Why Developers Need More than SAST and DAST for Real Code Security?

When SAST, DAST, IAST etc. are Just Not Enough

Once developers find tools that work for them, it is hard to make a change. SAST and other legacy Application Security tools fall into the area of being solid tools that work. In the last couple of years the threat landscape has evolved and new vulnerabilities have emerged. SAST, DAST, and other Application Security tools may be effective within their own realm, however in the context of how software is developed today, they do not provide sufficient visibility into hard coded secrets and other code security risks.

These vulnerabilities in code are contributing to it becoming the largest cyberattack surface. Software supply chains, which are no longer monolithic entities, are made up of several disparate software components from multiple sources.?

Recent large and very visible security breach incidents have been attributed to software supply chain vulnerabilities?

With the constant need to accelerate the pace of software deployment, security for applications has become more complex as the use of open source software and code from third-party repositories becomes more prevalent. With this trend growing, developers are now taking a more defined role in the deployment of application security.

The Ground Underneath is Shifting – Security Needs to Shift Left

Development and security teams together had attempted to respond by embracing both static and dynamic testing tools to address code security. However, there are several areas where these tools fall short of providing complete and effective protection.

Several trends are driving the need for a more effective code security:

• Increased open source adoption
• Code can reside in multiple Git and other repositories with no visibility into the chain of custody
• Prior versions of the code sitting in repositories can be exploited even though the deployed version has been secured.
• Late resolution of vulnerabilities negatively impacts automated CI/CD and high velocity pipelines
• Attackers are becoming more adept at exploiting secrets in code to launch full-blown and crippling cyberattacks.

Current generation application security tools in use today are not effective at identifying and remediating most, if not all these issues. What follows is a description of those tools and why developers need to augment their code testing practices with new security solutions that have emerged to address the gaps not covered by traditional application security tools.

Understanding Static, Dynamic Test Tools – Where are They Falling Short

Static?and?Dynamic Code Testing?are used for testing code to seek out potential areas of weakness that translate into security vulnerabilities. This is really important as other threat vectors are being mitigated, cyber attackers are transitioning to code as being one of the most prevalent threat vectors. There are core differences in how these two forms of security testing work and the conditions in which they are deployed.

Static Application Security Testing (SAST) is a security tool which scans an application’s code early in the DevOps process. This could include source code, executables or other similar forms. SAST identifies security vulnerabilities in the code and is widely used by developers. SAST does not require the application to be running, it analyzes the source code or binaries without running the application.

The individual testing the code usually has access to the underlying code infrastructure and design, which is why it is also known as the inside-out approach.?

SAST reduces security risks in applications by providing immediate feedback to developers on issues introduced into code during development. It helps educate developers about security while they work, providing them with real-time access to recommendations and line-of-code navigation, which allows for faster vulnerability discovery and collaborative auditing. This enables developers to create more code that is less vulnerable to compromise, which leads to a more secure application.

In keeping with Shift-Left principles, SAST can help find issues earlier in the development lifecycle bringing visibility to security issues earlier in the development lifecycle. This makes it easier to remediate the issues.?

Drawbacks: SAST cannot uncover run-time security vulnerabilities. This limitation means it is effective for only part of the job.

Dynamic Application Security Testing (DAST) is the process of exercising an application from the outside to check for security vulnerabilities. This is done by scanning the application in the running environment. While DAST does not rely on source code or executables, it does require a running application to analyze. One key advantage is that DAST can find run-time vulnerabilities, however it is usually limited to externally facing applications like web applications and other web services.?

Drawbacks: One of the biggest drawbacks for DAST is that it finds vulnerabilities later in the software development life cycle when they are more costly and time consuming to fix. DAST does not have any visibility into code. This means that without SAST, it is difficult for developers to pinpoint areas where the problems are occurring.

Interactive Application Security Testing (IAST) came about as the need to link together security solutions across the stages of CI/CD or release orchestration. It seemed like the perfect complement. The approach is to instrument the runtime environment with an IAST testing agent that observes attacks and impact to operations to identify vulnerabilities.

