
How to Find Additional Hidden Vulnerabilities During DAST Testing

Organizations have a number of testing tools for discovering vulnerabilities in code before that code reaches production. DAST (Dynamic Application Security Testing) is one of them: a black-box tool that behaves like an attacker, sending attacks at the running application to discover vulnerabilities in its code. Even with expensive DAST tools, plenty of code still reaches production with significant vulnerabilities.

The number of vulnerabilities found in production code continues to grow at an unprecedented rate. In 2019, 17,306 vulnerabilities were recorded in the NIST National Vulnerability Database (NVD), and 2020 is on track to exceed that, with 10,861 new vulnerabilities already recorded in the first half of the year (the original post includes an NVD chart of vulnerabilities recorded per year through July 2020; see the image source below). A steadily growing count of vulnerabilities discovered only after release is a clear sign that we are not finding enough of them during application development and DAST.

Typically, DAST tools run on a server separate from the one hosting the application, so attacks cross the network the way they would in a real attack. That is good for realism, but it has a downside: the tool can only observe what comes back over the wire. It confirms a vulnerability only when the application's response to an attack is something it can interpret as success, such as an error message, a reflected payload or changed page content. If there is no response, a constant response, or only a partial one (a query that fails silently, an injected command whose output is never returned to the client), the tool may never learn that the vulnerability exists. Some scanners narrow this gap with timing-based inference or out-of-band callbacks, but they are still inferring from the outside. And given the number of vulnerabilities found in code after it has reached production, it is obvious that testing isn't finding them all during the test cycle.

So the question arises: how can you improve vulnerability detection and find these "hidden" vulnerabilities while testing your applications, before you go to production?

Given the continued discovery of vulnerabilities in released code, we need ways to make finding "hidden" vulnerabilities easier and more informative. K2 Cyber Security can help address both the missed vulnerabilities and the lack of detail about the ones that are found. The K2 Cyber Security Platform is a strong addition to DAST testing, surfacing vulnerabilities that the testing tools may have missed.

Because the K2 agent resides on the application server, when a DAST or penetration-testing attack runs, K2 has visibility inside the application: it observes the application's execution and knows what the code intended to do. That lets K2 detect and report vulnerabilities that DAST and penetration-testing tools miss for lack of application-server visibility. In testing alongside some of the leading DAST and penetration-testing tools, K2 detected significant additional vulnerabilities that those tools missed.

K2 also has a secondary benefit during DAST and penetration testing: it can pinpoint the exact location of a discovered vulnerability in the code. When a vulnerability is found (for example SQL injection, XSS or remote code injection), K2 reports the file name and the line of code that contains it, details that testing tools typically cannot provide, so developers can start remediation immediately.


The K2 Cyber Security Platform offers two use cases. The first, described here, is additional vulnerability discovery and visibility during pre-production (development) penetration testing; the second is runtime protection for applications in production. In the second use case, K2 offers a runtime protection solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to attacks based on prior attack knowledge. Deterministic security uses application execution validation: it verifies that the API calls the application makes are functioning the way the code intended. No prior knowledge of an attack or of the underlying vulnerability is used, which is what gives our approach the ability to detect new zero-day attacks. Our technology has 8 patents granted/pending and produces minimal false alerts.
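To make the two detection models concrete, here is an added example that is not K2's code or a description of its patented method; the request handler, the "scanner" and the in-process hook are all constructed stand-ins. It puts a blind SQL injection (the handler always answers "ok", errors swallowed) in front of the only evidence an out-of-band scanner has, a difference in responses, and then in front of a hook on the database call that compares the structure of the statement the code intended (its shape for benign input) with the statement it actually ran, reporting the file, line and function that issued it. A parameterized version of the handler is included for contrast; the shape comparison is an assumption standing in for "execution validation" in general.

```python
import inspect
import os
import sqlite3

# Constructed in-memory database standing in for the application's data store.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, name TEXT)")

# Hypothetical in-process sensor: a hook on the database call. OBSERVED holds
# every statement the app actually ran, plus where in the code it came from.
OBSERVED = []

def sensed_execute(sql, params=()):
    """Stand-in for an agent hooking the DB driver: record the statement and
    the file/line/function of the application code that issued it."""
    caller = inspect.stack()[1]
    OBSERVED.append({"sql": sql, "file": caller.filename,
                     "line": caller.lineno, "function": caller.function})
    try:
        return _db.execute(sql, params).fetchall()
    except sqlite3.Error:
        return None  # the handlers below swallow errors, as many real ones do

def sql_shape(sql):
    """Tokenize SQL the way the engine does ('' escapes a quote inside a
    literal, -- starts a comment), replacing literals with placeholders so the
    result captures statement structure but not user data."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "'":
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":  # escaped quote
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # past the closing quote (or the end, if unterminated)
            tokens.append("STR")
        elif c.isdigit():
            while i < n and (sql[i].isdigit() or sql[i] == "."):
                i += 1
            tokens.append("NUM")
        elif sql.startswith("--", i):
            while i < n and sql[i] != "\n":
                i += 1
            tokens.append("COMMENT")
        elif c.isalpha() or c == "_":
            j = i
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            tokens.append(sql[i:j].upper())
            i = j
        else:
            tokens.append(c)
            i += 1
    return tokens

# The application under test (constructed).
def record_login(name):
    """Vulnerable handler: SQL built by string formatting, constant response,
    errors swallowed. Nothing about the query's fate reaches the client."""
    sensed_execute("INSERT INTO logins (name) VALUES ('%s')" % name)
    return "ok"

def record_login_fixed(name):
    """Hardened handler: parameterized query, so user data never enters the
    SQL text and the statement structure cannot change."""
    sensed_execute("INSERT INTO logins (name) VALUES (?)", (name,))
    return "ok"

# Two detection models.
def dast_scan(handler, payloads, benign="alice"):
    """Response diffing, the only evidence an out-of-band scanner has:
    flag a payload only if its response differs from the benign one."""
    baseline = handler(benign)
    return [p for p in payloads if handler(p) != baseline]

def sensor_findings(handler, payloads, benign="alice"):
    """Execution validation: the statement issued for benign input defines the
    shape the code intended; a payload that changes that shape has altered the
    SQL structure, and the sensor reports where in the code it happened."""
    OBSERVED.clear()
    handler(benign)
    intended = sql_shape(OBSERVED[-1]["sql"])
    findings = []
    for p in payloads:
        handler(p)
        seen = OBSERVED[-1]
        if sql_shape(seen["sql"]) != intended:
            findings.append({"payload": p, "function": seen["function"],
                             "file": os.path.basename(seen["file"]),
                             "line": seen["line"]})
    return findings

if __name__ == "__main__":
    PAYLOADS = ["' OR 1=1 --", "x'),('y"]  # constructed injection probes
    print("scanner:", dast_scan(record_login, PAYLOADS))            # []
    print("sensor :", sensor_findings(record_login, PAYLOADS))      # two findings
    print("fixed  :", sensor_findings(record_login_fixed, PAYLOADS))  # []
```

Both probes execute against the database (the second silently inserts two rows), yet the response-diffing check reports nothing because every request answers "ok". The hook sees the structure of the executed statement change and names the function and line that built it; against the parameterized handler the statement text never varies, so it reports nothing. Any production agent needs a real SQL grammar rather than this small lexer, and must hook every sink (command execution, file access, deserialization), not just the database driver.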

Get more out of your application security testing and change how you protect your applications: check out K2's application workload security solution.

Find out more about K2 today by requesting a demo, or get your free trial.


Image source: https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&results_type=statistics&search_type=all


The post How to Find Additional Hidden Vulnerabilities During DAST Testing appeared first on K2io.


*** This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing. Read the original post at: https://www.k2io.com/how-to-find-additional-hidden-vulnerabilities-during-dast-testing/