Let's get real: 85% of enterprise security breaches are carried out by exploiting vulnerabilities at the application layer. Yet we still see many people investing heavily in network security while neglecting to allocate investment to the most important portion, application security.
With the extensive range of application security testing (AST) tools on the market and the many different technologies they claim to cover, most IT leaders, developers, engineers and analysts are confused about which technology and tool addresses what. This is particularly so for people who have not been in the industry for 10 years or more, who are easily manipulated by commercial advertising and vendor claims that a product is the best of the best, or the best fit for the enterprise problem at hand.
So, let's get started navigating the technologies in this domain.
First of all, you need to understand that no matter how advanced the systems and tools you invest in, there is no such thing as 100% false-positive free. Even if you hire the most expert application pen tester, they will miss one or two issues, particularly in industries the application tester is not really expert in. The purpose of an enterprise investing in an application security testing (AST) tool or advanced system is to reduce the risk in applications; it cannot completely eliminate it (since risk can be user-introduced, such as using simple passwords or sharing passwords, or a linked 3rd-party system can cause the breach, and so on).
In regulated industries, the use of application security testing (AST) is mandated for regulatory compliance. It is also widely used by internal or external consultants and auditors to perform application security testing audits, and by developers to perform quality assurance (QA) before rolling out an application into production.
New vulnerabilities are introduced daily. Manual application security testing (AST), assessment or audit without updated tools is time consuming, and most likely ends in testing with out-of-date tools and systems, resulting in a false sense of security. For a large enterprise with a large volume of applications, it is simply impossible to complete the work on time without some sort of application security testing (AST) tool or system.
No matter what words vendors use to make their products look special and unique, each eventually falls under one of the offerings within this application security testing (AST) Tools Pyramid (see screenshot below).
To avoid being biased toward or preferring any vendor's technologies, we use the most widely accepted categories to define these tools.
Vendor product offerings do not always divide clearly along these boundaries: a product can be generic enough to cover most categories, or specialise in one domain but provide advanced and extensive coverage.
Dynamic Application Security Testing (DAST)
DAST tools are commonly referred to as black-hat or black-box testing tools, where the tester has no prior knowledge of the system. The tester can also be supplied with credentials to perform credential-based testing that goes beyond the surface (non-credentialed testing). DAST is the tool most commonly used by IT security staff and auditors, whereas SAST is more commonly used by developers. DAST tools perform runtime tests on operating code to detect issues with interfaces, requests, responses, scripting, data injection, session hijacking, authentication bypass, form bypass and more. DAST tools also employ fuzzing, supplying invalid and unexpected test cases to an application, to test for buffer overflows as well.
Static Application Security Testing (SAST)
SAST tools are sometimes referred to interchangeably as white-hat or white-box testing, where the tester, analyst or developer knows information about the system or application being tested, including an architecture diagram, access to source code, etc. In brief, SAST tools examine source code (at rest) and attempt to detect and report weaknesses that can lead to security vulnerabilities. Source code analysers run on non-compiled code to check for defects, and are usually installed in the developer's IDE (integrated development environment) such as Microsoft Visual Studio, Java Eclipse, etc. Once the developer finishes writing the program code, they can scan it for a quick check and correct problems at the very beginning of the application cycle.
Origin Analysis/Software Composition Analysis (SCA)
Most of the time, developers do not develop everything on their own; they may purchase or make use of 3rd-party or open-source components and integrate them into the system. Sometimes the real concern is those 3rd-party components that are embedded in your application and for which you most likely do not have source code. SCA tools are used to find common and popular libraries and components, particularly open-source pieces. They work by comparing known modules found in code to a list of known vulnerabilities, i.e. a reputation check. When SCA tools find components that have known and documented vulnerabilities, they advise whether the components are out of date or have patches available. They do not, however, detect vulnerabilities in in-house custom-developed components. For cases that require x-raying custom-developed modules without source code, binary SAST is commonly used: it reverses the binary and then examines the code inside. To make this comparison, almost all SCA tools use the NIST National Vulnerability Database Common Vulnerabilities and Exposures (CVEs) as a source for known vulnerabilities. Many commercial SCA products also use the VulnDB commercial vulnerability database as a source, as well as some other public and proprietary sources. SCA tools can run on source code, byte code, binary code, or some combination.
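The comparison step described above can be sketched as follows. This is an added example, not code from any SCA product; the manifest format, package names, versions and advisory IDs are all constructed, and versions are assumed to be plain dotted integers.

```python
# Added example: SCA-style matching of declared components against advisories.
# Package names, versions and advisory IDs are constructed for illustration.
from collections import namedtuple

# introduced = first affected version (inclusive)
# fixed      = first patched version (exclusive), or None when no patch exists
Advisory = namedtuple("Advisory", "advisory_id package introduced fixed")

ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "1.0.0", "1.4.2"),
    Advisory("EXAMPLE-0002", "demo-parser", "2.0.0", None),
]

MANIFEST = """\
# constructed dependency manifest
examplelib==1.3.9
demo-parser==2.1.0
safe-lib==3.2.1
inhouse-billing==0.9.0   # custom component: no advisory will ever list it
"""

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    """Return {package: version} from 'name==version' lines."""
    components = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            name, _, version = line.partition("==")
            components[name.strip().lower()] = version.strip()
    return components

def scan(components, advisories):
    """Report components whose version falls inside an advisory's range."""
    findings = []
    for adv in advisories:
        version = components.get(adv.package)
        if version is None:
            continue                           # component not in use
        current = parse_version(version)
        if current < parse_version(adv.introduced):
            continue                           # older than the affected range
        if adv.fixed and current >= parse_version(adv.fixed):
            continue                           # already on a patched release
        action = f"upgrade to {adv.fixed}" if adv.fixed else "no patch available"
        findings.append((adv.package, version, adv.advisory_id, action))
    return findings
```

The in-house component passes through silently because nothing in the advisory list names it, which is the blind spot the paragraph describes.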
Interactive Application Security Testing (IAST) and Hybrid Tools
Hybrid approaches have been available for a long time, but more recently have been categorized and discussed using the term IAST. IAST tools use a combination of static and dynamic analysis techniques. They can test whether known vulnerabilities in code are actually exploitable in the running application.
IAST tools use knowledge of application flow and data flow to create advanced attack scenarios and use dynamic analysis results recursively: as a dynamic scan is being performed, the tool will learn things about the application based on how it responds to test cases. Some tools will use this knowledge to create additional test cases, which then could yield more knowledge for more test cases and so on. IAST tools are adept at reducing the number of false positives, and work well in Agile and DevOps environments where traditional stand-alone DAST and SAST tools can be too time intensive for the development cycle.
Depending on the actual use case and budget allocation, this can be an integrated SAST and DAST result that makes use of the best of both tools, or a generically developed IAST offering that provides basic coverage for both.
Database Security Scanning
The database is itself an application. For enterprise applications, it is common to deploy a database security scanner to perform database vulnerability scans as well as user rights reviews. Database-security-scanning tools check for updated patches and versions, weak passwords, configuration errors, access control list (ACL) issues, and more. Some tools can mine logs looking for irregular patterns or actions, such as excessive administrative actions. Database scanners generally run on the static data that is at rest while the database-management system is operating. Some scanners can monitor data that is in transit, i.e. database activity monitoring (DAM).
Mobile Application Security Testing (Mobile AST)
Mobile AST has been widely developed since the first smartphones came to market. Mobile AST tools are a blend of static, dynamic, and forensics analysis. They perform some of the same functions as traditional static and dynamic analyzers but enable mobile code to be run through many of those analyzers as well. Mobile AST tools have specialized features that focus on issues specific to mobile applications, such as jail-breaking or rooting of the device, spoofed Wi-Fi connections, handling and validation of certificates, prevention of data leakage, and more.
Application Security Testing as a Service (ASTaaS)
Not all customers will find it worthwhile to invest in all the tools and systems, and to hire and then train employees to perform the required AST, particularly for one-off, ad hoc or project on-demand needs. Outsourcing to appointed industry experts who know how to use the AST tools, and paying for them as a service, is a widely adopted business practice. It is also suitable for cases that require 3rd-party testing and an independent report for regulatory compliance purposes.
Correlation Tools
Correlation tools are for large, global corporations dealing with global-scale applications. Dealing with false positives is a big issue in application security testing (AST). AST correlation tools can help reduce some of the noise by providing a central repository for findings from other AST tools. The purpose is to consolidate all the tools' reports and findings into a single reporting platform, where all teams work together to mark false positives, prioritise which vulnerabilities to act on, assign owners, track status, etc. They usually include validation, such as allowing a vulnerability to be exported for testing with exploitation and penetration testing tools and frameworks, to validate whether it is indeed a serious vulnerability. Obviously, this type of tool is not for everyone; it is for big teams, divisions, departments and units whose complex vulnerability tracking requires a consolidated dashboard.
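The consolidation and triage flow described above, as an added example that is not taken from any correlation product. The tool names, CWE numbers, locations and severities are constructed, and it assumes each tool's output has already been normalised to a shared location label.

```python
# Added example: correlating findings from several AST tools.
# Tool names, CWE numbers, locations and severities are constructed sample data.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

RAW_FINDINGS = [
    {"tool": "sast", "cwe": 89, "location": "/login", "severity": "high"},
    {"tool": "dast", "cwe": 89, "location": "/login", "severity": "critical"},
    {"tool": "dast", "cwe": 79, "location": "/search", "severity": "medium"},
    {"tool": "sca", "cwe": 502, "location": "examplelib", "severity": "high"},
    {"tool": "sast", "cwe": 798, "location": "/config", "severity": "low"},
]
# Triage decisions recorded by the team, keyed the same way as the findings.
FALSE_POSITIVES = {(798, "/config")}

def correlate(raw, false_positives=frozenset()):
    """Merge duplicate reports of the same weakness at the same location."""
    merged = {}
    for f in raw:
        key = (f["cwe"], f["location"])
        entry = merged.setdefault(key, {
            "cwe": f["cwe"], "location": f["location"],
            "severity": f["severity"], "tools": set(), "status": "open",
        })
        entry["tools"].add(f["tool"])
        # Keep the highest severity any tool assigned.
        if SEVERITY[f["severity"]] > SEVERITY[entry["severity"]]:
            entry["severity"] = f["severity"]
    for key in false_positives:
        if key in merged:
            merged[key]["status"] = "false-positive"
    return merged

def work_queue(merged):
    """Open findings, most severe first; ties go to findings seen by more tools."""
    open_items = [e for e in merged.values() if e["status"] == "open"]
    return sorted(
        open_items,
        key=lambda e: (-SEVERITY[e["severity"]], -len(e["tools"]), e["location"]),
    )
```

Five raw reports collapse to four tracked findings, and the one marked as a false positive stays in the repository but drops out of the work queue.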
Test-Coverage Analyzers
Test-coverage analyzers measure how much of the total program code has been analyzed. The results can be presented in terms of statement coverage (percentage of lines of code tested) or branch coverage (percentage of available paths tested), or unit code coverage (useful for complex and large scale application development and testing).
For large applications, acceptable levels of coverage can be determined in advance and then compared to the results produced by test-coverage analyzers to accelerate the testing-and-release process. These tools can also detect if particular lines of code or branches of logic are not actually able to be reached during program execution, which is inefficient and a potential security concern. Some SAST tools incorporate this functionality into their products, but standalone products also exist.
Since the functionality of analyzing coverage is being incorporated into some of the other AST tool types, standalone coverage analyzers are mainly for niche use. In most cases, they are mainly used by developers, business analysts and project owners who need to keep track of application development, including code security coverage.
Application Security Testing Orchestration (ASTO)
ASTO integrates security tooling across a software development lifecycle (SDLC). While the term ASTO is newly coined by Gartner since this is an emerging field, there are tools that have been doing ASTO already, mainly those created by correlation-tool vendors. The idea of ASTO is to have central, coordinated management and reporting of all the different AST tools running in an ecosystem. It is still too early to know if the term and product lines will endure, but as automated testing becomes more ubiquitous, ASTO does fill a need. This is the class for those looking for DevSecOps (old term DevOps) and continuous integration and continuous delivery (CI/CD) system workflows.
E-SPIN has been active in the application security testing (AST) market since 2005, delivering an extensive range of AST tools and systems for requirements from project to national scale, including the hardware and related and complementary software and services, such as product training and system maintenance support. Feel free to contact E-SPIN for your operation or project requirements.