Application security testing is a strenuous process and existing approaches have their limitations; however, a new approach can improve the process.
Fremont, CA: As applications migrate to the cloud, their security has become paramount. According to recent research, application vulnerabilities are the leading source of security breaches in 2018. The two pressing challenges for cybersecurity in the coming decade will be spear-phishing or application vulnerability exploits, according to the Verizon Data Breach Investigations report. A different survey shows that only 10 percent of the organizations report repairing critical vulnerabilities promptly. Thus, the market needs a shift, and to understand the change, a clear view of the current state of application security needs to be stated.
Currently, the software development lifecycle (SDLC) has a development (dev) and production (prod) phase. In the dev phase, the goal is to find and fix vulnerabilities, and in the prod stage, the goal is to protect the application from all its vulnerabilities. Software providers need only need one or the other; however, neither is foolproof. Thus, companies use some form of both.
Static application security testing (SAST) analyzes the application from inside-out by inspecting its source code. SAST leverages fundamental knowledge of vulnerabilities; however, conventional SAST scans are slow, requiring hours or even days to complete. Further, the results often show false-positives. On the other hand, dynamic application security testing (DAST) probes the application from outside in similar to the black box, which unveils interfaces for vulnerabilities. Generally, DAST accurately identifies externally visible vulnerabilities, but it requires test scripts to test everything, which from a practical standpoint, is impossible. Additionally, it only analyzes exposed interfaces, which presumes an attacker only has external access. The third approach is interactive application security testing (IAST), which improves on DAST by instrumenting the application for more in-depth analysis.
Each approach has its advantages and disadvantages. An ideal application security testing would have a faster version of inside-out approach of SAST. It would analyze the entire application, including third-party APIs, dependencies, and frameworks like DAST. For SAST to be complete, it should be combined with the data from the production environment to address reachability challenges. Regardless of the competence of an AST toolchain, there will be unfixed vulnerabilities in the production environment, but a tool is always needed to protect applications in production. This new approach instruments the application based on SAST findings to ensure high-performance and accurate protection notifying the developer about the location of the vulnerability into code that needs to be fixed.