Next Generation Application Security Testing (NGAST) is nothing new: it borrows the naming convention that took firewalls to next generation firewalls (NGFW), hence the term Next Generation Application Security Testing (NGAST). Anyone involved in application security testing (AST) for 10 years or more will know that the technology keeps advancing, and that various major technology shifts, both outside AST and adjacent to it, keep reshaping what is considered the technology and the use case for it. In the very beginning, the standard norm involved two heavily used application security testing (AST) approaches, addressing development and security respectively.
This is where the two mainstream approaches of the time were invented. Static application security testing (SAST) addressed the development department and the developer's need for guided secure code scanning, whether for an entire team project or as a plugin in the developer's Integrated Development Environment (IDE) that triggers scanning while they are still writing application code. This is the most cost effective solution because it deals with the program code and its vulnerabilities at the very early stage of the application development lifecycle. The more secure and higher quality the code being produced, the less likely it is to need fixing and maintaining later.
The other approach targets the security department, which is involved in dynamic or black box testing: attempting to find out whether any vulnerabilities exist during the security assurance (SA) or production phase. Since no source code is involved here, the term black box testing is usually used; static application security testing (SAST) is correspondingly known as whitebox testing. Sometimes a finding will be a false positive, or will not originate from the application itself but from the platform it is hosted on, such as the operating system, web server, programming platform and database, or even the secure transport technology for encrypted traffic, SSL/TLS. This is why black box testing, on top of a dynamic application security testing (DAST) product, usually needs one more reliable tool for host vulnerability scanning of the running system and services, relying more on signature matching to tell whether any exploitable version with discoverable, publicly known vulnerabilities is running.
As the trend keeps moving forward and frameworks become more mature and secure, so does DAST. In particular, those who purely make use of an automated dynamic application security testing (DAST) tool, without knowing how to perform manual dynamic application security testing, will find it difficult to demonstrate and find vulnerabilities as they did previously, because framework and platform developers have already hardened their own products and made them more secure than before. So those who in the past depended on an automated web scanner, without knowing the limits of such a technology or how to complement it with manual, in-depth and interactive complex testing to discover vulnerabilities in the areas automated DAST does not cover, will usually end up in disaster, because they are still living in a dream state built on a false understanding. In real life, external hackers do not use automated DAST tools to perform any hacking; those tools are used by enterprises for routine, scheduled continuity scanning, as a quick check of the areas that can be automatically tested by script. The areas that are not, and cannot be, covered by the script are still the areas you need to test manually, to completely cover whether your enterprise application is hackable, by exploiting them once yourself for your developers, whether through web client security control manipulation and bypass, privilege escalation, and so on.
Those who closely follow the Gartner Magic Quadrant report for Application Security Testing (AST) year after year will know that the criteria have shifted toward DevSecOps and toward vendors who possess a dual engine to perform both DAST and SAST. If you have read and been involved in the industry long enough, you will have detected the emerging trend and be fully aware of the limitations of solo DAST or SAST, and of the need for DevSecOps integration.
As a general recommendation for those who still rely on automated DAST alone and are not even willing to spend the time to learn how to perform manual testing to cover the areas automated DAST misses, or to shift left and learn SAST: this is a wake up moment. Under DevSecOps the process is automated; a developer can trigger automated DAST without security ever being involved, and a pure automated DAST scan result simply does not meet modern DevSecOps and developer requirements. You need to demonstrate your added value to your enterprise by at least being capable of value added activities, such as complementing the automated DAST scan result by addressing the areas automated DAST cannot cover, to provide security assurance to your development team and enterprise.
E-SPIN Group has been involved in application security testing (AST) end to end, from dynamic, static, interactive, mobile and manual testing, as well as infrastructure, server and system security testing for the enterprise ICT requirements of multinational corporations and government agencies, since 2005. Feel free to contact E-SPIN Group for your various requirements to invest in the right solution for your enterprise needs, to modernize and add new capabilities that your existing tools miss or are unable to address.