What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools

Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com

What Good is this tool? A Guide to Choosing the Right Application Security Testing Tools

OWASP LASCONAustin, TXOct 24, 2014

whoami

Kevin Fealey

Senior Security Engineer @ Aspect Security

Lead of Aspect’s Security Automation Division

General Goals:

Streamline Security Processes

Improve Security Visibility

Bridge gaps between tech and business people

What Good is this Tool? 2

Takeaways

• Differences between SAST, DAST, IAST

• Tips for choosing the right tools

• Tips for choosing the right integration points


Why do we need tools?


More apps to review

Flat AppSecbudgets

A need for scalable, efficient

solutions

Vulnerabilities are being

introduced

RASP• Runtime

Application Self/Security Protection

• Essentially IAST that modifies data in memory to protect your running application.

• Think WAF in the runtime environment (.NET/JVM)


DAST (Dynamic) SAST (Static)

Scans interface of running application

• “Black box testing”• Simulates a live attacker• Sends HTTP requests• Analyses HTTP responses

• “Instrumentation”• Uses an “agent” to monitor application inner-workings• Similar to running a debugger on a running application• Access to HTTP requests/responses, as well as call stack• Contrast and Quotium are the only current vendors

Scans source code/binaries/byte code

Monitors inner workings of running application

• “White box testing”• Advanced grep for dangerous patterns• Data/Control flow analysis• Checks all possible code execution paths

Types of AST Tools

• “Hybrid analysis”• Correlates SAST and DAST results• Use “agents” to monitor application inner-workings and

report back to a black-box scanner• Use SAST output to improve DAST coverage• Most major vendors have an IAST solution

Various Implementations

IAST (Interactive/Intrinsic/Integrated)

What’s Better?


What’s Better?


Popular AST Tool Vendors


Popular AST Tools


Other vendors:• Parasoft• SonarQube• Microsoft• Coverity/Synopsys

Open Source:• FindBugs• Find Security Bugs• OWASP ZAP• OWASP Dependency Check• PMD

Many, many more…

Before Contacting a Vendor

• Which tools are most “compatible” with your applications?

• Where do the tools fit in your SDLC?


Which tools are compatible?

• Is there a compatible IAST solution for you?

• How good are your test cases?

• Do you enforce common security controls?

• What is your threshold for false positives/negatives?

• Do you use Java frameworks?


Language Support

http://www.quotium.com/seeker/technologies/

http://www1.contrastsecurity.com/supported-technologies


Framework Support


Javascript heavy?


Required Security Controls


Your developers know what not to do..

Do they know what to do?

Test Case Coverage


Your Application

Attack Surface

Potential Attacks

IAST tools are only as good as the test cases that drive them

F+/- Threshold


Out of the box, most SAST tools produce THOUSANDS of false positives on an average size application

Additional Considerations

• Evaluating 3rd party libraries

• Vulnerable dependencies (known CVEs)

• SaaS vs product

• Cost

• SDLC integration points


Sweet new pool table!


Where should we put it?

AST Tools in the SDLC

• The best place for a tool depends on your SDLC model

• Most tools have multiple potential integration points

• Sprinkle security throughout the SDLC


Waterfall Processes


Development

• IDE Plugin

• Runtime Agent

• Command line tools

QA

• Runtime Agent

• Browser plugin/proxy

Security Testing

• Desktop Tools


• Runtime Agent

This is where most testing happens today

Agile Processes


Development

• IDE Plugin

• Runtime Agent


QA

• Runtime Agent

• Browser plugin/proxy

Security Testing

• Desktop Tools


• Runtime Agent

DevOps

• Any fast, high-confidence test

• Manage Deployment from CI

Continuous Integration

Runtime Agent

Command line tools

Browser plugin/proxy

Desktop Tools (with

CLI)

Automated

Results fed back to development

Where to Integrate

• Are you using continuous integration/continuous delivery?

• Do your developers have time to run scans?

• Do you have a QA team?

• Integrate at test, but simplify the workflow


Integrate with Existing Tools


Many tools you already use, like Jenkins, are extensible

AST Tools in the SDLC

• Regardless of where you integrate..

– Provide security feedback as early as possible

– Automate as much as possible

– The more transparent the process, the more likely it will be accepted


$139.00 $1,390.00

$2,780.00

$4,170.00

$-

$1,000.00

$2,000.00

$3,000.00

$4,000.00

$5,000.00

Coding Testing Beta Release

Cost to Fix a Vulnerability Depends on When it is Found

Process Efficiency


AST Server with Several Code Repositories

Developer for application Y

Developer for application Z

Developer for application XCode repository for

Application X

Code repository forApplication Y

Code repository forApplication Z

Build server for Application X

Build server for Application Y

Build server for Application Z

CI Server

Simplify your workflows


Security Analyst

Only new findings are triaged

Scan Server

Scan Results

Downloaded

Triaged Scan Results

Security Analyst

Subsequent Scans

Triaged Results

Uploaded

Scan Results

Downloaded

New Vulnerabilities

Already Triaged

Initial Scan

Use of a centralized environment drastically reduces the time required for subsequent assessments

General Recommendations

• If IAST is a good fit for you, use it.

• If possible, use at least 2 AST technologies.

– Encourage communication between your AST teams. Don’t create more silos within your security group.

• Prototype/pilot a deployment with a free tool

• Sprinkle security throughout the SDLC

• Get Continuous


Still not sure what to do?

• Come talk to me

• You are not alone.

[email protected]

Questions or positive feedback?


Technology

What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools