How can I speed up failure for a .net IIS app
Posted by SnooRobots3722@reddit | sysadmin | 16 comments
Our app is taking days to be tested on our pentest server (by a web-based service called app-check), any tips for speeding up the time to failure? The biggest grind is it going through 1000s of different types of URL hack.
I saw a suggestion for lowering the timeouts (so it fails faster); any other tips (that won't invalidate the "like-liveness" of the tests)?
It runs on a Windows AWS EC2 instance with RDS Microsoft SQL and an AWS Application Load Balancer at the front.
ChatGPT's suggestions all seemed to be taking it away from being "like live".
Helpjuice@reddit
You say it runs on RDS and EC2, but what instance types, and what are the usage and performance metrics telling you?
Are you running on slow shared instances or beefy fast cpu focused instances with very fast storage?
Look at the metrics and fix the bottlenecks if any. The application and load balancer may be slowing it down if it is something that has not had a proper ticket created with AWS before the penetration test began like you are supposed to create in advance here.
brokenpipe@reddit
You might want to consider bringing this out of the cloud. I'm all pro cloud, but certain static things like this are better on beefy bare metal (or via Proxmox) locally. I was reading an article that in one case they saw a 40 minute test go down to 4 minutes when they brought the workloads out of the cloud.
Food for thought
SirLoremIpsum@reddit
This attitude is how we got to the problem of the cloud in the first place.
Blindly saying "bring it out of the cloud w/ a beefy Proxmox and your workload will be faster by 90%" is just as bad as "make it to the cloud and you'll save!".
What workload? What process? Why was it quicker? Did you not spec the cloud correctly?
Understanding the reasons why such a process is better locally is the point.
Not "go on prem it's faster".
No one wants to analyse anymore. Just "here's a solution that matches my beliefs it's applicable all the time"
brokenpipe@reddit
FWIW I'm not disagreeing with you. I am more advocating for a workload-based process vs all on-prem or cloud. I was simply mentioning that I read an article where similar testing patterns that remained static did better on-prem.
That said, you’re right that I don’t know the ins and outs of OP’s specific workload for this to necessarily see better performance on prem. Fair enough.
N0bleC@reddit
100% this. Don't try to solve problem x with a solution meant for problem y.
MavZA@reddit
It’s nice knowing there are likeminded peers out there. Too many people sit around insisting “IT HAS TO BE ONE WAY OR THE OTHER,” and thankfully those people seem contained to their small little boxes where they aren’t consequential. I’ve worked on some great, impactful systems that mentors and I set up, a good mix of on-prem and cloud, and they work well because each component fits its use case. So many people refuse to assess properly and just shove in whatever their personal preference is rather than what’s actually correct.
atheenaaar@reddit
Have you read the manual instead of asking chatgpt?
https://support.appcheck-ng.com/hc/en-us/articles/360021488053-Making-Scans-Faster#h_01GKKZE7WAZNBTY4VYPNAV32XA
Seems to have a few ideas on how to make it run more efficiently.
BinarySo10@reddit
Does app-check run these urls sequentially...? My first instinct is to suggest parallelizing the requests, by splitting up the test into multiple smaller tests and have them run at the same time. If your webserver can't handle more than one request at a time, you have bigger problems...
atheenaaar@reddit
That's wild, lower a web-based application's timeouts to give 503 response codes instead of allowing it to find a vulnerability?
smoothvibe@reddit
Shut down the DCs
Brather_Brothersome@reddit
If speed is your thing, get a copy of Acunetix and let it scan. If it finds something, it will tell you how to fix it.
fdeyso@reddit
AppCheck is slow AF, 4-5x slower than Nessus in some cases.
Signal_Till_933@reddit
Yea hire a real pentester
CGS_Web_Designs@reddit
Is your app designed to deliver proper 404 errors when a non-existent URL is requested? If you're waiting for a timeout on those, it's gonna take way longer, when a 404 is near-instantaneous.
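One way to check the point above on your own server, as an added example that is not from the thread or from any commenter: summarise the `time-taken` column of the IIS W3C log per status code, so you can see whether unknown URLs really return a fast 404 and which status codes (typically 500s from unhandled exceptions or hanging DB calls) are eating the scanner's wall-clock time. The log lines below are constructed samples, not a real server's log.

```python
"""Summarise IIS W3C log 'time-taken' (milliseconds) per sc-status.
Constructed sample data; parsing follows the #Fields header IIS writes."""
import statistics
from collections import defaultdict

# Constructed IIS W3C extended-format excerpt; '-' means an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /login - 200 120
2024-05-01 10:00:02 10.0.0.5 GET /doesnotexist - 404 15
2024-05-01 10:00:02 10.0.0.5 GET /admin/old.aspx - 404 12
2024-05-01 10:00:03 10.0.0.5 GET /api/item id=abc 500 30015
2024-05-01 10:00:33 10.0.0.5 GET /api/item id=%00 500 29980
2024-05-01 10:01:05 10.0.0.5 GET /api/item id=9 200 95
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names, in column order
        elif line.startswith("#") or not line.strip():
            continue                            # other directives / blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines
                yield dict(zip(fields, values))

def time_by_status(text):
    """Return {sc-status: (count, median_ms, max_ms)} over all parsed requests."""
    buckets = defaultdict(list)
    for rec in parse_w3c(text):
        buckets[rec["sc-status"]].append(int(rec["time-taken"]))
    return {s: (len(v), statistics.median(v), max(v)) for s, v in buckets.items()}

def slow_statuses(text, median_ms=5000):
    """Status codes whose median response time exceeds median_ms.
    A scanner sending thousands of bad URLs spends its time here, so these
    are the code paths (exceptions, DB timeouts) worth fixing first."""
    return sorted(s for s, (_, med, _) in time_by_status(text).items() if med > median_ms)

if __name__ == "__main__":
    for status, (n, med, mx) in sorted(time_by_status(SAMPLE_LOG).items()):
        print(f"{status}: {n} requests, median {med:.0f} ms, max {mx} ms")
    print("slow status codes:", slow_statuses(SAMPLE_LOG))
```

Point it at a real `u_ex*.log` from `C:\inetpub\logs\LogFiles` (read the file instead of `SAMPLE_LOG`); a 404 bucket with a median in the tens of milliseconds is what you want to see, and a 500 bucket near your request timeout is the grind the thread is describing.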
Constant-Pear4561@reddit
Relax. Just wait. Your shit app isn’t going to save the world.
enby_dot_local@reddit
Wat