Defense in Depth: Why You Need DAST, SAST, SCA, and Pen Testing
When it comes toツ?applicationツ?security (AppSec),ツ?most experts recommend usingツ?Dynamic Application Security Testingツ?(DAST)ツ?andツ?Static Application Security Testingツ?(SAST)ツ?as ???complementary??? approaches for robust AppSec. However, these experts rarely specifyツ?howツ?to run them in a complementary fashion.ツ?
At Veracode, we use SAST, DAST,ツ?SCA,ツ?andツ?penツ?testing as theツ?fourツ?pillars of ourツ?defenseツ?in-depthツ?strategy to deliver a ???secure-by-design??? AppSec methodology across the entireツ?softwareツ?developmentツ?lifeツ?cycle.ツ?ツ?
Manualツ?penetrationツ?testingツ?
Most organizations start their AppSec journey by runningツ?manualツ?penetrationツ?testsツ?(MPT).ツ?Penetration testing is necessary to catch vulnerability classes,ツ?such as authorization issues and business logic flaws,ツ?that cannot be found through automated assessments alone. Expertly trained pen testersツ?canツ?reviewツ?an entireツ?environment,ツ?rather than just the application,ツ?and canツ?follow or break the workflows in a way that is difficult forツ?automation to replicate.ツ?Additionally, pen testing is requiredツ?to comply with regulations such asツ?PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP.ツ?
However,ツ?penツ?testing is only one assessment type and can bottleneck developmentツ?velocityツ?because it is a manual process.ツ?ツ?
How does Dynamic Analysis work?ツ?
Dynamicツ?applicationツ?securityツ?testingツ?(DAST)ツ?isツ?an AppSec assessment thatツ?scans all applications and interconnected structures in a running environment without looking deeply into source code. The results of ???outside-in???ツ?dynamicツ?scanningツ?help prioritizeツ?the remediation ofツ?exploitable vulnerabilitiesツ?and immediately reduce AppSec risk as they are fixed. However, it can be challenging to pinpoint theツ?exactツ?line of code toツ?work onツ?using only DAST.ツ?This assessment on its own is limited by the configuration of your scanner and what you choose to test. If you don???t properly configure your scans,ツ?you may miss vulnerabilities and have a false sense of security.ツ?
Additionally, since theツ?applicationツ?isツ?scannedツ?towards the end of theツ?SDLC,ツ?there???s more pressure on development teams to remediate the difficult-to-find vulnerabilities quickly.ツ?This is usuallyツ?whereツ?frictionツ?between development and security increases,ツ?often resulting in unmitigated risk.ツ?ツ?
How does Static Analysis work?ツ?
Staticツ?applicationツ?securityツ?testingツ?(SAST)ツ?is an AppSec assessmentツ?that tests applications from the inside-out,ツ?by scanning applications,ツ?but not running them. It usually targets source code, byte code,ツ?andツ?binaryツ?code, and ???sits??? in an earlier stage of the SDLC so developers can look for security issuesツ?beforeツ?the application is complete. SAST also provides real-time security feedback during coding, making it a moreツ?proactive methodツ?for fixing flaws quickly. This ???inside-out approach??? can help reduceツ?securityツ?technical debtツ?for the lowest cost.ツ?
On the flip side, fixing all the flaws found after a SAST scan may be an inefficient use of resources that may not reduce your risk in a meaningful way.ツ?And since the scan doesn’t execute in a running environment, it can be hard to determine which flaws are immediately exploitable, or to understand how the exploit might happen without appropriate training.ツ?
Software Compositionツ?Analysisツ?
Getting features to market faster than the competition almost always requires development teams toツ?use at least one open-source library inツ?their codebase. Third-party code is a necessity in modern software development and so is securing it.ツ?According toツ?Veracode???sツ?State of Software Security:ツ?Open-Sourceツ?Edition,ツ?97.4ツ?percentツ?of the 85,000 apps scanned hadツ?an unfixedツ?securityツ?flaw in an external library.ツ?The good news is thatツ?nearly 75ツ?percentツ?of the known flaws can be fixed with aツ?versionツ?update.ツ?Veracode Software Composition Analysisツ?(SCA) and other similar solutionsツ?automaticallyツ?scan yourツ?librariesツ?and their dependenciesツ?to find vulnerabilities andツ?help you fix them.ツ?ツ?ツ?
Defenseツ?in depthツ?
If youツ?conduct onlyツ?SCA you???re not protecting your entire codebase. If you conduct justツ?SAST, you may introduce resource-related inefficiencies into the SDLC during remediation.ツ?If youツ?conduct onlyツ?MPT or DAST, you???re finding flaws at a later, more expensive stage and putting increased pressure on development teams to find the flaw in the source code and remediate it quickly.ツ?ツ?
To ensure that you get the most value out of your AppSec program, you should use DAST findings to configure SAST policies, and to inform SAST activities. A quick defense against something like an input/output validation problem found during aツ?Veracode Dynamic Analysisツ?scan is to implement a WAF rule that prevents unauthorized data from leaving the application. Once the vulnerability has been secured at that level, useツ?Veracode Static Analysisツ?to go deep into the source code to find and patch the flaw.ツ?Once the first-party code has been secured, integrate Veracode SCA into your development workflowsツ?to secure your third-party code.ツ?This ensures that you are not just relying on one control to prevent an attack.ツ?ツ?
On top of this, it is critical to continue runningツ?MPTツ?assessmentsツ?to secure the flaws that automationツ?can???tツ?find. You want to look at the hierarchies of the architecture to be sure that you are doing everything you can to secure each level. Thisツ?complementary approach makes it easier to find exploitable flaws, remediate them quickly, and even learn secure coding to prevent them in future.ツ?According to the 11thツ?edition of theツ?State of Software Securityツ?report,ツ?organizations that scan with both SAST and DAST are likely to remediateツ?50 percent ofツ?their flaws 24.5 days quicker than if they only scanned with one technology.ツ?It???s not hard to understand why: by seeing how an attack may be exploited at runtime, developers get an education in how to think like an attacker and may even be more motivated to fixツ?otherツ?findings.ツ?
In today???s expanding threat landscape, DAST, SAST,ツ?SCA,ツ?and MPT provide a means forツ?DevSecOpsツ?teams to secure their code and strengthen their AppSec programs before it???s too late.ツ?To learn more aboutツ?the strengths and weaknesses of the different types of application security technologies, check outツ?ourツ?Guideツ?toツ?AppSec Solutions.ツ?
*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by [email protected] (lpaine). Read the original post at: https://www.veracode.com/blog/managing-appsec/defense-depth-why-you-need-dast-sast-sca-and-pen-testing
