What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools
-
Upload
kfealey -
Category
Technology
-
view
99 -
download
1
Transcript of What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
What Good is this tool? A Guide to Choosing the Right Application Security Testing Tools
OWASP LASCONAustin, TXOct 24, 2014
whoami
Kevin Fealey
Senior Security Engineer @ Aspect Security
Lead of Aspect’s Security Automation Division
General Goals:
Streamline Security Processes
Improve Security Visibility
Bridge gaps between tech and business people
What Good is this Tool? 2
Takeaways
• Differences between SAST, DAST, IAST
• Tips for choosing the right tools
• Tips for choosing the right integration points
What Good is this Tool? 3
Why do we need tools?
What Good is this Tool? 4
More apps to review
Flat AppSecbudgets
A need for scalable, efficient
solutions
Vulnerabilities are being
introduced
RASP• Runtime
Application Self/Security Protection
• Essentially IAST that modifies data in memory to protect your running application.
• Think WAF in the runtime environment (.NET/JVM)
What Good is this Tool? 5
DAST (Dynamic) SAST (Static)
Scans interface of running application
• “Black box testing”• Simulates a live attacker• Sends HTTP requests• Analyses HTTP responses
• “Instrumentation”• Uses an “agent” to monitor application inner-workings• Similar to running a debugger on a running application• Access to HTTP requests/responses, as well as call stack• Contrast and Quotium are the only current vendors
Scans source code/binaries/byte code
Monitors inner workings of running application
• “White box testing”• Advanced grep for dangerous patterns• Data/Control flow analysis• Checks all possible code execution paths
Types of AST Tools
• “Hybrid analysis”• Correlates SAST and DAST results• Use “agents” to monitor application inner-workings and
report back to a black-box scanner• Use SAST output to improve DAST coverage• Most major vendors have an IAST solution
Various Implementations
IAST (Interactive/Intrinsic/Integrated)
Popular AST Tools
What Good is this Tool? 9
Other vendors:• Parasoft• SonarQube• Microsoft• Coverity/Synopsys
Open Source:• FindBugs• Find Security Bugs• OWASP ZAP• OWASP Dependency Check• PMD
Many, many more…
Before Contacting a Vendor
• Which tools are most “compatible” with your applications?
• Where do the tools fit in your SDLC?
What Good is this Tool? 10
Which tools are compatible?
• Is there a compatible IAST solution for you?
• How good are your test cases?
• Do you enforce common security controls?
• What is your threshold for false positives/negatives?
• Do you use Java frameworks?
What Good is this Tool? 11
Language Support
http://www.quotium.com/seeker/technologies/
http://www1.contrastsecurity.com/supported-technologies
What Good is this Tool? 12
Required Security Controls
What Good is this Tool? 15
Your developers know what not to do..
Do they know what to do?
Test Case Coverage
What Good is this Tool? 16
Your Application
Attack Surface
Potential Attacks
IAST tools are only as good as the test cases that drive them
F+/- Threshold
What Good is this Tool? 17
Out of the box, most SAST tools produce THOUSANDS of false positives on an average size application
Additional Considerations
• Evaluating 3rd party libraries
• Vulnerable dependencies (known CVEs)
• SaaS vs product
• Cost
• SDLC integration points
What Good is this Tool? 18
AST Tools in the SDLC
• The best place for a tool depends on your SDLC model
• Most tools have multiple potential integration points
• Sprinkle security throughout the SDLC
What Good is this Tool? 20
Waterfall Processes
What Good is this Tool? 21
Development
• IDE Plugin
• Runtime Agent
• Command line tools
QA
• Runtime Agent
• Browser plugin/proxy
Security Testing
• Desktop Tools
• Command line tools
• Runtime Agent
This is where most testing happens today
Agile Processes
What Good is this Tool? 22
Development
• IDE Plugin
• Runtime Agent
• Command line tools
QA
• Runtime Agent
• Browser plugin/proxy
Security Testing
• Desktop Tools
• Command line tools
• Runtime Agent
DevOps
• Any fast, high-confidence test
• Manage Deployment from CI
Continuous Integration
Runtime Agent
Command line tools
Browser plugin/proxy
Desktop Tools (with
CLI)
Automated
Results fed back to development
Where to Integrate
• Are you using continuous integration/continuous delivery?
• Do your developers have time to run scans?
• Do you have a QA team?
• Integrate at test, but simplify the workflow
What Good is this Tool? 23
Integrate with Existing Tools
What Good is this Tool? 24
Many tools you already use, like Jenkins, are extensible
AST Tools in the SDLC
• Regardless of where you integrate..
– Provide security feedback as early as possible
– Automate as much as possible
– The more transparent the process, the more likely it will be accepted
What Good is this Tool? 25
$139.00 $1,390.00
$2,780.00
$4,170.00
$-
$1,000.00
$2,000.00
$3,000.00
$4,000.00
$5,000.00
Coding Testing Beta Release
Cost to Fix a Vulnerability Depends on When it is Found
Process Efficiency
What Good is this Tool? 26
AST Server with Several Code Repositories
Developer for application Y
Developer for application Z
Developer for application XCode repository for
Application X
Code repository forApplication Y
Code repository forApplication Z
Build server for Application X
Build server for Application Y
Build server for Application Z
CI Server
Simplify your workflows
What Good is this Tool? 27
Security Analyst
Only new findings are triaged
Scan Server
Scan Results
Downloaded
Triaged Scan Results
Security Analyst
Subsequent Scans
Triaged Results
Uploaded
Scan Results
Downloaded
New Vulnerabilities
Already Triaged
Initial Scan
Use of a centralized environment drastically reduces the time required for subsequent assessments
General Recommendations
• If IAST is a good fit for you, use it.
• If possible, use at least 2 AST technologies.
– Encourage communication between your AST teams. Don’t create more silos within your security group.
• Prototype/pilot a deployment with a free tool
• Sprinkle security throughout the SDLC
• Get Continuous
What Good is this Tool? 28
Still not sure what to do?
• Come talk to me
• You are not alone.
Questions or positive feedback?
What Good is this Tool? 29