Application Security Test

Security testing is growing faster than any other security market, as AST (Application Security Testing) solutions adapt to new development methodologies and increased application complexity. AST’s tools are one of the cornerstones of any application security practice.

We believe that applications must be secure from the outset, and therefore advocate that developers take an active role in AppSec. Most of all reported software violations are notable for the exploitation of vulnerabilities in the application layer.

The main motivation for using the AST tools is that manual code reviews and traditional test plans are time-consuming and new vulnerabilities are continuously being introduced or discovered. In many domains (such as PCI-DSS), there are regulatory and compliance policies that mandate the use of AST tools.

There are several types of AST at the present time:

The Static AST (SAST) technology

It analyzes the source of the application, byte code or binary code to detect security vulnerabilities, usually in the programming and/or testing phases of the software development life cycle (SDLC).

SAST tools can be considered as White-Hat or White-Box testing, where the tester knows information about the system or software being tested, including an architecture diagram, access to source code, etc.

SAST tools examine the source code (at rest) to detect and report weaknesses that may lead to security vulnerabilities. Source code analyzers can be run on uncompiled code to verify defects such as numerical errors, input validation, running conditions, route paths, pointers and references, and more.

Binary and byte code analyzers do the same in built and compiled code. Some tools run only in the source code, some run only in the compiled code, and some run in both.

Dynamic AST (DAST) technology

It analyzes the applications in their dynamic state of execution during the test or operation phases. Simulates attacks against an application (usually web-enabled applications and services) and analyzes the reactions of the application to determine if it is vulnerable.

Unlike SAST tools, DAST tools can be considered as Black-Hat or Black-Box testing, where the tester has no prior knowledge of the system. They detect conditions that indicate a security vulnerability in an application in its running state.

DAST tools are executed in the operating code to detect problems with interfaces, requests, responses, scripting, data injection, sessions, authentication, and more. DAST tools employ fuzzing-throwing known, invalid, and unexpected test cases at an application, often in high volume.

The Interactive AST Technology (IAST)

Together with Hybrid Tools they combine internal and external observation of a running application being tested with DAST simultaneously. It is typically deployed as an agent within the test runtime environment (e.g., implementing the Java Virtual Machine [JVM] or .NET CLR) that observes operations or attacks from within the application and identifies vulnerabilities.

Hybrid approaches have been available for a long time, but more recently have been categorized and discussed using the term IAST. IAST tools use a combination of static and dynamic analysis techniques. They can test whether known vulnerabilities in the code are actually exploitable in the running application.

IAST tools use knowledge of the application’s flow and data flow to create advanced attack scenarios and use the results of the dynamic analysis in a recursive fashion: as a dynamic analysis is performed, the tool will learn things about the application based on how it responds to test cases.

Some tools will use this knowledge to create additional test cases, which could then generate more knowledge for more test cases and so on. IAST tools are adept at reducing the number of false positives, and work well in Agile and DevOps environments where traditional stand-alone DAST and SAST tools may require too much time for the development cycle.

Mobile Application Security Testing (MAST)

They combine traditional static and dynamic testing techniques to discover security vulnerabilities in iOS and Android applications and the corresponding back-end components. MAST tools are a combination of static, dynamic and forensic analysis.

They perform some of the same functions as traditional static and dynamic scanners, but allow mobile code to be run on many of these scanners as well. MAST tools have specialized features that focus on problems specific to mobile applications, such as device unlocking or rooting, forged WI-FI connections, certificate handling and validation, data leakage prevention and more.

Some AST suppliers have also started to offer:

RASP

It means, Run-time Application Security Protection. This technology takes advantage of the principles of IAST instrumentation to offer a protection solution that competes with WAF. Most computers start by testing the instrumentation in IAST (non-blocking) mode, and once they are comfortable, move into RASP (full blocking mode).

SCA

(Software composition analysis; a technology used to identify open source and third party components in use in an application and their known security vulnerabilities). SCA tools examine the software to determine the sources of all components and libraries within the software.

These tools are highly effective in identifying and finding vulnerabilities in common and popular components, particularly in open source components. However, they do not detect vulnerabilities for components developed by the company itself.

SCA tools are more effective at finding common and popular libraries and components, particularly open source parts. They work by comparing known modules found in the code with a list of known vulnerabilities.

SCA tools find components that have known and documented vulnerabilities and will often warn you if the components are out-of-date or have patches available. For this comparison, almost all SCA tools use the Common Vulnerabilities and Exposures (CVE) from NIST’s National Vulnerability Database as a source of known vulnerabilities.

Many commercial SCA products also use the commercial VulnDB as a source, as well as other public and proprietary sources. SCA tools may run in source code, byte code, binary code, or some combination.

Application Discovery

This is an ability to analyze a company’s web ecosystem and detect all web applications. Often, it discovers a substantial number of applications that companies do not use and have forgotten about, yet still provide a gateway to the business.

Database security analysis

Although databases are not always considered part of an application, application developers often rely heavily on them, and applications can affect them significantly.

Database security scanning tools check for patches and upgrades, weak passwords, configuration errors, access control list (ACL) issues, and more. Database scanners generally run on static data that is at rest while the database management system is running. Some scanners can monitor data that is in transit.

Application Security Testing as a Service (ASTaaS)

As the name suggests, an external company performs security tests on your application. The service will usually be a combination of static and dynamic analysis, penetration testing, application programming interface (API) testing, risk assessments etc. The impetus for using ASTaaS comes from the use of cloud applications, where testing resources are easier to gather.

Correlation tools

Dealing with false positives is a big problem in application security testing. Correlation tools can help reduce some of the noise by providing a central repository for the findings of other AST tools. Different HTA tools will have different results, so correlation tools relate to and analyze the findings of different HTA tools and help validate and prioritize findings, including remediation workflows.

Test Coverage Analysers

Test coverage analyzers measure the proportion of the total program code that has been analyzed. Results can be presented in terms of statement coverage (percentage of code lines tested) or branch coverage (percentage of available routes tested).

For large applications, acceptable coverage levels can be determined in advance and then compared to the results produced by the test coverage analyzers to speed up the testing and release process. These tools can also detect if certain lines of code or branches of logic cannot be reached during program execution, which is inefficient and a potential safety concern.

Some SAST tools incorporate this functionality into their products (SonarQube for example), but there are also stand-alone products.

Application Security Testing Orchestration (ASTO)

ASTO integrates security tools into a software development life cycle (SDLC). The idea of ASTO is to have a centralized and coordinated management of all AST instruments running in an ecosystem. It is still too early to know if the term and product lines will last, but as automated testing becomes more ubiquitous, ASTO meets a need.