IAST supports AppSec efficiencies while cutting costs and headaches
Asma Zubair in Security, Monday, November 26, 2018
Interactive Application Security Testing is helping DevOps teams implement security more efficiently and with less of the headache of older methodologies.
It’s easy to feel passionate about interactive application security testing (IAST) in the world of application security. You see, IAST makes security testing almost invisible. It’s not something that requires a highly trained team to be brought in to carry out and analyze testing results. It doesn’t hold up other teams or processes from moving forward. Rather, IAST does security testing transparently, in the background. In other words, IAST finds security vulnerabilities during application testing, a standard step in any software development life cycle (SDLC).
IAST achieves this through application instrumentation, a technology that is also used in code coverage and performance monitoring tools. IAST solutions instrument applications by deploying agents and continuously analyzing all application interactions initiated by manual tests, automated tests, or a combination of both to identify vulnerabilities in real time.
Consider any SDLC methodology. Developers write code, they move ahead to unit testing and functional testing, and from there they push the code into production. IAST doesn’t require users to conduct any additional work (in the form of scanning or extensive configuration) to be able to report application vulnerabilities; it finds vulnerabilities seamlessly during the testing phase.
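A minimal sketch of the instrumentation idea described above, added here as an illustration; it is not code from this article or from any IAST product. The decorators stand in for an agent's hooks, and all names (`Tainted`, `source`, `sql_sink`, the sample application functions) are hypothetical: input read from a request is marked as tainted, and the agent records a finding when tainted data reaches the SQL text during an ordinary functional test with benign input.

```python
import sqlite3
FINDINGS = []  # what the toy agent reports

class Tainted(str):
    """String that came from an untrusted source; taint survives '+'."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

def source(fn):
    """Agent hook on an input-reading function: mark its result as tainted."""
    def wrapper(*args, **kwargs):
        return Tainted(fn(*args, **kwargs))
    return wrapper

def sql_sink(fn):
    """Agent hook on a query function: flag tainted data in the SQL text."""
    def wrapper(conn, sql, params=()):
        if isinstance(sql, Tainted):
            FINDINGS.append(("sql-injection", fn.__name__, str(sql)))
        return fn(conn, sql, params)
    return wrapper

# Hypothetical application code; only the decorators were added by the "agent".
@source
def get_param(request, name):
    return request[name]

@sql_sink
def run_query(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()

def find_user_unsafe(conn, request):
    name = get_param(request, "name")
    return run_query(conn, "SELECT id FROM users WHERE name = '" + name + "'")
def find_user_safe(conn, request):
    name = get_param(request, "name")
    return run_query(conn, "SELECT id FROM users WHERE name = ?", (name,))

def functional_test():
    """An ordinary functional test; findings appear as a side effect."""
    FINDINGS.clear()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    request = {"name": "alice"}  # constructed, benign test input
    assert find_user_unsafe(conn, request) == [(1,)]
    assert find_user_safe(conn, request) == [(1,)]
    return list(FINDINGS)
```

Both lookups pass the functional test, yet only the concatenating one is reported, which is the kind of result a scan of responses alone would not give for benign input. Taint here propagates only through `+`; a real agent hooks far more string operations and sinks.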
IAST thrives in a DevOps world
In terms of DevOps, time is critical. For this reason, security testing methods such as DAST don’t align because they take a long time to run, slowing down the CI/CD pipeline. The reason that IAST suits DevOps practices is that it provides real-time results. It doesn’t require development teams to take on any additional work and doesn’t require scans that hold up the pipeline. At the same time, top IAST tooling solutions provide very accurate results with false positive rates of nearly zero percent.
Due to these attributes, IAST becomes a critical ingredient in the DevSecOps process.
IAST and GDPR
While it’s important that security not negatively impact development velocity, there are also data privacy considerations at play. GDPR, for instance, requires data protection by design and by default. IAST supports GDPR compliance by making it easy to perform security testing to protect data handled by applications.
GDPR also requires organizations to make a clear statement to users informing them how their information is being used and stored. Many firms struggle with this since, to be quite honest, they don’t confidently know how user data is being used and/or stored. IAST can resolve this struggle by clearly tracking such information, allowing firms to confidently share how user information is being handled while knowing that it isn’t being exposed.
Augmenting a DAST program through IAST
One customer with whom I’ve worked closely had an internal security team that was using ad hoc means to carry out security testing. When a new release was nearly ready to roll out, they would take a good amount of time to conduct security testing on the build, producing results and resolving the identified vulnerabilities before the new release was prepared to move into production.
This would put a good deal of pressure on security teams, slowing the time to market, all while presenting an approach that wasn’t scalable.
By adopting IAST, they could automatically test for security flaws and reduce the frequency of other security testing methods such as DAST. Additionally, IAST integration reduced the workload and supported shorter release cycles.
Augmenting a penetration testing program through IAST
Another customer that I worked closely with was conducting ad-hoc testing, carrying out penetration testing every 18 months - each engagement taking four days to complete. These penetration testing engagements turned up hundreds of high-risk vulnerabilities. Such findings take time to fix.
Since these vulnerabilities were identified later in the development lifecycle, they took even more time to fix than they would have if identified earlier in the process - not to mention that they’re much costlier to resolve when found later in the SDLC.
After implementing an IAST solution, this customer significantly reduced the length of each penetration testing engagement since IAST identifies vulnerabilities seamlessly during application testing, allowing the team to find and fix each issue early in the development process. In addition, their penetration testing engagements were reduced from four days to one and a half days.
IAST plays well with other methods of security testing
For the best security testing results, employ a full testing suite. It’s important to test your applications in their entirety - testing all areas of functionality, including open source components. Top IAST solutions work well with CI/CD pipeline tools because this technology offers accurate results in real time. Additionally, leading IAST tools offer robust APIs for integration. Some IAST solutions integrate software composition analysis (SCA) tools to address known vulnerabilities in open source components and frameworks.
To keep pace with the demand for rapid web application development, organizations need accurate, automated security testing tools that scale to process hundreds of thousands of HTTP requests while returning results with low false positive rates.
At the same time, security and development teams need application security tools that find vulnerabilities and enable developers to fix them early in the SDLC, when developers are most familiar with their code and errors and vulnerabilities are least costly to fix from a resources and security risk posture perspective. Static application security testing (SAST) and SCA tools are typically used during the development stage, while IAST is used during the test/QA stage. IAST results are fed back to developers who then fix identified vulnerabilities during the development stage.
Summing it up
According to the 2017 Verizon Data Breach Investigations Report (DBIR), 29.5% of breaches are caused by web application attacks - by far the most common vector. Web applications are the attack surface of choice for hackers attempting to break through to get access to sensitive IP/data and personal data (e.g., usernames, passwords, credit card numbers, and patient information).
Organizations should ensure that their web applications are secure, ideally before they are deployed in production when they could be at risk of security attacks and costly data breaches. Further, developers need enough context from security testing tools to be able to reproduce, fix, and verify vulnerabilities quickly.
While development and security teams often use DAST, SAST, and SCA solutions to identify security vulnerabilities in proprietary and open source code in their web applications, they are often unable to effectively prioritize and remediate all critical issues in a timely manner. This is due to a lack of context, a high false positive rate, or high overhead involved in the security testing process.
IAST identifies security vulnerabilities in running applications while providing developers with the relevant lines of code and contextual remediation advice they require. That way, they can find and fix critical security vulnerabilities quickly, before web applications go into production, also lowering the risk of security attacks that result in data breaches.
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.