Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

06:30 PM
Connect Directly

Rapid7 Picks Up NTObjectives

Adds 25 new employees and further diversifies testing capabilities.

Rapid7 today acquired NT OBJECTives (NTO) for an undisclosed amount in a move that it says will help its customers better keep up with the threat landscape by building out its web and mobile applications security testing capabilities. Known best for its NTOSpider dynamic testing platform, NTO brings to Rapid7 a roster of 25 employees and a mature suite of testing tools that have gained traction in the Fortune 500. For now, Rapid7 will rebrand NTOSpider as AppSpider Pro and NTOEnterprise as AppSpider Enterprise.

"Web application attacks are increasing in severity and frequency. While we've been able to address some of these challenges with our other Threat Exposure Management solutions -- Nexpose and Metasploit -- AppSpider will significantly enhance Rapid7's capabilities," says Lee Weiner, senior vice president of products and engineering for Rapid7.

With web application attacks making up about 35 percent of breaches in many industries,  according to the Verizon Data Breach Investigations Report, and the velocity of mobile development adding to that attack surface exponentially, these areas remain a huge sore spot for enterprise security.  

"Web application security represents one of the greatest challenges facing the security industry and businesses of all sizes. With millions of custom web applications developed in the last two decades, organizations have significantly increased their attack surface," says Dan Kuykendall, co-CEO and CTO at NTO.

Some of the unique capabilities that drew Rapid7 to NTO's product portfolio include AppSpider's 'universal translator' technology that gives better visibility into newer web and mobile development technologies like AJAX, REST, and JSON, as well as the ability to create customized attacks that can better test for business logic flaws that often go unfound using static analysis.

"NTO has developed outstanding functionality to ensure that web application assessment is broad and efficient," Weiner says. "It isn't enough to evaluate some aspects of the threat landscape and feel like you are covered. Tools -- like those from NTO -- must marry comprehensive and continuous coverage of web applications with efficient tools for sophisticated security programs managing business critical application ecosystems."

Plus, says Weiner, the NTO team was a good match from a personnel standpoint.

"We were looking for a team that wasn't just a strong fit technology-wise, but culturally," he says. "The NTO team is extremely well aligned with Rapid7 in terms of philosophy and mission." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/5/2015 | 11:37:24 AM
Current Rapid7 Functionalities
I know currenlty that Rapid7's product Nexpose has a web application scanning functionality but I am not sure how robust it is as I have not used it.

Can someone please provide me with a perspective of what NTOSpider does efficiently as well as things it could work on? Application scanning is a critical component in the present for increasing security posture and with that its good to know the benefits and detriments to the product.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-14
In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.
PUBLISHED: 2020-08-14
In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands...
PUBLISHED: 2020-08-14
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values...
PUBLISHED: 2020-08-14
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.
PUBLISHED: 2020-08-14
In Textpattern 4.5.7, an unprivileged author can change an article's markup setting.