Application security testing is an integral part of the development process. A proper testing methodology utilizes multiple tools (and types of tools) and incorporates application security testing into the design, development, and production phases of the application development lifecycle. But you may find yourself overwhelmed by the inundation of results from all of these testing tools.
How do you sort through results and reports from various sources? Which application vulnerabilities are legitimate and exploitable? Which ones require your immediate attention? And – one of the most important questions – how do you get your developers to pay attention to these threats and fix them before moving on to the next phase of development?
In this post, we take a brief look at how important application security is to Agile software development and why you need to use multiple testing tools. We also acknowledge the challenges raised by using multiple tools, and show you how you can overcome these issues to remediate your code quickly and effectively.
DevOps versus DevSecOps
Most application developers are familiar with the Agile process. Emphasis is placed on creating a collaborative working environment with work being done incrementally.
This is often done through an Integrated Development Environment (IDE), which may consist of a source code editor, compiler, and interpreter, as well as a debugger and build automation tools.
Agile development relies on Continuous Integration (CI) and Continuous Development (CD) – methodologies that require developers to check code into a shared repository on a frequent basis. Each check-in is verified by an automated build, with errors being detected early and remediated right away.
DevOps and DevSecOps have emerged as two closely related ways to adhere to the Agile process. DevOps breaks down the traditional silos that exist between development and IT operational teams. The focus is on the user experience. An environment of collaboration and communication is created with two goals in mind:
- Deploy quickly.
- Identify and correct issues as they occur.
DevSecOps takes this a step further by acknowledging the importance of security throughout the entire software development lifecycle. Attention is given to security in every step of the development process, starting at the very beginning of the DevOps workflow.
Application security testing is performed continuously throughout development, and issues are fixed as they are found. The DevSecOps approach is in line with Agile software development and delivers several benefits:
- It is easier to fix issues as soon as they are found, and it costs less money.
- Each iteration is better prepared for commercial deployment.
- Software can be updated and deployed more quickly, allowing you to meet customer and market demands faster than your competition – with a product that is secure.
Organizations are better able to meet user needs and deliver a high-value product in a more timely and efficient manner. Federal agencies are among the leading organizations embracing this approach for its benefits.
The benefits of DevSecOps – including cost reductions, increased customer value, and increased code coverage – are discussed in greater detail in this white paper from DevSecCon.
But the DevSecOps approach requires the use of multiple testing tools and types of tools to give application security the attention it deserves throughout the entire process. Let’s look at two of the most common types – SAST and DAST.
SAST and DAST: Why you need both
Two of the most common types of application vulnerability testing tools are Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools.
SAST tools examine the application from the inside, looking at the source code, byte code, or application binaries for security vulnerabilities. DAST tools, on the other hand, approach the application from the outside, mimicking a “robot hacker” to find vulnerabilities.
For a closer look at the pros and cons of SAST and DAST tools, check out our recent blog post on application vulnerability testing software.
A secure software development lifecycle requires comprehensive application security testing. So you need to employ both SAST and DAST tools – and more than one of each type.
Each tool on the market has its strengths and weaknesses. You need to make use of multiple tools to make sure you are creating a secure application from all angles.
There are many open source tools you can use at little to no cost to get comprehensive coverage of your application. But multiple tools can be difficult to manage.
Data overload and how to manage it effectively
The use of many tools and different types of tools is a necessary evil that creates certain challenges in application development.
Each tool generates a report (in different formats) full of potential vulnerabilities. The results need to be cross-referenced to remove duplicates, and you need to figure out which of the potential threats are truly exploitable vulnerabilities. Additionally, you need to know which ones are the biggest threats so you can address them first.
Then there is the issue of getting your developers to pay attention to these issues. Developers do not want to step outside of their preferred toolkit or stop working to fix potential issues. As long as the code works (regardless of potential threats), they just want to keep building. How do you even track if anyone is working on an issue and if/when it has been fixed?
There is a way to manage all of these tools and their disjointed results so you can streamline the application security testing process – an application vulnerability manager.
Code Dx Enterprise is an example of such a tool. It is not another testing tool – but it unleashes the true power of the testing tools you are using and provides a way to gain real value from the results. You get better vulnerability coverage and fewer false positives.
The value of the no-cost and low-cost open source tools is realized as the results from these tools are quickly correlated. This removes the time-consuming, tedious, and error-prone process of weeding through these results manually.
A comprehensive application security testing process becomes achievable. Here are some features to look for in an application vulnerability manager:
- De-duplication – Duplicate results from the myriad of reports are automatically removed. You get one report with a single set of results. The tool works across multiple testing techniques, including SAST, DAST, IAST, third-party component analysis, threat modeling, and manual review.
- Remediation management – Identifies the specific lines of code where vulnerabilities exist and identifies neighboring flaws and vulnerabilities. A centralized console gives you the ability to assign, track, and monitor the progress of remediation.
- Workflow integration – What better way to get your developers to pay attention to security threats than by making it a part of their development environment? Integration with popular environments such as Eclipse makes it easy for developers to fix problems. A tool that embeds into Continuous Integration environments and integrates with the Jira issue tracking tool provides additional streamlining. Integration with the Jenkins build server allows you to kick off analyses from within Jenkins.
- Reporting – A wide variety of reports make it easy to sort through testing results and track how remediation is going. Reports on how long it takes to remediate issues enable you to make sure remediation is happening quickly.
- Application Vulnerability Correlation (AVC) – SAST tools identify potential vulnerabilities, while DAST tools identify which of those vulnerabilities are actually exploitable. Combining all of these results lets you know which threats are real and of the highest priority.
- Compliance checks – Automatically check your codebase against regulations such as HIPAA, the DISA-STIG, and the PCI DSS. Violating lines of code are flagged, and the specific violation is identified. Suggestions are made to achieve compliance.
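To make the de-duplication and correlation points above concrete, here is a small added illustration (not Code Dx code, and not any vendor's format): findings from two SAST tools and one DAST tool, already normalised to one shape, are merged by CWE and location, duplicates collapse into one entry, DAST hits on the same CWE and route mark the entry as confirmed, and the result is sorted so confirmed, multiply-flagged issues come first. The tool names, file paths and routes are constructed sample data.

```python
# Constructed sample findings normalised to one shape; real tools emit their own
# XML/JSON reports, so a per-tool parser would sit in front of this step.
SAST = [
    {"tool": "sast-a", "cwe": 89,  "file": "app/login.py",  "line": 42, "route": "/login"},
    {"tool": "sast-b", "cwe": 89,  "file": "app/login.py",  "line": 42, "route": "/login"},
    {"tool": "sast-a", "cwe": 79,  "file": "app/search.py", "line": 17, "route": "/search"},
    {"tool": "sast-b", "cwe": 798, "file": "app/config.py", "line": 3,  "route": None},
]
DAST = [
    {"tool": "dast-x", "cwe": 89, "route": "/login",    "confirmed": True},
    {"tool": "dast-x", "cwe": 22, "route": "/download", "confirmed": True},
]


def correlate(sast, dast):
    """Merge findings keyed by (CWE, file, line); attach DAST hits on the same CWE and route."""
    merged = {}
    for f in sast:  # de-duplicate: two SAST tools flagging the same line become one entry
        key = (f["cwe"], f["file"], f["line"])
        entry = merged.setdefault(key, {
            "cwe": f["cwe"], "file": f["file"], "line": f["line"],
            "route": f["route"], "tools": set(), "confirmed": False,
        })
        entry["tools"].add(f["tool"])
    for d in dast:
        matched = False
        for entry in merged.values():
            if entry["cwe"] == d["cwe"] and entry["route"] == d["route"]:
                entry["tools"].add(d["tool"])          # correlation: SAST + DAST agree
                entry["confirmed"] = entry["confirmed"] or d["confirmed"]
                matched = True
        if not matched:  # keep DAST-only hits instead of silently dropping them
            merged[(d["cwe"], None, d["route"])] = {
                "cwe": d["cwe"], "file": None, "line": None, "route": d["route"],
                "tools": {d["tool"]}, "confirmed": d["confirmed"],
            }
    return merged


def prioritize(merged):
    """Confirmed-exploitable first, then entries flagged by more tools (stable for ties)."""
    return sorted(merged.values(), key=lambda e: (not e["confirmed"], -len(e["tools"])))


if __name__ == "__main__":
    for e in prioritize(correlate(SAST, DAST)):
        print(e["confirmed"], e["cwe"], e["file"], e["line"], e["route"], sorted(e["tools"]))
```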
An application vulnerability manager takes the headache out of using various tools and techniques for security testing. You get comprehensive security coverage, but do not have to waste time and resources sorting through the results, identifying real threats, and tracking whether or not they are fixed.
Security is given the attention required by DevSecOps. You stay Agile rather than drowning in a sea of results.