When it comes to application security (AppSec), most experts recommend using Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) as "complementary" approaches for robust AppSec. However, these experts rarely specify how to run them in a complementary fashion.
At Veracode, we use SAST, DAST, SCA, and pen testing as the four pillars of our defense-in-depth strategy to deliver a "secure-by-design" AppSec methodology across the entire software development life cycle.
Most organizations start their AppSec journey by running manual penetration tests (MPT). Penetration testing is necessary to catch vulnerability classes, such as authorization issues and business logic flaws, that cannot be found through automated assessments alone. Expertly trained pen testers can review an entire environment, rather than just the application, and can follow or break the workflows in a way that is difficult for automation to replicate. Additionally, pen testing is required to comply with regulations such as PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP.
However, pen testing is only one assessment type, and because it is a manual process it can bottleneck development velocity.
How does Dynamic Analysis work?
Dynamic application security testing (DAST) is an AppSec assessment that scans all applications and interconnected structures in a running environment without looking deeply into source code. The results of "outside-in" dynamic scanning help prioritize the remediation of exploitable vulnerabilities and immediately reduce AppSec risk as they are fixed. However, it can be challenging to pinpoint the exact line of code to work on using only DAST. This assessment on its own is limited by the configuration of your scanner and what you choose to test. If you don't properly configure your scans, you may miss vulnerabilities and have a false sense of security.
Additionally, since the application is scanned towards the end of the SDLC, there's more pressure on development teams to remediate the difficult-to-find vulnerabilities quickly. This is usually where friction between development and security increases, often resulting in unmitigated risk.
How does Static Analysis work?
Static application security testing (SAST) is an AppSec assessment that tests applications from the inside out, by scanning applications without running them. It usually targets source code, byte code, and binary code, and "sits" at an earlier stage of the SDLC so developers can look for security issues before the application is complete. SAST also provides real-time security feedback during coding, making it a more proactive method for fixing flaws quickly. This "inside-out approach" can help reduce security technical debt at the lowest cost.
On the flip side, fixing all the flaws found after a SAST scan may be an inefficient use of resources that does not reduce your risk in a meaningful way. And since the scan doesn't execute in a running environment, it can be hard to determine which flaws are immediately exploitable, or to understand how the exploit might happen, without appropriate training.
Getting features to market faster than the competition almost always requires development teams to use at least one open-source library in their codebase. Third-party code is a necessity in modern software development, and so is securing it. According to Veracode's State of Software Security: Open-Source Edition, 97.4 percent of the 85,000 apps scanned had an unfixed security flaw in an external library. The good news is that nearly 75 percent of the known flaws can be fixed with a version update. Veracode Software Composition Analysis (SCA) and other similar solutions automatically scan your libraries and their dependencies to find vulnerabilities and help you fix them.
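As an added illustration of what a composition-analysis pass does (example code written for this page, not Veracode SCA's own implementation), the script below resolves a dependency tree including transitive packages, matches each resolved version against an advisory table, and reports which findings would close with a version update. Every package name, version, and advisory identifier here is a constructed placeholder, as is the dependency graph.

```python
"""Illustrative SCA-style dependency check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable_below: str        # versions strictly below this are affected
    fixed_in: Optional[str]      # None means no fixed release exists yet
    advisory_id: str             # placeholder ID, not a real CVE


# Constructed advisory table (placeholders, not real advisories).
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "2.4.1", "EXAMPLE-ADV-0001"),
    Advisory("parsekit", "1.0.0", "1.0.0", "EXAMPLE-ADV-0002"),
    Advisory("legacyfmt", "9.9.9", None, "EXAMPLE-ADV-0003"),
]

# Constructed dependency graph: name -> (resolved version, packages it pulls in).
PACKAGES = {
    "webapp-core": ("3.1.0", ["examplelib", "legacyfmt"]),
    "examplelib": ("2.3.0", ["parsekit"]),
    "parsekit": ("1.2.0", []),
    "legacyfmt": ("0.8.5", []),
}
DIRECT_DEPENDENCIES = ["webapp-core"]


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def walk(root, path=(), seen=None):
    """Yield (package, version, path) for root and every transitive dependency.

    The shared 'seen' set keeps a package that is reached by two routes from
    being reported twice.
    """
    if seen is None:
        seen = set()
    if root in seen:
        return
    seen.add(root)
    version, deps = PACKAGES[root]
    current = path + (root,)
    yield root, version, current
    for dep in deps:
        yield from walk(dep, current, seen)


def scan(direct=DIRECT_DEPENDENCIES):
    """Match every resolved package against the advisory table."""
    findings = []
    seen = set()
    for root in direct:
        for name, version, path in walk(root, seen=seen):
            for adv in ADVISORIES:
                if adv.package != name:
                    continue
                if parse_version(version) < parse_version(adv.vulnerable_below):
                    findings.append({
                        "package": name,
                        "version": version,
                        "path": path,              # how the package got in
                        "advisory": adv.advisory_id,
                        "fixed_in": adv.fixed_in,  # None: no update fixes it
                    })
    return findings


def fixable_ratio(findings):
    """Share of findings that a version update alone would close."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["fixed_in"]) / len(findings)


if __name__ == "__main__":
    results = scan()
    for f in results:
        route = " -> ".join(f["path"])
        fix = f"update to {f['fixed_in']}" if f["fixed_in"] else "no fixed version"
        print(f"{f['advisory']}: {f['package']} {f['version']} via {route}; {fix}")
    print(f"fixable by version update: {fixable_ratio(results):.0%}")
```

The `path` field is what makes a transitive finding actionable: the vulnerable package was not declared by the application, so the remediation is an update of the direct dependency that pulls it in, or a pinned override, rather than a change to first-party code.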
If you conduct only SCA, you're not protecting your entire codebase. If you conduct just SAST, you may introduce resource-related inefficiencies into the SDLC during remediation. If you conduct only MPT or DAST, you're finding flaws at a later, more expensive stage and putting increased pressure on development teams to find the flaw in the source code and remediate it quickly.
To ensure that you get the most value out of your AppSec program, you should use DAST findings to configure SAST policies and to inform SAST activities. A quick defense against something like an input/output validation problem found during a Veracode Dynamic Analysis scan is to implement a WAF rule that prevents unauthorized data from leaving the application. Once the vulnerability has been secured at that level, use Veracode Static Analysis to go deep into the source code to find and patch the flaw. Once the first-party code has been secured, integrate Veracode SCA into your development workflows to secure your third-party code. This ensures that you are not relying on just one control to prevent an attack.
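The sequence just described, as an added example that is not part of the original post and not Veracode's product code: a minimal request handler with an output-validation flaw (user input reflected into HTML unencoded), a simulated dynamic probe that detects the reflection from the outside, a WAF-style egress rule that blocks a response echoing request data containing markup verbatim, and the source-level fix that encodes the value at the output point. The handler, the probe marker, and the rule are all constructed for illustration; the "WAF" is a plain function standing in for a real appliance.

```python
"""Layered controls around one reflected-output flaw (added example)."""
import html
from urllib.parse import parse_qs, quote

# Constructed, benign probe marker: markup that should never come back raw.
PROBE = "<b>dast-probe</b>"


def vulnerable_greeting(params):
    """'Before' handler: reflects the name parameter into HTML unencoded."""
    name = params.get("name", ["guest"])[0]
    return f"<html><body><h1>Hello, {name}!</h1></body></html>"


def fixed_greeting(params):
    """'After' handler: the flaw patched in source by encoding at output."""
    name = params.get("name", ["guest"])[0]
    return f"<html><body><h1>Hello, {html.escape(name)}!</h1></body></html>"


def waf_egress_rule(params, body):
    """Compensating control: refuse to let a response leave the application
    when it echoes a request value containing markup characters verbatim."""
    for values in params.values():
        for value in values:
            if any(ch in value for ch in "<>") and value in body:
                return True
    return False


def serve(handler, query, waf_enabled):
    """Run one request through the handler and, optionally, the WAF rule."""
    params = parse_qs(query)
    body = handler(params)
    if waf_enabled and waf_egress_rule(params, body):
        return 403, "Blocked by WAF rule"
    return 200, body


def dast_reflection_check(handler, waf_enabled):
    """Simulated outside-in probe: True means the marker was reflected raw,
    i.e. a dynamic scanner would raise a finding against this endpoint."""
    status, body = serve(handler, "name=" + quote(PROBE), waf_enabled)
    return status == 200 and PROBE in body


if __name__ == "__main__":
    print("vulnerable, no WAF :", dast_reflection_check(vulnerable_greeting, False))
    print("vulnerable, WAF on :", dast_reflection_check(vulnerable_greeting, True))
    print("fixed, no WAF      :", dast_reflection_check(fixed_greeting, False))
    # Legitimate input containing '<' shows the cost of the stop-gap control.
    print("vulnerable+WAF, 'a<b':", serve(vulnerable_greeting, "name=a%3Cb", True)[0])
    print("fixed+WAF, 'a<b'     :", serve(fixed_greeting, "name=a%3Cb", True)[0])
```

Two things to take from running it. The WAF rule makes the dynamic finding disappear immediately, but it also rejects an ordinary name such as `a<b`, which is the kind of collateral damage that makes a perimeter rule a stop-gap rather than a fix. Once the handler encodes at the output point, the same request returns 200 and the rule never fires, because the raw value no longer appears in the response; the WAF can then stay in place as a second layer without costing legitimate traffic.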
On top of this, it is critical to continue running MPT assessments to secure the flaws that automation can't find. You want to look at the hierarchies of the architecture to be sure that you are doing everything you can to secure each level. This complementary approach makes it easier to find exploitable flaws, remediate them quickly, and even learn secure coding to prevent them in future. According to the 11th edition of the State of Software Security report, organizations that scan with both SAST and DAST are likely to remediate 50 percent of their flaws 24.5 days quicker than if they only scanned with one technology. It's not hard to understand why: by seeing how an attack may be exploited at runtime, developers get an education in how to think like an attacker and may even be more motivated to fix other findings.
In today's expanding threat landscape, DAST, SAST, SCA, and MPT provide a means for DevSecOps teams to secure their code and strengthen their AppSec programs before it's too late. To learn more about the strengths and weaknesses of the different types of application security technologies, check out our Guide to AppSec Solutions.
*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by email@example.com (lpaine). Read the original post at: https://www.veracode.com/blog/managing-appsec/defense-depth-why-you-need-dast-sast-sca-and-pen-testing