Your AST Guide for the Disenchanted: Part 6
In this final post of Your AST Guide for the Disenchanted, series, we’ll share why SCA and AFT are two ideal solutions for transforming your DevOps workflow to a DevSecOp workflow.
How Does SCA and AFT Complement Each Other?
Here’s how they fit together.
Software Composition Analysis (SCA)
Advanced Fuzz Testing (AFT)
Generates a bill of materials for applications and the corresponding known vulnerabilities within them.
Executes uncommon and unknown attack patterns against applications and monitors for anomalous behaviors. Anomalous behaviors, such as memory leaks, infinite loops, and crashes are a sign of underlying vulnerabilities
Grey-box – meaning it can test with both access to code and without
Application State During Testing
Unknown and zero-days
Pre-Deployment and post-deployment (vendor dependent); AST solutions integrated earlier in the SDLC is desired for DevSecOps. Studies have shown testing early and often manages unexpected remediation costs and effort.
Pre-Deployment and post-deployment; AST solutions integrated earlier in the SDLC is desired for DevSecOps. Studies have shown testing early and often manages unexpected remediation costs and effort.
DevSecOps Best Practices
Offer a whitelist of code components developers can source from before development begins
Integrates as a part of developer workflows to share results as a part of the build process
Why is the SCA-AFT combination significant?
The combination of these technologies offer a comprehensive coverage of two significant types of application security risks: known and unknown vulnerabilities. Implemented correctly, they enable security teams to take a proactive approach to application security that allow organizations to stay ahead of the threat landscape.
What are the key attributes to consider in an AFT solution?
Market observers are hedging their bets, and they’re predicting that 2020 is the year of fuzz testing due to several significant advances from its former predecessors — random fuzzing and grammar-based fuzzing. Here are the minimum set of criteria to consider when evaluating AST solutions:
- CICD Integration
- Testing intelligence
- Issue reproduction
- Vulnerability detection
“People [are accepting] that integration testing is needed, unit testing is needed, end-to-end testing is needed, and now, that fuzz testing is needed.” – David Haynes, Cloudflare
Continuous Testing at the Speed of Development.
Find out how ForAllSecure can bring advanced fuzz testing into your development pipelines.
Interested in moving forward with fuzz testing? For a full description of the buying criteria, get your free copy of the fuzzing checklist here.
Want to learn more?
This post marks the end of the AST Guide for the Disenchanted series. To learn about the Top 3 Barriers to Fuzz Testing and how you can overcome them, read more here.
For detailed information or a demo, contact us at [email protected].
*** This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Tamulyn Takakura. Read the original post at: https://forallsecure.com/blog/test/ast-guide-for-the-disenchanted-part-6