The term web asset discovery applies to a mechanism associated with web application security testing. This function is often available as a module in other cybersecurity tools and is rarely available as a standalone tool. Note that web asset discovery is a relatively new concept and the term itself is not formally defined. Therefore, some tools may use custom terms for the same functionality.
The goal of web asset discovery software is to find (discover) web assets, such as websites, web applications, or APIs. These assets can then be used as targets for other tools such as dynamic application security testing (DAST) to identify vulnerabilities and other potential security risks/attack vectors and allow for remediation. Web asset discovery identifies web assets based on a seed keyword provided by the user. The seed keyword is, most commonly, the name of the company. The result is a knowledge base containing a list of domains or subdomains that host websites, web apps, or web APIs. The list can later be used for security testing, vulnerability management, and more.
Organizations need discovery tools because they often struggle to automate their web inventory management – they fail to identify and keep a complete list of all web assets that they own, which becomes an even bigger problem as the organization grows. For example, a corporate department may register a domain and put up a campaign website without ever notifying the corporate web security team or even the IT administration team. As a result, the company’s true web attack surface is unknown, which may lead to attacks against untested assets, potentially resulting in costly data breaches and reputation loss.
Web asset discovery should not be confused with IT asset discovery, IT asset management (ITAM), or IT service management (ITSM). While there may be some overlap, they are very different mechanisms.
Web asset discovery tools keep improving over time as innovative companies come up with new ways to build web asset libraries. Here are some of the techniques used:
Note that most web asset discovery mechanisms are SaaS crawlers. This means that once you provide them with a keyword to search for, usually via the primary tool dashboard, they keep searching for it indefinitely in real-time and provide you with information on any new assets found, for example, via notifications every 24 hours. This allows web asset discovery to become part of a regular web development and security workflow/lifecycle.
The goal of web asset discovery is to find and list existing web assets, such as websites, web applications, and APIs. These assets can then be used as targets for other security tools such as dynamic application security testing (DAST) to identify vulnerabilities and other potential security risks/attack vectors and support remediation.
Web asset discovery mostly relies on crawlers that perform public certificate registry searches and public domain registry searches. Discovery services also work together with search engine crawlers to find any web assets that mention discovery keywords, such as the name of the company.
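The certificate-registry search described above, together with the "notify on new assets" workflow from the earlier paragraph, as an added example (this is illustrative code, not Invicti's or Acunetix's own): it parses constructed Certificate Transparency records in the JSON shape that crt.sh returns, keeps hostnames containing the seed keyword, and diffs them against an existing inventory so only newly seen assets are reported. The sample records, domain names, and function names are all constructed for the example.

```python
import json

# Constructed sample in the JSON shape crt.sh returns (the real service includes more
# fields); "name_value" carries newline-separated subject alternative names.
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example-corp.com\nexample-corp.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.api.example-corp.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Campaign2024.example-corp.net"},   # a department's unannounced site
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "shop.unrelated-example.org"},      # matches "example" but not the seed
])


def normalize_hostname(name):
    """Lower-case, drop a leading wildcard label and trailing dot so equal hosts dedupe."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def extract_hostnames(ct_json, seed_keyword):
    """Return the sorted, deduplicated hostnames from CT records that contain the seed keyword."""
    keyword = seed_keyword.lower()
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            host = normalize_hostname(raw)
            if host and keyword in host:
                found.add(host)
    return sorted(found)


def diff_inventory(known_hosts, discovered_hosts):
    """Split one discovery run into (new assets worth a notification, already known assets)."""
    known = set(known_hosts)
    new = sorted(h for h in discovered_hosts if h not in known)
    return new, sorted(known & set(discovered_hosts))


if __name__ == "__main__":
    inventory = {"www.example-corp.com", "example-corp.com"}   # what the team thinks it owns
    hosts = extract_hostnames(SAMPLE_CT_RECORDS, "example-corp")
    new_assets, already_known = diff_inventory(inventory, hosts)
    print("new assets to review:", new_assets)
```

A real run would fetch the records from a CT search service instead of the embedded sample and persist the merged list as the knowledge base for the next cycle.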
To use the web asset discovery services provided with Invicti and Acunetix solutions, you only need to decide what keywords to focus on, such as your company name, brands, or products. Results are returned in seconds and then continuously updated in the future as the crawler works in the background. By default, Invicti asset discovery is initiated using the domain name of the user’s company email address.