scanners in use fuzz them.
Risk: Parts of the service are not covered, for example because specially formatted or encoded parameters are not recognised as parameters (e.g. parameters in REST-like URLs, parameters in JSON bodies or base64-encoded parameters).
Sequential operations are defined and checked by the vulnerability scanner in the defined order.
Risk: Sequential operations like workflows (e.g. login -> put products in the basket
Usage of multiple spiders and scanners increases the coverage and the number of vulnerabilities found.
Risk: Each vulnerability scanner has different capabilities. By using just one scanner, some vulnerabilities might not be found.
Check with coverage tools that no paths in the application are missed by the scan.
Risk: Parts of the service are still not covered by tests.
Service-to-service communication is dumped and checked.
Risk: Service-to-service communication is not covered.