You’ve accepted the importance of application vulnerability testing to ensure the security of your software. That’s good. There are many options available when it comes to application vulnerability testing software, so it can become confusing to know which tools are the right ones to use. Different tools identify different problems when it comes to application vulnerability testing, so you need to consider using more than one. This makes it important to have a general understanding of the different types of tools, and why they are important.
There are many tools available to you, both open source and commercial products. Open-source tools are free and available for anyone to download. This makes them a convenient and low-cost method of testing – and a good way to get started. Commercial tools, on the other hand, are licensed, usage is restricted, and, of course, they must be paid for. However, part of what you get with commercial tools is technical support and increased security. Commercial tools are also typically more advanced, with more capabilities. Both open source and commercial application vulnerability testing tools have their value and place, yet statistics show that many organizations are not getting the most out of these tools.
A recent SANS survey found that 10% of enterprises are not testing their applications for security at all, with another 24% testing once per year or less. Additionally, only 12% are testing on a routine basis.
These gaping holes in application vulnerability testing leave organizations open to security threats that can easily be avoided. Businesses need to be more comprehensive in their application vulnerability testing. While both open source and commercial testing tools can help, tools can be further broken down into specific types, helping organizations understand what each kind of tool brings to the table. A proper application vulnerability testing strategy can then be formulated and deployed.
Static Application Security Testing (SAST) Tools
The first type of application vulnerability testing tools we will discuss are Static Application Security Testing (SAST) tools. SAST tools are also referred to as Source Code Analysis tools or White Box testing. These tools examine the source code, byte code, or application binaries for security vulnerabilities.
SAST tools are valuable for application vulnerability testing for several reasons. Specifically, they provide the following benefits:
- They find issues by matching code against known vulnerability patterns, including ones developers may not be aware of
- You can automate the testing process, because you can scan code without the need for human intervention
- They are scalable
- They are ideal for problems that can be found automatically with high confidence, such as SQL Injection Flaws. It is important to note here that while there are tools and techniques to help prevent SQL injection attacks, they are not always implemented correctly, if at all, making this one of the top attack vectors for database-driven applications.
- Output is easily digested by developers, since these tools identify the exact location in the code where problems exist
There are, however, some weaknesses with SAST tools to keep in mind. The main issues to be aware of are:
- SAST tends to identify a high number of false positives
- Results need to be triaged, requiring time to analyze and prioritize the findings
- Many vulnerabilities, such as authentication issues, are not easily found automatically. It is hard to prove whether a reported ‘problem’ is a real, verifiable security threat
- Many SAST tools do a poor job analyzing code that cannot be compiled, so you need the complete and buildable source code package
- SAST scans can be time-consuming, which can slow Agile development and its rapid release cycle
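The benefits and weaknesses above can be seen in a small static check. This is an added example, not code from any scanner named on this page: it parses Python source and flags execute() calls whose SQL text is assembled at runtime, which catches the injectable query but, being purely syntactic, also reports a harmless constants-only concatenation (the false-positive and triage problem).

```python
"""Toy SAST check for SQL built from dynamic strings (added example, not from any
vendor's scanner). It parses Python source and flags every call named execute()
whose first argument is assembled at runtime by concatenation, %-formatting,
.format() or an f-string."""
import ast

# Constructed sample source under test: one injectable query, one parameterized
# query, and a query concatenated only from constants (a classic false positive).
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")  # injectable

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))    # parameterized

def list_users(cursor):
    cursor.execute("SELECT id, name " + "FROM users")                 # constants only
'''


def _is_dynamic_string(node):
    """True when the expression builds its string value at runtime."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + b   or   "%s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...{}".format(b)
    return False


def scan_source(source):
    """Return sorted (line_number, message) findings for suspicious execute() calls.

    The check is purely syntactic, so it cannot tell request input from constants;
    that is why the constants-only query in the sample is reported even though it
    is harmless, and why SAST results need triage before they reach developers.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno, "SQL statement built from a dynamic string"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```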
As you explore the market for SAST tools, a few of the big names you will encounter are Fortify SCA (Static Code Analyzer), CodeSonar, Veracode, and Checkmarx. These are all reputable names in the market, and the pros and cons discussed above should be considered as you evaluate these tools for your testing needs.
Dynamic Application Security Testing (DAST) Tools
The next main type of application vulnerability testing tool is the Dynamic Application Security Testing (DAST) tool. Also known as Vulnerability Scanning tools or Black Box testing, DAST tools approach the application from the outside, like a “robot hacker,” searching for vulnerabilities. DAST tools are important for application vulnerability testing because they:
- Examine the application while it is running, trying to act upon it in unexpected ways to expose potential vulnerabilities
- Mimic an attacker with little knowledge of the application, simulating an external hacker
- Provide for an automated testing process, because they run independently of human assistance
- Offer scalability
Among the disadvantages of DAST tools are:
- They require a running application, so you can’t use them until your application reaches that level of completion
- Because they can only be used late in the development cycle, they are less useful for identifying and correcting issues early in the development process
- Identifying threats can take longer, as you may need to configure and tune the tools to get them to cover as much of the application’s functionality as possible
- They may not sufficiently mimic an attack by someone who has some internal knowledge about the application, which an advanced hacker may be able to achieve
Big names in the DAST space include both commercial and open source tools like Burp Suite, HP WebInspect, OWASP ZAP, and AppScan. Just as with SAST tools, advantages and disadvantages must be considered when selecting which DAST tools are best for your application.
Interactive Application Security Testing (IAST) Tools
As we move up in sophistication, we come to Interactive Application Security Testing (IAST) tools, which combine SAST and DAST. IAST tools – also known as Glass Box testing – instrument the running application so that information available only from inside it, while it is running, can be used to find vulnerabilities.
IAST tools bring a lot of benefits to application vulnerability testing, enabling testers to:
- Find vulnerabilities more accurately, resulting in fewer false positives
- Provide more comprehensive coverage of the application code
- Scale testing as needed
- Provide instant feedback to developers, so issues can be addressed promptly
- Incorporate testing easily into the development process
The disadvantages of IAST tools are:
- The instrumentation can negatively affect application performance, so your testing experience may not be the same as your actual user experience
- They represent a relatively newer technology, so other potential issues or weaknesses may arise
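To make the instrumentation idea concrete, here is an added example that is not any vendor's IAST agent: a wrapper placed around the database cursor inside a running application. Because it sees the actual request values at execute() time, it reports the query that really embeds request input and stays quiet on the constants-only concatenation a syntactic check would flag, at the cost of extra work on every instrumented call.

```python
"""Toy IAST-style instrumentation (added example, not any vendor's agent). The
wrapper sits inside the running application around the database cursor, so at
execute() time it can compare the SQL text against the values that actually
arrived in the request. Seeing real data flow is what lets it skip the
constants-only concatenation a syntactic SAST check would flag."""
import sqlite3


class InstrumentedCursor:
    """Wraps a real DB-API cursor and records SQL that embeds untrusted input."""

    def __init__(self, cursor, untrusted_values):
        self._cursor = cursor
        # Ignore very short values: matching "a" against every query is noise.
        self._untrusted = [v for v in untrusted_values if isinstance(v, str) and len(v) >= 3]
        self.findings = []

    def execute(self, sql, params=()):
        # Each instrumented call costs extra string scans: the performance
        # overhead the article warns about, in miniature.
        for value in self._untrusted:
            if value in sql:
                self.findings.append(f"request value {value!r} embedded in SQL: {sql}")
        return self._cursor.execute(sql, params)


def run_scenario():
    """Drive three queries through the instrumented cursor; return the findings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    request = {"name": "bob"}                     # constructed request parameters
    cur = InstrumentedCursor(conn.cursor(), request.values())
    # 1. injectable: request value spliced into the statement text -> reported
    cur.execute("SELECT * FROM users WHERE name = '" + request["name"] + "'")
    # 2. parameterized: value travels as a bound parameter, not in the text -> clean
    cur.execute("SELECT * FROM users WHERE name = ?", (request["name"],))
    # 3. constants only: no request data involved -> clean (a SAST check would flag this)
    cur.execute("SELECT id, name " + "FROM users")
    return cur.findings


if __name__ == "__main__":
    for finding in run_scenario():
        print(finding)
```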
Some vendors offer both SAST and DAST tools, but they are typically delivered as two separate products. A few players are now offering an integrated solution, such as Acunetix, HPE, and IBM, making them excellent tools to incorporate into application security testing.
Threat Modeling Tools
Threat modeling tools are another resource for application vulnerability testing. Threat modeling is a process through which potential vulnerabilities are identified, assessed, and prioritized. There are numerous approaches that can be taken, which are detailed below, and testing is done from the point of view of a potential attacker. Threat modeling saves time and resources by identifying the threats and vulnerabilities that should receive the most attention, and locating the areas most vulnerable to an attack.
Some of the most common threat modeling tools include:
- STRIDE – Categorizes known threats according to the various motivations an attacker may have, such as tampering with data or identity spoofing.
- DREAD – Compares and prioritizes the level of risk associated with each known threat.
- Trike – A framework that uses a risk-based approach.
- AS/NZS 4360 – An Australia/New Zealand standard that was the first (and still one of the only) standards for documenting and managing risk.
- Common Vulnerability Scoring System (CVSS) – An industry standard for assessing the severity of threats and vulnerabilities.
- OCTAVE – A model that focuses on organizational risk more than technical risk.
- ThreatModel SDK – A Java library that enables vendors to analyze reports from the most common threat modeling tools.
The specific threat modeling approach taken is not nearly as important as ensuring that at least one approach is selected, and carefully executed, as part of the testing process.
No discussion of application vulnerability testing is complete without mentioning manual testing: good, old-fashioned code review. Good development teams already perform code review as a standard part of development to ensure code quality; a security mindset should be incorporated into that review. Adding security checks into your code review process, which may involve other people with specific understanding of the issues, can make it challenging to keep your Agile development workflow moving while still looking out for security threats and potential vulnerabilities.
Manual code review typically begins with security testers receiving a briefing on the application from developers. A plan is then developed based on the time, resources, and budget. The goal should be to use testers according to their area of expertise, having them test those areas in which they are most knowledgeable. All findings must be reviewed for false positives, and true positives shared with the development team.
Manual testing produces fewer false positives, and can identify issues that automated tools missed. However, this testing is also hard to scale, given the (human) resources required.
A blended approach is best
An overview of the different application vulnerability testing tools quickly demonstrates that each type of tool has strengths and weaknesses. This is why testing with only one tool or one kind of tool leaves your application exposed to increased risk. A blended approach that leverages tools from multiple categories provides the best coverage and reduces the risk for your application. As you move forward and create a formal strategy for application security testing, the OWASP Benchmark is a valuable resource for evaluating various types of testing tools. This will aid you in selecting the best ones for your application and business.