Drawbacks: One of the biggest drawbacks for IAST is it tests functionality only at certain checkpoints. These testing triggers are defined by QA or Dev engineers. This makes it significantly faster however it does not provide the code coverage that SAST does.

Dev and Security Teams Need More, But Not Everything Needs to be Replaced

Developers today recognize the impact of security breaches to the organization. They are doing their part to ensure that the code developed and deployed not only delivers value to the organization, but also remains secure and protected.?

Security-conscious developers in leading organizations have been working hand in hand with Security to close key security gaps that exist even after deploying security application tools. The current shift left thinking encourages security to be addressed early in the development cycle. It is generally accepted that security issues uncovered in the deployment phase, or even worse, post-deployment, can be very expensive to the organization.

How does Dynamic Application Security Testing (DAST) work?

DAST solutions identify potential input fields within an application and then send various unusual or malicious inputs to them. This can include both attempted exploits of common types of vulnerabilities – such as SQL injection commands, cross-site scripting (XSS) vulnerabilities, and long input strings – and unusual inputs that might uncover issues with input validation and memory management within an application.

Based on the application’s response to various inputs, the DAST tool identifies whether or not it contains a particular vulnerability. For example, if an SQL injection attack provides unauthorized access to data or an application crashes due to invalid or malformed input, then this indicates an exploitable vulnerability.

Why DAST is important

DAST solutions are designed to identify potential vulnerabilities within an executing application. This makes it possible to find configuration or runtime vulnerabilities that may impact the application’s functionality and security.

Pros and Cons

DAST solutions are a vital component of an enterprise application security strategy. Some of the main advantages of a DAST solution include:

• Detecting Runtime Issues:?DAST scanners interact with a running application, enabling it to detect both compile-time and runtime issues within an application.
• Low False Positive Rates:?DAST identifies vulnerabilities by exploiting them, enabling it to verify that a potential vulnerability actually poses a threat to an application’s functionality or security.
• Language Agnostic:?DAST solutions test running applications in a black-box assessment, meaning that it can be used for applications written in any language for any environment.

Despite its numerous advantages, DAST is not a comprehensive solution. Some of the main disadvantages of DAST include:

• Late Appearance in SDLC:?DAST requires access to a running application, meaning that it can only be performed late in the Software Development Lifecycle (SDLC) when vulnerabilities are more expensive to remediate.
• Vulnerability Location:?DAST solutions can identify that a vulnerability exists within an application but does not have access to the source code so it cannot find the exact location within the codebase.
• Code Coverage:?DAST solutions evaluate a running application, meaning that they might miss vulnerabilities in parts of the code that are not executed.

DAST vs. SAST

Static Application Security Testing (SAST) performs analysis of an application’s source code rather than interacting with a running application. DAST and SAST are complementary approaches to application security. Some of the main differences between DAST and SAST include:

• Test Type:?SAST is a white-box vulnerability scan with full access to the application’s source code, while DAST is a black-box assessment with no knowledge of the application’s internals.
• Required Code Maturity:?SAST solutions scan source code, which enables them to run on partial code. DAST solutions can only analyze running applications, which requires more mature code.
• Phase of SDLC:?SAST’s ability to analyze source code allows it to be performed earlier in the SDLC than DAST, which requires a running application.
• Remediation Cost:?Since SAST analysis occurs earlier in the SDLC, it costs less to fix any identified vulnerabilities than with DAST. The later in the SDLC, the more code that might need to be fixed and the less time available to do so.
• Vulnerability Coverage:?DAST solutions are able to identify runtime vulnerabilities and configuration errors that SAST solutions cannot since code is not running during SAST analysis.
• Location of Vulnerability:?SAST solutions scan source code, so they know exactly where in an application a vulnerability is located. DAST only knows that a vulnerability exists but can’t point to a particular line of code.
• False Positive Detections:?DAST interacts with an application, enabling it to determine if a potential vulnerability actually impacts an application’s functionality. SAST only works based on a model of an app and has a higher rate of false positives.