Re: More apt means of analyzing weakness
Great question, and an important topic.
I think we can agree that the goal is to find all the security vulnerabilities in an application as early in the process and with the minimal amount of effort and expertise required.
Ordinarily, then only way to tell whether a security vulnerability is really present is to exploit it. That means that you need experts, have to craft exploits, etc... Actually, static analysis doesn't require exploit, but it generates so many false positives, that you end up having to verify all the findings with an exploit anyway.
But the vast majority vulnerabilities *can* be observed without exploit, if you've instrumented the application so that you can see all the security relevant activity. For example, if you walk into your house and nothing forces you to unlock a door... then you know an attacker could do the same.
In a web service, instrumentation can watch the data come from a JSON request, flow through the application, and reach a SQL query, without being validated, encoded, or parameterized. Instrumentation has established that the application is vulnerable to SQL injection, and we didn't have to exploit it.
This approach can be used on a very broad range of application security vulnerabilities and is extremely accurate. All you have to do is use the application normally, and the instrumentation can tell you whether anything happened (or failed to happen) that an attacker could exploit.
There are, of course, some parts of the code that aren't normally executed. For those, you have to send some specially crafted input. But even those cases don't require exploit, just the right data to make the code execute so that the instrumentation can watch how the code runs.
You can (and should) use instrumentation throughout the lifecycle to gain security insight from the first moment a developer codes and tests locally, to continuous integration, QA testing, and staging.
Gartner calls this approach IAST (Interactive Application Security Testing), and the speed, accuracy, and process advantages over SAST and DAST are dramatic. Neither SAST or DAST achieves good code coverage, and what's worse is that you'll never know what parts of the code were missed.
6 Emerging Cyber Threats That Enterprises Face in 2020This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Tweet This
6 Comments
User Rank: Ninja
6/25/2015 | 11:44:13 AM
I also think its a good idea to point out that in the coding phase is when app sec should be continually reviewed. Today's agile methodology is very good at acknowledging this principle. If you don't ingrain security at every phase of the SDLC, it is hopeless to expect that post-creation testing will yield desirable results.