Application security is an essential piece of a cybersecurity defense, alongside security information and event management (SIEM) systems and data security. If you're fairly new to AppSec, there are several testing methods you should be aware of. Each has its advantages, and the best results come from using them together.
- Static application security testing (SAST) tools are the front line of secure code development. SAST tools scan source code for known patterns of weakness that lead to vulnerabilities, so think of them as the first step in weeding out most defects. SAST tools are ideally integrated with the developer's integrated development environment (IDE) so that known weaknesses are flagged before code is committed. Most SAST tools support the major web platforms, Java and .NET, and static tools generally also support some form of C, C++, or C#. In addition to integrating with the developer's IDE, the tools should plug into your DevOps team's software delivery and integration pipeline. Static tools should run as often as practical, giving feedback directly to the developer and letting managers and the security team track progress in eliminating security defects. Bear in mind that SAST is pattern-based: it reports wherever a pattern matches, so findings need triage for false positives, and it cannot see defects that only appear in the deployed configuration.
- Dynamic application security testing (DAST) tools run against a deployed, running application (compiled or production code) and probe it for known vulnerability classes in its runtime environment. Also known as "black-box testing," dynamic analysis needs no source code and can locate many types of vulnerabilities in running applications. In most cases, organizations should run both dynamic and static testing: static analysis gives developers feedback and educates them at the same time, while dynamic analysis can give security teams a quick win by pinpointing vulnerabilities that are reachable from outside in either production or pre-production environments. DAST only exercises the parts of the application it can reach, so its coverage depends on how well the scanner can authenticate to and crawl the app.
- Interactive application security testing (IAST) tools perform what is often called "glass-box" testing. IAST runs an agent inside the application, either installed on the application server or added by instrumenting the application at build time, and collects data on application and security events while the application is exercised in pre-production environments. Because the agent sees both the incoming request and the code path it triggers, IAST can confirm issues that the other approaches miss or report only as possibilities.
- Runtime application self-protection (RASP) tools work "inside" an application's runtime environment to detect behavior that may indicate an attack is under way. RASP may be effective for legacy applications, where modifying the source code to fix vulnerabilities may not be an option. RASP tools are often used in combination with a web application firewall (WAF) guarding the perimeter of the runtime environment, while the RASP tool runs inside the production runtime itself. For more modern applications, that environment can include the VM or the container in which the application and its various components and APIs reside.
- Web application firewalls (WAF) inspect HTTP traffic at the perimeter of an application server's network. WAFs are signature-based devices, meaning that they apply "a set of rules to an HTTP conversation," as described on the OWASP website. "Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection." Because the rules match known patterns, a WAF must decode and normalize requests before matching and needs tuning to avoid both false positives and bypasses; it is a compensating control in front of the application, not a fix for the underlying vulnerability.
- Software composition analysis (SCA) inventories the foundational units of code, in particular the third-party and open source components, that make up a shippable application and checks them against databases of known vulnerabilities. SCA is growing increasingly popular given the wide use of open source components in an app's composition.
- Penetration testing (pen test) tools assess application vulnerability by mimicking the attacks an adversary would attempt on a live application, which makes pen testing essentially a form of dynamic analysis. Pen testing is often considered more thorough than DAST because it is not just an automated test: it combines automated tools, customized scripts, and manual testing by humans, and it can find business logic flaws that automated tools are not designed to find. Penetration testing will always have a place in the secure development lifecycle.
- SaaS-based application security testing services are one of the fastest growing markets for AppSec testing. Users can take a hybrid approach, combining on-premises tools with as-a-service testing, to meet scaling and compliance needs.
- Mobile security testing: mobile testing consists of static code analysis of mobile application source code, customized dynamic testing methods for compiled mobile apps (such as fuzzing), and testing of the server backend and services. The OWASP Mobile Application Security Verification Standard (MASVS) provides a good model for the verification needs of mobile apps.
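To make the WAF description concrete, here is an added example (not code from the original post or from any Fortify product) of a minimal signature engine in the style OWASP describes: a handful of constructed rules applied to the parameters of an HTTP conversation. The rule names, the regular expressions and the sample query strings are all assumptions constructed for this illustration. It also shows the caveat a practitioner cares about: the same SQL injection payload, percent-encoded twice, slips past an engine that matches raw values and is caught only after normalization.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed rule set in the spirit of the OWASP description: each rule is a
# name and a regular expression applied to decoded request parameter values.
# Real WAF rule sets are far larger; these four are illustrative only.
RULES = [
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli_union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
    ("xss_event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def normalize(value: str, max_passes: int = 3) -> str:
    """Percent-decode repeatedly until the value stops changing.

    parse_qsl already strips one layer of encoding; attackers double-encode
    (%2527 for the quote character) precisely because a naive engine matches
    only that first layer. Bounding the passes avoids decode loops.
    """
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(query: str, body: str = "", decode: bool = True):
    """Apply RULES to every parameter in the query string and form body.

    Returns a list of (rule_name, parameter_name) hits; an empty list means
    the request passed. decode=False shows what a WAF that matches raw
    values without normalization would see.
    """
    hits = []
    params = parse_qsl(query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for name, raw in params:
        value = normalize(raw) if decode else raw
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_name, name))
    return hits


# Constructed sample requests, as the query strings would appear on the wire.
BENIGN = "q=red+shoes&page=2"
SQLI = "q=%27+OR+%271%27%3D%271"                      # ' OR '1'='1
XSS_BODY = "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
DOUBLE_ENCODED = "q=%2527+OR+%25271%2527%253D%25271"  # same SQLi, encoded twice

if __name__ == "__main__":
    print("benign:", inspect_request(BENIGN))
    print("sqli:", inspect_request(SQLI))
    print("xss in body:", inspect_request("", XSS_BODY))
    print("double-encoded, raw match:", inspect_request(DOUBLE_ENCODED, decode=False))
    print("double-encoded, normalized:", inspect_request(DOUBLE_ENCODED))
```

The point of the last two calls is the one to carry away: a signature engine is only as good as the canonical form it matches against, which is why WAF deployments need both normalization and continuous tuning rather than a one-time rule import.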
If I were to pick my top takeaways from this, I’d say:
- Scanning source code (SAST) is essential, and the ideal tools cover a variety of programming languages.
- Dynamic scanning is complementary to static scanning: regardless of which you start with (SAST or DAST), mature AppSec programs use both approaches.
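An added example (written for this page, not taken from the original post or from any Fortify tool) of why the two approaches complement each other. The constructed sample source contains one SQL query built by string concatenation and one parameterized query. A tiny SAST-style rule walks the syntax tree and flags any `.execute()` call whose SQL is not a string literal, without running anything; a DAST-style probe then runs the code against a throwaway SQLite database with a classic tautology input and judges only from the observed result. Function names, the table layout and the rule itself are assumptions for the illustration.

```python
import ast
import sqlite3
import textwrap

# Constructed sample source of the kind a SAST tool would scan. The first
# function concatenates untrusted input into SQL (the CWE-89 pattern); the
# second parameterizes the query. Both are assumptions for this example.
SAMPLE_SOURCE = textwrap.dedent('''
    def find_user_unsafe(conn, name):
        cur = conn.cursor()
        cur.execute("SELECT id, name FROM users WHERE name = '" + name + "'")
        return cur.fetchall()

    def find_user_safe(conn, name):
        cur = conn.cursor()
        cur.execute("SELECT id, name FROM users WHERE name = ?", (name,))
        return cur.fetchall()
''')


class ExecuteArgVisitor(ast.NodeVisitor):
    """Static rule: an .execute()/.executemany() whose first argument is not a
    string literal builds its SQL at runtime and is a possible injection point.
    A real SAST engine follows data flow from sources to sinks; this rule only
    matches the sink shape, which is why SAST findings need triage."""

    def __init__(self):
        self.findings = []
        self.current_func = "<module>"

    def visit_FunctionDef(self, node):
        previous = self.current_func
        self.current_func = node.name
        self.generic_visit(node)
        self.current_func = previous

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany")
                and node.args):
            first = node.args[0]
            literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
            if not literal:
                self.findings.append((self.current_func, node.lineno, type(first).__name__))
        self.generic_visit(node)


def sast_scan(source: str):
    """Return (function, line, expression kind) for each flagged SQL sink."""
    visitor = ExecuteArgVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def dast_probe(source: str, func_name: str, probe: str) -> int:
    """Runtime check: load the code, seed a throwaway database, and count the
    rows a tautology input returns. A DAST scanner would send the same probe
    over HTTP and judge from the response; here the function is called
    directly so the example runs offline. Only the constructed sample is exec'd."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    rows = namespace[func_name](conn, probe)
    conn.close()
    return len(rows)


TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    for func, line, kind in sast_scan(SAMPLE_SOURCE):
        print(f"SAST: {func} line {line}: SQL built from {kind}")
    print("DAST unsafe rows:", dast_probe(SAMPLE_SOURCE, "find_user_unsafe", TAUTOLOGY))
    print("DAST safe rows:", dast_probe(SAMPLE_SOURCE, "find_user_safe", TAUTOLOGY))
```

The static rule tells the developer exactly which line to fix, before anything is deployed; the dynamic probe tells the security team that the deployed behavior is actually exploitable (three rows returned for a lookup that should match none), which is the quick win the article describes. Neither result on its own gives both pieces of information.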
This is part of a blog series pulling out some of the insights from The 2019 TechBeacon Buyer’s Guide to Application Security. Check out the report and share your feedback below.
About Micro Focus Fortify.
Fortify offers end-to-end application security solutions with the flexibility of testing on-premises and on-demand to cover the entire software development lifecycle. Complete software security assurance with Fortify on Demand, our application security as a service, integrates static, dynamic and mobile AppSec testing with continuous monitoring for web apps in production.