Fortify on Demand: What 8-hours of Manual Testing Can Do For Your AppSec Program

by in Security

Fortify on Demand offers application security testing as a service to help you build your security program without the extra cost of infrastructure or the need to train security professionals. Because we understand that some of your applications are high risk and critical to your business, we also offer an extra 8 hours of manual testing to further ensure those applications are secure. Before we jump into the details, let’s start from the beginning and look at what Dynamic Application Security Testing (DAST) is and how it fits within your business’ needs.

What is Dynamic Application Security Testing (DAST)? 

Here’s a simple overall definition: Dynamic Application Security Testing (DAST) is the process of analyzing a running web application through its front end, using simulated attacks, to find vulnerabilities before the application is deployed to the public. This approach evaluates the application from the “outside in” by attacking it the way a malicious user would. You can test your applications immediately, without requiring access to the source code. Once the DAST scanner has performed these attacks, it looks for responses that are not part of the expected result set and reports them as security vulnerabilities.

Why should you perform DAST?

Let’s look at the numbers: an analysis of Fortify on Demand (FoD) vulnerability data shows that 94% of over 11,000 Web applications contained bugs in security features, while code quality and API abuse issues have roughly doubled over the past four years (2019 Micro Focus Application Security Risk Report). Where would your applications fit? Within the 94%? Maybe it’s time to look into using a DAST solution. 

CyberRes Fortify WebInspect provides automated dynamic application security testing so you can scan for and fix exploitable web application vulnerabilities. It complements Static Application Security Testing of source code, because DAST identifies vulnerabilities that can be detected only in a live or simulated production environment.

What does Fortify DAST offer? 

Fortify on Demand Dynamic Application Security Testing (DAST) assessments mimic real-world hacking techniques and attacks against the targeted applications. They provide comprehensive security analysis of complex web applications and web services by crawling the entire attack surface to find exploitable vulnerabilities. With Fortify on Demand DAST, you can also test internal applications, either through a site-to-site VPN or by whitelisting Fortify on Demand’s official data center IP addresses.

The extra mile: Fortify on Demand Dynamic+ 

Some of your applications might require extra attention, so additional manual analysis by the Fortify on Demand team becomes necessary to identify all potential vulnerabilities, particularly for applications that collect Personally Identifiable Information (PII) or process financial transactions. The higher the potential risk of an application breach to your business, the more manual testing and analysis may be necessary. Our Dynamic+ offering tests web applications and web services and includes up to 8 hours of manual testing by multiple highly trained testers, who focus on the most common vulnerabilities found in the OWASP Top 10 and NIST lists. Some of the testing includes:

Vulnerability | Risk | Manual Testing Solution
--- | --- | ---
Broken authentication | Attackers can gain unauthorized access to user accounts | Check for possible weaknesses in the authentication mechanism
Broken session management | Session hijacking can occur from the presence of session vulnerabilities | Detect session configurations that can be combined to produce account takeovers
Out-of-band SQLi or XSS | Cannot be detected by classic request-response interaction | Take well-known attack inputs and craft them to test for the presence of out-of-band vulnerabilities
Business logic | Issues in the design and implementation of the web app | Detection relies on the skills of the security tester
Information disclosure | Exposes additional attack surfaces and other vulnerabilities | Disclose and report any published known vulnerabilities associated with the software version
Weak access control | Grants access to resources to users who should not have permission | Automated scanners cannot recognize changed identifier values as a bypassed control; a tester can

Application security might seem overwhelming, yet it is crucial to your business. Fortify on Demand can help you start and evolve your application security program.
