Application vulnerabilities are the #1 cyberattack target, but how do you know you are using the right tools to secure them?
RSA Conference 2017 is just a few weeks away and all you need to do to get a sense of the mind-boggling array of security solutions on the market is to take a walk through one of the two massive expo halls. Even if your search is focused on application security solutions, the wide variety of approaches (SAST, DAST, IAST, RASP, Pen, Fuzz, etc.), and myriad vendors, is enough to freeze anybody in their tracks.
And yet, you can’t afford to put your head in the sand and hope that the network security measures used by your customers or internal operations teams will shelter your applications from attack. The truth of the matter is that hackers have realized that application vulnerabilities are like an unlocked back door, allowing them to gain access to sensitive systems and data simply by exploiting flaws in application design or implementation. In fact, a recent study by SAP noted that applications are the target of over 80% of cyberattacks.
Are Static or Dynamic Analysis Tools Enough?
Enter Application Security tools. These solutions help development teams locate and fix vulnerabilities before applications go into production. Most of these solutions fall into one of two categories:
- Static Analysis – These solutions work by examining the source or binary application code to detect vulnerable coding patterns.
- Dynamic Analysis – These solutions work by testing a running application to detect vulnerable behavior.
There are many variations on these themes. Different solutions apply various technologies and levels of automation or optimize for specific types of apps. But in general, these variations simply improve their ability to perform one of these two testing functions. There are also some newer approaches, such as Runtime Application Security Protection (RASP), which attempt to bake security defenses directly into the application itself, though these are not yet widely used.
Should you simply pick a static or dynamic analysis solution and stop there?
Many teams make this mistake. They determine that they need some kind of appsec tool and assume that, once they pick one they like, they’ve checked the appsec box and can move on. Unfortunately, what they usually find is that their one-tool plan leaves a lot vulnerabilities undetected. This is especially true when it comes to open source components. Off-the-shelf static and dynamic testing tools have shown themselves to be ineffective at finding vulnerabilities in open source components, as only a handful of the thousands of open source vulnerabilities recorded in the National Vulnerability Database (NVD) were found by them.
Which Application Security Tool Should We Use?
Appsec cannot be a check-the-box item. Rather than look for the nearest exit, you need to take a step back and look at the types of applications your team builds and how they build them, and use that information to make an informed selection.
- Are you building apps (e.g. certain types of mobile or embedded apps) that require specialty testing tools?
- How are your applications deployed? Internal network? Customer network? SaaS?
- What programming languages or components do you use? Do open source components make up a significant portion of the codebase?
- How long do applications or versions remain in use? What type of ongoing vulnerability protections do you need to have in place?
- How is your development process structured? Do you have distinct testing phases or do you integrate testing into a build automation and continuous integration platform?
Given this, which appsec tool should you use?
It’s a trick question. No single tool or approach will fully cover the range of vulnerabilities present in most applications. To do the job right you are going to need to assemble a multi-tool toolkit tailored to the needs of your applications and development processes.
To help you get started we’ve put together an Application Security Buyers Guide. In it you will find descriptions of the various appsec testing approaches as well as strengths and limitations of each. Using information in the buyer’s guide with the insights you gain from considering the above questions, you’ll be able to determine which tools you need in your toolbox, and establish a framework for evaluating specific vendor offerings as you fill that toolbox.