This review, written by Paul Asadoorian, focuses on Detectify’s Surface Monitoring product. This crowdsource-backed attack surface monitoring component discovers Internet facing assets such as subdomains, exposed files, vulnerabilities and misconfigurations.
The Surface Monitoring product was designed to complement Detectify’s Application Scanning (AS) product. While the AS product focuses on issues in the code of web applications, Surface Monitoring zooms out a bit, discovering potential issues at the web server, web framework and subdomain level.
For application scanning to find vulnerabilities, it first has to be configured with the targets to scan, and configuring those targets requires that employees know they exist.
This is where Surface Monitoring comes in. New apps, APIs, or app components may be deployed to production without the app scanner being updated to cover them; Surface Monitoring discovers those assets, and you can even launch new app scans from within it (assuming you are licensed to use both products). Another reason to use Surface Monitoring is that there are entire classes of vulnerabilities, at the web server, framework and subdomain level, that app scanners and network vulnerability scanners often miss.
Speaking of vulnerabilities, often by the time they are disclosed, they are already actively being exploited in the wild. Getting ahead of this curve can be difficult.
However, Detectify has created a crowdsourced bug bounty model that helps you continually automate and scale the testing of attacker techniques.