Dynamic Application Security Testing Tools: Searching the Black Box

Jan 30, 2015 | AppSec Classroom, Tool Studies

According to a mid-2014 study conducted by the Ponemon Institute, 43 percent of companies have experienced a data breach in the past year, an increase of 10 percent from the previous year. With cyber security threats continuing to grow, it is essential that companies take the necessary steps to ensure the applications that they build, as well as the ones that they buy, are void of any weaknesses that could expose data. Application Security Testing (AST) tools and methodologies are becoming more widely adopted by software developers and penetration testers to identify holes in software applications. Static Application Security Testing (SAST) is a popular method used throughout the software development lifecycle in which the application's source, byte or binary code is analyzed for weaknesses. Because they work with the internals of the application, SAST tools are also referred to as white box testing tools.

Dynamic Application Security Testing

Another methodology is Dynamic Application Security Testing (DAST), which is considered the black box method. DAST tools analyze applications in real time while the application is running. This penetration testing technique is typically performed as a gateway acceptance layer in the run-up to production deployment. Testers usually have no access to, or knowledge of, the inner workings of the application prior to testing, and attempt to exploit the same potential vulnerabilities a malicious attacker would. Essentially, these tools look from the outside in, simulating attacks against the application and analyzing how the application behaves. Based on the reaction, the testers are able to identify vulnerabilities. There is a wide range of DAST tools on the market – both commercial and open-source solutions. When selecting these tools, there are a number of key items to evaluate according to the Department of Homeland Security. They include:

  • Test coverage and completeness
  • Accuracy or “false-positive” rate
  • Capacity and “freshness” of vulnerability database
  • Ability to create custom tests
  • Ease of use
  • Reporting capabilities
  • Cost
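To make the "outside in" idea concrete, here is an added example (not code from the original post or from Code Dx) of the smallest possible DAST-style check. It stands up a constructed target application on localhost with one endpoint that reflects a query parameter verbatim and one that HTML-escapes it, and then a probe that, like a DAST tool, sees nothing but HTTP requests and responses: it sends a harmless marker string and reports a finding only when the marker comes back with its angle brackets intact. An escaped echo is deliberately not reported, which is the kind of decision that drives the "false-positive rate" item above. The endpoint names, the marker, the header list and the severities are all assumptions made for the example.

```python
"""Minimal black-box (DAST-style) probe against a locally constructed test app.

Constructed example: a tiny HTTP app with one endpoint that reflects a query
parameter unescaped and one that escapes it, plus a probe that can only see
HTTP requests and responses, exactly as a DAST tool would.
"""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Harmless marker: it never executes; it only has to survive the round trip verbatim.
MARKER = '<dast-marker id="7c4a">'


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: /echo_raw reflects input verbatim, /echo_safe escapes it."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/echo_raw":        # weak: unescaped reflection, no hardening headers
            body, headers = f"<p>You searched for {q}</p>", {}
        elif url.path == "/echo_safe":     # hardened: escaped output plus CSP / nosniff
            body = f"<p>You searched for {html.escape(q)}</p>"
            headers = {"Content-Security-Policy": "default-src 'self'",
                       "X-Content-Type-Options": "nosniff"}
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_app():
    """Bind the constructed app to an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(base_url, path, param="q"):
    """Black-box check of one endpoint: send the marker, inspect only the response.

    Returns a list of finding dicts; an empty list means nothing was observed.
    """
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: MARKER})}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
        hdrs = {k.lower(): v for k, v in resp.headers.items()}
    findings = []
    # Verbatim reflection (angle brackets intact) is the signal. An escaped echo
    # (&lt;dast-marker ...) is NOT reported: the app handled the input, and
    # flagging it anyway would be a false positive.
    if MARKER in body:
        findings.append({"path": path, "param": param, "severity": "high",
                         "issue": "unescaped reflection of parameter"})
    # Header checks are pure observation of behaviour; the list is an assumption.
    for name in ("content-security-policy", "x-content-type-options"):
        if name not in hdrs:
            findings.append({"path": path, "severity": "low",
                             "issue": f"missing header {name}"})
    return findings


def scan(base_url, paths):
    """Run the probe over every path and return findings keyed by path."""
    return {p: probe(base_url, p) for p in paths}


if __name__ == "__main__":
    server, base = start_demo_app()
    try:
        for path, found in scan(base, ["/echo_raw", "/echo_safe"]).items():
            print(path, found or "no findings")
    finally:
        server.shutdown()
```

Run stand-alone, the weak endpoint yields one high and two low findings and the hardened endpoint yields none. Note what the probe could not tell you: it has no idea which line of server code produced the reflection, which is precisely the coverage gap the "Test coverage and completeness" item is about and why the post pairs black box results with white box ones.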

Some DAST tools may also offer more sophisticated functionality to help further ensure an organization's applications are void of any potential security threats. These advanced capabilities include the ability to create and enforce organization security policies, develop custom rules and automate the scheduling of application security tests, as well as a comprehensive vulnerability database that attempts to address zero-day attacks. The market is saturated with application security testing tools, and no one tool will be able to identify all of the weaknesses in an application. Code Dx helps organizations easily combine, normalize and prioritize the results of multiple application security testing tools and efficiently mitigate vulnerabilities. Additionally, the Code Dx team has developed a free OWASP solution, called Code Pulse, to provide insight into real-time code coverage of penetration testing activities. For more information on Code Dx, contact us at [email protected] or at (631) 759-3993.

Download a Free Trial and Start Testing Your Code Today!