Re: More apt means of analyzing weakness
Great question, and an important topic.
I think we can agree that the goal is to find all the security vulnerabilities in an application as early in the process as possible and with the minimal amount of effort and expertise required.
Ordinarily, the only way to tell whether a security vulnerability is really present is to exploit it. That means that you need experts, have to craft exploits, etc. Actually, static analysis doesn't require an exploit, but it generates so many false positives that you end up having to verify all the findings with an exploit anyway.
But the vast majority of vulnerabilities *can* be observed without an exploit, if you've instrumented the application so that you can see all the security-relevant activity. For example, if you walk into your house and nothing forces you to unlock a door... then you know an attacker could do the same.
In a web service, instrumentation can watch the data come from a JSON request, flow through the application, and reach a SQL query, without being validated, encoded, or parameterized. Instrumentation has established that the application is vulnerable to SQL injection, and we didn't have to exploit it.
This approach can be used on a very broad range of application security vulnerabilities and is extremely accurate. All you have to do is use the application normally, and the instrumentation can tell you whether anything happened (or failed to happen) that an attacker could exploit.
There are, of course, some parts of the code that aren't normally executed. For those, you have to send some specially crafted input. But even those cases don't require an exploit, just the right data to make the code execute so that the instrumentation can watch how the code runs.
You can (and should) use instrumentation throughout the lifecycle to gain security insight from the first moment a developer codes and tests locally, to continuous integration, QA testing, and staging.
Gartner calls this approach IAST (Interactive Application Security Testing), and the speed, accuracy, and process advantages over SAST and DAST are dramatic. Neither SAST nor DAST achieves good code coverage, and what's worse is that you'll never know what parts of the code were missed.
User Rank: Apprentice
7/24/2020 | 11:48:58 AM
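The JSON-request-to-SQL-query scenario described in the reply above, as an added toy example that is not the poster's code and not any IAST product's implementation: a `Tainted` string subclass plays the role of the agent's taint label on data read from the request body (the "source"), and an instrumented `execute` wrapper plays the role of the hook on the database driver (the "sink"). A normal request with the benign value `alice` is sent through a concatenating handler and a parameterized one; the instrumentation reports the first as SQL injection because request data reached the SQL text itself, and reports nothing for the second because the data only reached the driver as a bound parameter. No attack payload is ever sent. All names (`Tainted`, `taint_request_body`, `instrumented_execute`, `lookup_user_*`, the `json.body.name` source label) are hypothetical, and the sample request body is constructed for the example.

```python
import json
import sqlite3
from typing import Any, List


class Tainted(str):
    """str subclass carrying the name of the untrusted source it came from.

    Hypothetical stand-in for an IAST agent's taint label. Only `+`
    concatenation propagates the label in this toy; a real agent hooks the
    runtime's other string operations (format, join, %, f-strings) as well.
    """

    source: str

    def __new__(cls, value: str, source: str) -> "Tainted":
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other: str) -> "Tainted":
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other: str) -> "Tainted":
        # Called for plain_str + Tainted, so the label survives either order.
        return Tainted(str.__add__(other, self), self.source)


def taint_request_body(body: bytes, prefix: str = "json.body") -> Any:
    """Instrumented 'source': parse the JSON body and label every string
    value with the path it was read from (e.g. json.body.name)."""
    def label(node: Any, path: str) -> Any:
        if isinstance(node, str):
            return Tainted(node, path)
        if isinstance(node, dict):
            return {k: label(v, f"{path}.{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [label(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node
    return label(json.loads(body), prefix)


FINDINGS: List[dict] = []


def instrumented_execute(cur: sqlite3.Cursor, sql: str, params: tuple = ()) -> sqlite3.Cursor:
    """Instrumented 'sink': inspect the SQL text before the driver sees it.

    Tainted data in the SQL *text* means the query was assembled from request
    data: that is the SQL injection finding. Tainted data inside `params` is
    fine, because the driver binds it and it can never alter the statement.
    """
    if isinstance(sql, Tainted):
        FINDINGS.append({
            "rule": "sql-injection",
            "source": sql.source,
            "sink": "sqlite3.Cursor.execute",
            "sql": str(sql),
        })
    return cur.execute(str(sql), params)


def lookup_user_vulnerable(cur: sqlite3.Cursor, req: dict) -> list:
    # Concatenation: request data lands in the SQL text itself.
    sql = "SELECT id FROM users WHERE name = '" + req["name"] + "'"
    return instrumented_execute(cur, sql).fetchall()


def lookup_user_safe(cur: sqlite3.Cursor, req: dict) -> list:
    # Parameter binding: request data reaches the driver only as a bound value.
    sql = "SELECT id FROM users WHERE name = ?"
    return instrumented_execute(cur, sql, (req["name"],)).fetchall()


def run_demo() -> dict:
    """Handle one benign request with both handlers and report what the
    instrumentation observed. Nothing here is an exploit attempt."""
    FINDINGS.clear()
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])

    # Constructed sample request body, exactly as an ordinary user would send it.
    req = taint_request_body(b'{"name": "alice"}')

    vulnerable_rows = lookup_user_vulnerable(cur, req)
    findings_after_vulnerable = len(FINDINGS)
    safe_rows = lookup_user_safe(cur, req)
    conn.close()
    return {
        "vulnerable_rows": vulnerable_rows,
        "safe_rows": safe_rows,
        "findings": list(FINDINGS),
        "findings_from_safe_handler": len(FINDINGS) - findings_after_vulnerable,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(run_demo())
```

Both handlers return the same row for the same ordinary input, so functional testing alone would never distinguish them; only the sink hook sees that one of them let request data into the statement text. That is also where the coverage caveat from the reply bites: the finding is only produced for code paths the request actually drove, so a handler nobody exercised stays invisible to this kind of instrumentation just as it does to a scanner.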