Types of Application Security Testing
As we are getting more reliant on various applications to make our life easier or make business processes efficient, the threats have certainly increased to the extent that not considering security during the development of an application may cause irreparable damages. To minimize the chances of an application from being attacked as well as subsequent damages – reputational as well as financial, application security testing holds more importance than ever.
Security mechanisms can be incorporated right from the initial stages of the development, while they can also take the form of security testing activities after the development phase but before the deployment. To achieve the highest level of security, businesses are slowly moving towards incorporating security practices in the development as well as after the development. Security testing for applications is commonly known by two types – static application security testing (SAST) and dynamic application security testing (DAST). However, if we explore various tools and techniques related to application security testing, there is much more to application security testing than SAST and DAST.
Figure 1: Application Security Testing
SAST and DAST
SAST focusses on the actual code of the application while DAST checks for vulnerabilities when an application is in run-time. DAST is a form of black box security testing wherein the testers do not know the underlying architecture of an application.
On the other hand, the testers in SAST, a form of white-box testing, are very much familiar with how the code has been developed. We have seen lately that the developers perform SAST while the external testers perform DAST. You can read more about DAST v. SAST. For better results, one cannot be chosen over another, and hence, both must be performed simultaneously to ensure that all the open ends are covered.
Software Composition Analysis (SCA)
The application of SCA is limited only to open-source components, and they are unable to detect vulnerabilities in the in-house components of an application. However, they are highly efficient at finding vulnerabilities in the open source components by examining the origin of existing components, and libraries within the software. Also, they advise whether a component is outdated or there is a patch available.
Generally, SCA tools use the CVE database as a source, and some commercial tools may use proprietary sources to provide detailed descriptions.
Database Security Scanning
Application developers depend heavily on various databases to ensure that their application is properly communicating with them, and the desired actions are performed. Although databases are not considered a part of an application, they should not be ignored when an application security testing activity is being conducted. Dedicated database security scanning tools check for patches, versions, access control levels, weak passwords, etc.
Interactive Application Security Testing (IAST)
Hybrid approaches have been around – combining SAST and DAST – but the cybersecurity industry has recently started to consider them under the term IAST. IAST tools can check whether known vulnerabilities (from SAST) can be exploited in a running application (i.e., DAST). These tools combine knowledge of data flow and application flow in an application to visualize advanced attack scenarios using test cases which are further used to create additional test cases by utilizing DAST results recursively.
In a high-paced DevOps environment, IAST tools fit well and have an efficiency better than DAST tools as the number of false positives is reduced.
Mobile Application Security Testing (MAST)
MAST is a blend of SAST, DAST, and forensic techniques while it allows mobile application code to be tested specifically for mobiles-specific issues such as jailbreaking, and device rooting, spoofed Wi-Fi connections, validation of certificates, data leakage prevention, etc. Many MAST tools cover OWASP top 10 mobile risks such as
- Improper platform usage
- Insecure data storage
- Insecure communication
- Insecure authentication
- Insufficient cryptography
- Insecure authorization
- Client code quality
- Code tampering
- Reverse engineering
- Extraneous functionality
In application security testing, false positive pose a significant challenge. Using correlation tools, the testers can reduce some of the noise by creating a central repository of findings from other application security tools. When different types of findings from different application security tools are brought together, correlation tools analyze the results and prioritize the findings so that it is easier for the application testing team to deal with false positives.
Test–coverage analyzers are more like a tracking tool for the application security team to measure how many lines of code out of total lines of code have been analyzed. The result is presented in the form of a percentage of coverage, and these tools are really useful when large applications are being developed as acceptable levels of coverage can be agreed upon before the development starts and then it can be compared with the results of a test-coverage analyzer to accelerate the development process. This functionality is incorporated into some of the SAST tools. However, standalone tools also exist for niche use.
Application Security Testing Orchestration (ASTO)
This term was coined by Gartner in 2017. The idea behind application security testing orchestration, or ASTO, is to bring all the application security tools under a centralized and coordinated management system where reporting from all the tools are visualized so that automated testing shifts towards becoming ubiquitous without any hassles.
Penetration Testing for ISO 27001 Control A.12.6.110 Sep, 2019