Information security breaches continue to make headlines. 2017 and early 2018 saw several major organizations such as Equifax and even the IRS fall prey to hackers who exploited security vulnerabilities.
Attacks come fast: exploitation often begins within a day of a CVE (Common Vulnerabilities and Exposures) entry being published, and sometimes before any patch exists at all, in the case of a zero-day. How do you protect yourself?
Application security testing is critical, and it must be done right. This means adhering to recommended application security guidelines, and using the latest tools and technologies.
By now you are most likely familiar with the two most prominent technological approaches to application security, with catchy acronyms. Static Application Security Testing (SAST) examines your application’s source code for instances of known coding flaws. Dynamic Application Security Testing (DAST) probes your application while it’s running, looking from the outside for the same flaws an attacker would find.
Here we take a closer look at three emerging application security tools that take this further by introducing instrumentation into your code – Interactive Application Security Testing (IAST), Runtime Application Self-Protection (RASP), and a new technique unique to our Code Dx product that we are calling Hybrid Application Security Testing (HAST).
Each one uses a similar technology of inserting special code into your application – what we call “instrumenting” your code, the way astronauts are instrumented to monitor their health – to deliver very different benefits to application security testing. You need to understand the differences between each one, so you can properly leverage them and create a sound application security strategy.
The rise of Interactive Application Security Testing (IAST)
IAST combines the SAST philosophy of examining the code with the DAST view of the running application, and it does both while the application is running. While SAST tools speak of testing the application from the “inside” and DAST tools from the “outside,” IAST tools speak of testing “from the inside out.”
IAST tools install instrumentation code, called an “agent,” into the application. The agent watches the application from the inside while it is being exercised by functional tests, QA testers, or a DAST scanner, following untrusted data from where it enters (an HTTP parameter, say) to where it is used (a database query, a file path, a command) and flagging vulnerabilities along the way. Because it sees the actual data, configuration, and call stack, the agent can identify security flaws that SAST and DAST tools miss.
The benefits of IAST tools include:
- Reports fewer false positives
- Provides deeper coverage than SAST or DAST alone because it observes the real application from within. It sees:
- The application’s own code as it actually executes (only exercised code paths are observed, so the tests or scans driving the application determine how much is covered)
- Runtime control
- Configuration information
- Third-party libraries and frameworks
- HTTP requests
- Database queries
- Backend connection information
- Incorporates easily into the development process
- Offers scalability
- Provides instant feedback to developers so issues can be addressed right away
The disadvantages of IAST tools are:
- They add overhead: the instrumentation changes how the code performs, which is why IAST is normally run in test or QA environments rather than in production.
- It is a newer technology, so other issues or drawbacks may still arise.
Then came Runtime Application Self-Protection (RASP)
A more recent development has been RASP – Runtime Application Self-Protection. It is predicted that the global market for RASP will grow at a Compound Annual Growth Rate (CAGR) of almost 50% between 2018 and 2022.
As its name implies, RASP technology provides security protection for an application while it is running – as opposed to the detection offered by IAST. RASP leverages the same technique as IAST by installing an agent within the application; the difference is in how the agent is used. IAST tools look for security vulnerabilities, whereas RASP monitors the application for attacks, and protects the application against them when it senses an attack happening.
RASP does not change the design of the application. It adds a layer of protection at deployment time by hooking the points where the application performs sensitive operations (database queries, file and OS command execution, deserialization, and so on) and deciding, with the full request context in view, whether a given call is actually an attack.
It can be used simply to diagnose or to self-protect:
- Diagnostic (monitor) mode raises an alert or alarm when an attack is detected, but lets the request continue.
- Self-protection (block) mode actually stops the operation that would carry out the attack, for example by raising an exception or ending the request before the malicious query or command runs.
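To make the IAST and RASP descriptions above concrete, here is an added example in Python, constructed for this article and not taken from any product’s agent. One hook on the SQL execution sink is used two ways. In “iast” mode it reports the vulnerable call site whenever a request parameter shows up in the query text at all, even with benign test input, because the value can only have got there by concatenation. In the two RASP modes it decides at runtime whether the input actually changes the structure of the query: monitor mode records an alert, block mode raises before the query runs. The request context (`serve`), the `users` table, the `find_user_*` functions, and the payload are all hypothetical; the token-boundary check stands in for the lexical analysis a real agent performs, and the verbatim substring match stands in for its taint tracking.

```python
import re
import sqlite3
import traceback

_current_params = {}   # request context; the hypothetical HTTP layer fills it via serve()

def serve(params):
    _current_params.clear()
    _current_params.update(params)

# Minimal SQL lexer: does an input value stay inside one token (plain data),
# or spill across token boundaries (it changed the structure of the query)?
_TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'            # string literal, '' is an escaped quote
  | --[^\n]* | /\*.*?\*/      # line comment, block comment
  | [A-Za-z_][A-Za-z0-9_]*    # keyword or identifier
  | \d+(?:\.\d+)?             # number
  | \s+ | .                   # whitespace, any other single character
""", re.S | re.X)

def spans_multiple_tokens(sql, value):
    """True if `value` occurs in `sql` and crosses a token boundary there."""
    start = sql.find(value)
    if start < 0:
        return False
    for m in _TOKEN_RE.finditer(sql):
        if m.start() <= start < m.end():
            return start + len(value) > m.end()
    return False

class AttackBlocked(Exception):
    pass

class Agent:
    """mode: 'iast' (find the flaw), 'rasp-monitor' (alert), 'rasp-block' (stop)."""
    def __init__(self, mode):
        self.mode = mode
        self.findings = []   # IAST: vulnerable code locations
        self.alerts = []     # RASP: attacks observed at runtime

    def inspect(self, sql):
        for name, value in _current_params.items():
            if not value or value not in sql:
                continue     # bound as a parameter: never reached the SQL text
            if self.mode == "iast":
                # Concatenated into the query: report the flaw even for benign
                # input, with the calling function so a developer can fix it.
                caller = traceback.extract_stack()[-3]
                self.findings.append({"param": name, "function": caller.name, "sql": sql})
            elif spans_multiple_tokens(sql, value):
                self.alerts.append({"param": name, "value": value, "sql": sql})
                if self.mode == "rasp-block":
                    raise AttackBlocked(f"SQL injection via parameter {name!r}")

class InstrumentedConnection(sqlite3.Connection):
    agent = None   # the instrumentation: every execute() passes through the agent
    def execute(self, sql, parameters=()):
        if self.agent is not None:
            self.agent.inspect(sql)
        return super().execute(sql, parameters)

def connect_instrumented(agent):
    conn = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    conn.agent = agent   # attach after schema setup so only app queries are inspected
    return conn

# Hypothetical application code under test: vulnerable and fixed versions.
def find_user_unsafe(conn, name):
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()
def find_user_safe(conn, name):   # bound value never becomes part of the SQL text
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
INJECTION = "' OR '1'='1"   # constructed attack payload

def demo():
    results = {}
    iast = Agent("iast")                # QA run: benign input, flaw still found
    conn = connect_instrumented(iast)
    serve({"name": "alice"})
    find_user_unsafe(conn, "alice")
    find_user_safe(conn, "alice")
    results["iast_findings"] = [f["function"] for f in iast.findings]
    monitor = Agent("rasp-monitor")     # production, monitor: rows leak, alert fires
    conn = connect_instrumented(monitor)
    serve({"name": INJECTION})
    results["monitor_rows"] = len(find_user_unsafe(conn, INJECTION))
    results["monitor_alerts"] = len(monitor.alerts)
    block = Agent("rasp-block")         # production, block: benign passes, attack stopped
    conn = connect_instrumented(block)
    serve({"name": "alice"})
    results["block_benign_rows"] = len(find_user_unsafe(conn, "alice"))
    serve({"name": INJECTION})
    try:
        find_user_unsafe(conn, INJECTION)
        results["blocked"] = False
    except AttackBlocked:
        results["blocked"] = True
    return results
```

Calling `demo()` gives one IAST finding (in `find_user_unsafe` only; the parameterized `find_user_safe` never puts the value into the SQL text, which is exactly the property the agent checks), two leaked rows plus one alert in monitor mode, and a blocked request in block mode. The substring match is deliberately simple: a short value that happens to coincide with a table or column name would produce a false positive, which is one reason real agents track taint through the code rather than comparing strings.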
The advantages of RASP are:
- Provides an added layer of protection for your application while it is running. Many view it as a stronger layer than a web application firewall (WAF): RASP lives inside the application, so it sees the actual query, file path, or command the application is about to execute rather than inferring intent from the HTTP request alone.
- Fits well with faster development cycles.
- Lets you watch for unexpected inputs reaching sensitive operations.
- Provides more detailed information on an attack if and when one occurs – which means you can fix the issue faster.
The disadvantages of this emerging technology are:
- RASP agents run inside the application process on the server, adding latency to every operation they inspect.
- It’s not always possible to deploy RASP agents in production due to regulations or internal policies that prevent installation of additional software, or locked-down infrastructures such as Platform as a Service (PaaS).
- Use of RASP can lead to a false sense of security. You may think, “We don’t need to worry as much about application security because our Runtime Application Self-Protection will keep us safe.” This is not true. If RASP does identify a problem, the underlying flaw still needs to be fixed, and that may mean taking your application offline while you work on it. Blocking rules can also misfire on legitimate traffic, so block mode should be tuned in monitor mode first.
RASP does not replace application security testing. It is a newer technology that enhances the standard application security testing process, but will not protect against all vulnerabilities.
And now, Hybrid Application Security Testing (HAST)
IAST and RASP are promising techniques, but as noted both can affect how your application runs for your users. We wanted the security benefits of run-time knowledge during development without touching the production experience. So we devised a hybrid approach: agent technology gathers run-time code execution insight during Dynamic testing, and those insights are combined with Static testing results to make it faster and easier to locate and fix the vulnerabilities most accessible to attackers.
We’ve taken to calling this Hybrid Application Security Testing, or HAST, to highlight its role as part of the overall application security testing process. HAST merges and correlates the results from SAST tools and DAST tools to focus your efforts on the vulnerabilities that matter most, and deliver a huge benefit to application security testing.
SAST tools identify potential vulnerabilities. Results need to be cross-referenced with issues found by DAST tools to determine if potential vulnerabilities are exploitable threats.
HAST accomplishes this by combining and correlating the results from both types of tools. You can identify which vulnerabilities are confirmed exploitable and belong at the top of your remediation list. The converse does not hold: a SAST finding with no matching DAST result is not proven safe, since the dynamic scan may simply never have reached that code path.
HAST once again uses the same technology as IAST and RASP, installing an agent within the application. The agent runs in the application while the DAST scan takes place, records which code executes as each probe is served, and uses that record to identify which DAST findings correspond to which SAST findings.
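As an added illustration of that correlation step, here is the join written out in Python. It is constructed for this article, is not Code Dx’s implementation, and says nothing about how the product does it internally; the SAST findings, DAST findings, agent traces, file names, request ids and CWE numbers are all made up. Each DAST probe is joined to the code locations the agent saw execute while that probe was served, and a SAST finding is confirmed when a probe of the same vulnerability class passed through its location.

```python
from collections import defaultdict

# Constructed inputs. SAST findings carry a code location; DAST findings carry
# the probe request that triggered them; the agent's traces record which sink
# locations executed while each probe was served.
SAST = [
    {"id": "S1", "cwe": 89, "file": "app/users.py", "line": 42},    # SQL injection
    {"id": "S2", "cwe": 79, "file": "app/views.py", "line": 17},    # XSS
    {"id": "S3", "cwe": 89, "file": "app/reports.py", "line": 88},  # SQLi, never reached
]
DAST = [
    {"id": "D1", "cwe": 89, "request": "req-101", "url": "/users?name="},
    {"id": "D2", "cwe": 79, "request": "req-207", "url": "/profile"},
    {"id": "D3", "cwe": 22, "request": "req-311", "url": "/files?path="},  # no SAST match
]
TRACES = {
    "req-101": [("app/db.py", 12), ("app/users.py", 42)],
    "req-207": [("app/views.py", 17)],
    "req-311": [("app/files.py", 5)],
}

def correlate(sast, dast, traces):
    """Tag each SAST finding confirmed/unconfirmed by the DAST probes whose
    execution trace passed through the same location with the same CWE."""
    confirming = defaultdict(set)
    for d in dast:
        for location in traces.get(d["request"], ()):
            confirming[(location, d["cwe"])].add(d["id"])
    out = []
    for s in sast:
        key = ((s["file"], s["line"]), s["cwe"])
        ids = sorted(confirming.get(key, ()))
        out.append({**s, "status": "confirmed" if ids else "unconfirmed", "dast": ids})
    # Confirmed-exploitable first: that is the top of the remediation list.
    return sorted(out, key=lambda f: (f["status"] != "confirmed", f["id"]))

def unmatched_dast(dast, correlated):
    """DAST findings no SAST result explains: issues SAST missed, or code
    outside the static scan's reach. They still need triage."""
    used = {d for f in correlated for d in f["dast"]}
    return [d["id"] for d in dast if d["id"] not in used]
```

Two leftover buckets matter as much as the matches. `S3` comes out unconfirmed, not cleared: the scanner never reached `app/reports.py`, so its status says nothing about exploitability. `D3` is a DAST finding with no static counterpart, meaning either SAST missed it or the code was outside the scan; it needs triage rather than being dropped for lack of a correlation partner. Matching on the CWE as well as the location keeps an XSS probe that happens to pass through a SQL sink from “confirming” an unrelated SQL injection finding.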
The latest version of Code Dx Enterprise now offers HAST. More information on this new capability is coming soon.
These newer application security testing tools make application security testing better. But they do not replace SAST and DAST tools.
A proper application security testing strategy uses SAST, DAST, IAST, RASP, and HAST to identify vulnerabilities, prioritize them, and provide an extra layer of protection against attack.
But you still need to fix the issues that are found, which requires a remediation process. Using the right tools gives you comprehensive coverage, and streamlines the entire process by automatically correlating results to help you identify those that need immediate attention.
As new tools and technologies emerge, you need to educate yourself to see how you can keep your application secure.