Seeker: Bringing security testing to QA
Security testing in QA was once difficult to achieve, but the advent of interactive application security testing makes it a reality for many organizations.
What is IAST?
IAST (interactive application security testing) is an agent-based software security solution for web-based applications. IAST tools examine an application’s behavior (analyzing memory, traffic, dataflow, control flow, etc.) during runtime. Given that there’s an agent embedded in the runtime of the application under analysis, IAST solutions can accurately identify security vulnerabilities that are exploitable.
RELATED: IAST defined, plus how it is impacting business-critical software
What is Seeker?
Seeker is Synopsys’ IAST solution. It has some key features that make it stand out from other IAST tools that are available today. Some of those key features include:
- Patented “active verification” engine that analyzes security vulnerabilities identified and ensures that they are exploitable
- Seamless integration with Black Duck Binary Analysis to perform software composition analysis
- Sensitive-data tracking
Why is security testing in QA so challenging?
For over a decade now, we have seen organizations try to get QA testers to perform security testing. In most cases, they’ve failed. True, a handful of organizations have successfully implemented security testing in QA. But they still haven’t persuaded their QA teams to adopt security testing. Instead, they’ve had to hire dedicated security experts.
One of the biggest challenges with getting QA teams to adopt security testing is the techniques available. Currently, the most commonly used security analysis techniques are SAST and DAST. Both these solutions pose challenges to engineers without any application security background:
DAST in QA
DAST tools are relatively easy to set up and run. The challenge is that DAST scans take a long time, depending on the application’s complexity. Yet they have very relatively low code coverage. They also tend to produce a high rate of false positives (read as “noise”).
SAST in QA
SAST tools have more thorough code coverage. But similar to DAST, most SAST tools are notorious for producing a large number of false positives. They also can take a long time to run. Plus, they typically must be run on machines that have a lot of processing power and memory.
Both DAST and SAST tools have a key role to play in making sure applications are developed securely. But they do not work very well in the hands of the QA engineer.
What makes Seeker suitable for QA?
Seeker is built for frictionless integration with the DevOps toolchain. Since users can easily automate and script the deployment of Seeker agents, Seeker can integrate seamlessly into the development and QA environments as part of manual or automated functional testing.
There’s no need to train developers or QA teams on yet another tool. Seeker simply works in the background as a silent security advisor. The Seeker agent runs in parallel to the QA testing effort (functional tests, automated regression tests, unit tests, etc.). It does its own vulnerability monitoring and detection for every test case run against the application. Then it reports on the security issues that it discovers.
Seeker has native integration with Jira and can integrate with other defect-tracking systems through APIs. As a result, users can automate the submission of security bugs into defect-tracking systems for developers to address. Developers receive security issues in tickets as part of their regular bug-fixing workflow. Plus, Seeker’s unique patented verification engine replays each security issue to validate whether it’s exploitable. This means the vulnerabilities Seeker reports can go directly to developers to be resolved. There’s no need to worry about overwhelming them with false positives.
What additional benefits does Seeker provide?
In addition to runtime testing, Seeker performs software composition analysis (SCA) through its integration with Black Duck Binary Analysis. SCA allows organizations to build a real inventory of the open source software they use. They can also get a better understanding of their risk exposure from known vulnerabilities in that open source software.
Finally, Seeker’s sensitive-data tracking feature automatically identifies potential sensitive data that the application might save or handle insecurely. Plus, users can quickly tag any data as sensitive, based on the business use cases the application supports. In either case, Seeker will immediately notify users when it detects that an application is incorrectly handling data tagged as sensitive. Organizations can use this feature especially to help them in their efforts regarding GDPR and PCI DSS requirements.
IAST is a relatively new player in the field of application security testing, but it’s quickly changing the game. Check out our free IAST eBook to learn more about interactive application security testing and how to choose the best tool for your software development life cycle.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Nabil Hannan. Read the original post at: https://www.synopsys.com/blogs/software-security/seeker-security-testing-in-qa/
