E-SPIN
Wednesday, 14 November 2018 / Published in Solution

Application Security Testing (AST) Guideline

Let's get real: 85% of enterprise security breaches are carried out by exploiting vulnerabilities at the application layer. Yet we still see many organisations invest heavily in network security while neglecting to fund the most important portion, application security. An extensive range of application security testing (AST) tools is on the market, and each vendor claims its technology solves a different set of problems. This confuses IT leaders, developers, engineers and analysts about which technology and tool addresses what, especially those who have not been in the industry for ten years or more; they are easily swayed by commercial advertising claiming that a vendor's product is the best of the best, or the best fit for the enterprise problem at hand.

So, let's get started navigating the technologies in this domain.

First of all, you need to understand that no matter how advanced the system and tools you invest in, there is no such thing as 100% false-positive-free testing. Even the most expert application pen tester will miss one or two issues, particularly in industries the tester is not really expert in. The purpose of investing in an application security testing (AST) tool or advanced system is to reduce the risk in applications; it cannot eliminate that risk completely, since risk can also be introduced by users (simple passwords, shared passwords) or by linked third-party systems that cause the breach, and so on.

In regulated industries, the use of application security testing (AST) is mandated for regulatory compliance. It is also widely used by internal or external consultants and auditors to perform application security testing audits, and by developers for quality assurance (QA) before rolling an application out into production.

New vulnerabilities are introduced daily. Manual application security testing (AST), assessment or audit without up-to-date tools is time consuming, and most likely ends as testing with outdated tools and systems, which results in a false perception of security. For a large enterprise with a high volume of applications, completing the work, tasks and duties on time without some sort of AST tool or system is simply impossible.

No matter what words a vendor uses to make its product look special and unique, it eventually falls under one of the categories in this application security testing (AST) Tools Pyramid (see screenshot below).

To avoid bias toward or preference for any vendor's technologies, we use the most widely accepted categories for defining these tools.

Vendors' product offerings do not always divide cleanly along these boundaries: a product can be generic enough to cover most categories, or specialise in one domain while providing advanced and extensive coverage there.

Dynamic Application Security Testing (DAST)

DAST tools are commonly referred to as black-hat or black-box testing tools, where the tester has no prior knowledge of the system, or is supplied with credentials to perform credentialed testing that goes beyond the surface (non-credentialed testing). DAST is the tool most commonly used by IT security and auditors, whereas SAST is more commonly used by developers. DAST tools perform runtime tests on operating code to detect issues with interfaces, requests, responses, scripting, data injection, session hijacking, authentication bypass, form bypassing and more. DAST tools also employ fuzzing, supplying invalid and unexpected test cases to an application, to test for buffer overflows as well.

Static Application Security Testing (SAST)

SAST tools are sometimes referred to interchangeably as white-hat or white-box testing, where the tester, analyst or developer has information about the system or application being tested, including an architecture diagram, access to source code, etc. In brief, SAST tools examine source code (at rest) and attempt to detect and report weaknesses that can lead to security vulnerabilities. Source code analysers run on non-compiled code to check for defects, and are often installed in the developer's IDE (integrated development environment) such as Microsoft Visual Studio or Eclipse for Java. Once developers finish writing the program code, they can scan it for a quick check and correct problems at the very beginning of the application lifecycle.

Origin Analysis/Software Composition Analysis (SCA)

Most of the time, developers do not build everything themselves; they purchase or make use of third-party or open-source components and integrate them into the system. The real concern is often those third-party components, for which you most likely do not have the source code but which are embedded in your application. SCA tools are used to find common and popular libraries and components, particularly open-source pieces. They work by comparing known modules found in the code against a list of known vulnerabilities, i.e. a reputation check. If SCA tools find components with known and documented vulnerabilities, they advise whether the components are out of date or have patches available. They do not, however, detect vulnerabilities in in-house custom-developed components. Where custom-developed modules without source code need to be x-rayed, binary SAST is commonly used: it reverses the binary and then examines the code inside. To make this comparison, almost all SCA tools use the NIST National Vulnerability Database (NVD) and its Common Vulnerabilities and Exposures (CVEs) as a source of known vulnerabilities. Many commercial SCA products also use the VulnDB commercial vulnerability database as a source, as well as other public and proprietary sources. SCA tools can run on source code, byte code, binary code, or some combination.
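The reputation check described above, as an added illustration for this guideline rather than E-SPIN's or any vendor's code: components pinned in a constructed dependency manifest are matched against a constructed vulnerability feed with affected and fixed version ranges, and the in-house component shows the blind spot SCA has by design. The advisory ids are placeholders, not real CVE numbers.

```python
"""Minimal Software Composition Analysis (SCA) style check.

Added illustration, not E-SPIN's or any vendor's code. The manifest and the
feed below are constructed samples; the advisory ids are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed dependency manifest (pip requirements.txt style).
MANIFEST = """\
requests==2.19.0
pyyaml==3.12
flask==1.1.2
urllib3==1.24.1
inhouse-billing==0.4.0   # custom component, never appears in a public feed
"""

# Constructed vulnerability feed in the spirit of NVD/CVE data:
# component -> [(advisory id, first affected version, first fixed version)].
VULN_FEED: Dict[str, List[Tuple[str, str, str]]] = {
    "requests": [("CVE-XXXX-0001", "2.0.0", "2.20.0")],
    "pyyaml":   [("CVE-XXXX-0002", "0.0.0", "5.1")],
    "urllib3":  [("CVE-XXXX-0003", "1.0.0", "1.24.2"),
                 ("CVE-XXXX-0004", "1.0.0", "1.25.9")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.24.1' -> (1, 24, 1); trailing zeros dropped so 5.1 == 5.1.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {component: pinned version} for 'name==version' lines."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        name, _, version = line.partition("==")
        if version:
            deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Reputation check: (component, version, advisory, fixed_in) per hit.

    A version is affected when first_affected <= version < first_fixed, so
    fixed_in tells the team which upgrade clears the finding.
    """
    hits = []
    for name, version in deps.items():
        ver = parse_version(version)
        for advisory, affected, fixed in VULN_FEED.get(name, []):
            if parse_version(affected) <= ver < parse_version(fixed):
                hits.append((name, version, advisory, fixed))
    return hits


def unknown_components(deps: Dict[str, str]) -> List[str]:
    """Components absent from the feed: SCA can say nothing about these."""
    return sorted(n for n in deps if n not in VULN_FEED)
```

A component such as the constructed inhouse-billing is reported as unknown rather than clean, which is why the text sends custom modules without source to binary SAST instead.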

Interactive Application Security Testing (IAST) and Hybrid Tools

Hybrid approaches have been available for a long time, but more recently have been categorized and discussed using the term IAST. IAST tools use a combination of static and dynamic analysis techniques. They can test whether known vulnerabilities in code are actually exploitable in the running application.

IAST tools use knowledge of application flow and data flow to create advanced attack scenarios and use dynamic analysis results recursively: as a dynamic scan is being performed, the tool will learn things about the application based on how it responds to test cases. Some tools will use this knowledge to create additional test cases, which then could yield more knowledge for more test cases and so on. IAST tools are adept at reducing the number of false positives, and work well in Agile and DevOps environments where traditional stand-alone DAST and SAST tools can be too time intensive for the development cycle.

Depending on the actual use case and budget allocation, this can be an integration of SAST and DAST results that takes the best of both tools, or a generically developed IAST product that provides basic coverage of both.

Database Security Scanning

The database itself is an application. For enterprise applications it is common to deploy a database security scanner to perform database vulnerability scans as well as user rights reviews. Database-security-scanning tools check for updated patches and versions, weak passwords, configuration errors, access control list (ACL) issues, and more. Some tools can mine logs looking for irregular patterns or actions, such as excessive administrative actions. Database scanners generally run on the static data that is at rest while the database-management system is operating. Some scanners can also monitor data in transit, i.e. database activity monitoring (DAM).

Mobile Application Security Testing (Mobile AST)

Mobile AST has been developing widely since the first smartphones came to market. Mobile AST tools are a blend of static, dynamic, and forensic analysis. They perform some of the same functions as traditional static and dynamic analyzers but also enable mobile code to be run through many of those analyzers. Mobile AST tools have specialized features that focus on issues specific to mobile applications, such as jail-breaking or rooting of the device, spoofed Wi-Fi connections, handling and validation of certificates, prevention of data leakage, and more.

Application Security Testing as a Service (ASTaaS)

Not all customers will find it worthwhile to invest in all the tools and systems, and to hire and train staff to perform the required AST, particularly for one-off, ad hoc or on-demand project work. Outsourcing to appointed industry experts who know how to use the AST tools, and paying for it as a service, is a widely adopted business practice. It also suits cases that require third-party testing and an independent report for regulatory compliance purposes.

Correlation Tools

For large and global corporations dealing with applications at global scale, false positives are a big issue in application security testing (AST). AST correlation tools can help reduce some of the noise by providing a central repository for findings from the other AST tools. The purpose is to consolidate all the tools' reports and findings into a single reporting platform, from which the whole team works together: marking false positives, prioritising which vulnerabilities to act on, assigning owners, tracking status and so on. It usually includes validation, such as exporting a vulnerability to a penetration testing tool or framework to confirm with an exploitation test whether it is indeed a serious vulnerability. Obviously this type of tool is not for everyone; it is for big teams, divisions, departments and units whose complex vulnerability tracking requires a consolidated dashboard.
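The consolidation step of a correlation tool, as an added illustration for this section and not E-SPIN's or any vendor's code: three constructed tool reports (SAST, DAST, SCA) with different field names are normalised to one schema, merged on weakness and location, ranked for triage, and a false-positive decision is recorded once for every tool's copy of the finding. The CWE ids and file paths are constructed sample values.

```python
"""Correlating findings from several AST tools into one repository.

Added illustration, not E-SPIN's or any vendor's code. All reports below are
constructed samples with the differing field names real tools emit.
"""
from typing import Dict, List

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed raw reports; each tool uses its own field names, as in practice.
SAST_REPORT = [
    {"rule": "CWE-89", "file": "app/orders.py", "line": 42, "sev": "high"},
    {"rule": "CWE-79", "file": "app/views.py", "line": 118, "sev": "medium"},
    {"rule": "CWE-327", "file": "app/crypto.py", "line": 7, "sev": "low"},
]
DAST_REPORT = [  # code_ref is set when the scanner could map the URL to code
    {"cwe": 89, "url": "/orders?id=", "code_ref": "app/orders.py:42", "risk": "High"},
    {"cwe": 352, "url": "/account/email", "code_ref": None, "risk": "Medium"},
]
SCA_REPORT = [
    {"component": "pyyaml==3.12", "cwe": "CWE-502", "severity": "critical"},
]


def normalise(tool: str, raw: dict) -> dict:
    """Map one tool's record onto the repository's common schema."""
    if tool == "sast":
        cwe, sev, loc = raw["rule"], raw["sev"], f'{raw["file"]}:{raw["line"]}'
    elif tool == "dast":
        cwe, sev, loc = f'CWE-{raw["cwe"]}', raw["risk"], raw["code_ref"] or raw["url"]
    elif tool == "sca":
        cwe, sev, loc = raw["cwe"], raw["severity"], raw["component"]
    else:
        raise ValueError(f"unknown tool {tool}")
    return {"tool": tool, "cwe": cwe, "severity": sev.lower(), "location": loc}


def correlate(reports: Dict[str, List[dict]]) -> List[dict]:
    """Merge findings sharing (CWE, location) and record which tools agree."""
    merged: Dict[tuple, dict] = {}
    for tool, items in reports.items():
        for raw in items:
            f = normalise(tool, raw)
            entry = merged.setdefault((f["cwe"], f["location"]), {
                "cwe": f["cwe"], "location": f["location"],
                "severity": f["severity"], "tools": set(), "status": "open"})
            entry["tools"].add(tool)
            # Keep the highest severity any tool assigned to the same weakness.
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    return list(merged.values())


def prioritise(findings: List[dict]) -> List[dict]:
    """Open findings by severity, then by tool agreement: a weakness seen by
    both SAST and DAST is a static result confirmed reachable at runtime."""
    return sorted((f for f in findings if f["status"] == "open"),
                  key=lambda f: (SEVERITY_RANK[f["severity"]], len(f["tools"])),
                  reverse=True)


def mark_false_positive(findings: List[dict], cwe: str, location: str) -> bool:
    """One triage decision covers every tool's copy of the same finding."""
    for f in findings:
        if f["cwe"] == cwe and f["location"] == location:
            f["status"] = "false_positive"
            return True
    return False
```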

Test-Coverage Analyzers

Test-coverage analyzers measure how much of the total program code has been analyzed. The results can be presented in terms of statement coverage (percentage of lines of code tested) or branch coverage (percentage of available paths tested), or unit code coverage (useful for complex and large scale application development and testing).

For large applications, acceptable levels of coverage can be determined in advance and then compared to the results produced by test-coverage analyzers to accelerate the testing-and-release process. These tools can also detect if particular lines of code or branches of logic are not actually able to be reached during program execution, which is inefficient and a potential security concern. Some SAST tools incorporate this functionality into their products, but standalone products also exist.

Since coverage analysis is being incorporated into some of the other AST tool types, standalone coverage analyzers are mainly for niche use. In most cases they are used by developers, business analysts and project owners who need to keep track of application development, including code security coverage.

Application Security Testing Orchestration (ASTO)

ASTO integrates security tooling across a software development lifecycle (SDLC). While the term ASTO was newly coined by Gartner, since this is an emerging field, there are tools that have been doing ASTO already, mainly those created by correlation-tool vendors. The idea of ASTO is to have central, coordinated management and reporting of all the different AST tools running in an ecosystem. It is still too early to know whether the term and product lines will endure, but as automated testing becomes more ubiquitous, ASTO does fill a need. This is the class for those looking at DevSecOps (the older term being DevOps) and continuous integration and continuous delivery (CI/CD) workflows.

E-SPIN has been active in the application security testing (AST) market since 2005, delivering an extensive range of AST tools and systems for project- to national-scale requirements, including the hardware, related and complementary software, and services such as product training and system maintenance support. Feel free to contact E-SPIN for your operational or project requirements.

Tagged under: Application Security Testing (AST)
