I’ve been asked a few times recently what the value is in performing DAST (dynamic application security testing) and/or SAST (static application security testing) if an application was developed with security in mind from the ground up. This is a valid question, and development and QA teams, IT and security managers, and internal audit staff need to be aware of the implications surrounding application security from this perspective.
Looking at the security of applications, if you start out with a “secure” mindset and develop the proper standards, think through the necessary threat modeling, and adhere to safe coding practices, you should end up with a reasonably resilient system. This goes for web applications, traditional client/server applications, or mobile apps. In theory, if it has code, it can be made secure from the ground up without ever validating the security throughout the lifecycle or on the backend once it’s complete. But why would you ever do that? Well, believe it or not, many people do, and I’m not convinced that it’s a safe approach, much less one reflective of due care in an overall information security program.
DAST and SAST are expensive. They require unique tools. They require skilled operators with the experience and wisdom to translate and sift through the findings and turn them into tangible business cases and solutions. That’s why DAST and SAST are often put on the backburner or ignored altogether. That’s still no excuse. The reality is, this situation is no different than a homebuilder building a new, fancy home that adheres to all of the latest building codes and practices yet ends up having problems with air drafts, water leaks, door fitment, radon levels and a bevy of other things that many of us homeowners have experienced. Even after county inspectors come along and check their boxes when all is said and done, plenty of problems with homes go undiscovered during the building process and surface only later. Software is no different.
In fact, software is a lot more complicated than the typical house. There are so many factors involved that impact the current and ongoing status of application security, such as:
- Known vulnerabilities that are discovered thanks to the ongoing work of researchers and security product vendors
- Unknown vulnerabilities that become tangible risks once someone, often unwittingly, uncovers them
- DAST and SAST tools from competing vendors that tend to find different things – a frustrating reality of application security testing
- Underlying network, server, and database configurations that spawn weaknesses in the overall environment
- Unique – and unknown – workflows that facilitate exploits
- Endpoint security weaknesses that expose the overall application
Application security is complicated. I’m certainly not convinced that DAST and SAST will come to our rescue and make everything secure. That goes for the latest incarnation of application security testing: IAST, or interactive application security testing, which combines the approaches of both DAST and SAST. One thing I do know: you have to perform the proper application security testing. Unless and until you use automated tools and perform manual analysis using a malicious mindset, you will never truly find the important security weaknesses in your applications. Start strong with good standards, threat models, and strong development and QA processes. But complement that with the proper application security testing, not just now, but ongoing into the future. That’s the only way you can rest assured that your applications can stand up to the latest and greatest attacks.
About the Author
Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. Having over 26 years of experience in the industry and 20 years focusing on security, Kevin specializes in performing independent security assessments of Web applications and network systems. He has written 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
Source: SANS ISC SecNewsFeed @ March 2, 2017 at 03:06PM