How To Improve AppSec Posture For Starters


In a world where the average cost of a single stolen record has reached $150, it would be a mistake to overlook the application layer, which is where most attacks have been aimed lately. Unfortunately, investing solely in hiring people or forming an application security department is not the right approach if you are to succeed in application security. Tools (to identify vulnerabilities), processes (to remediate identified and relevant vulnerabilities quickly) and training (to prevent the same vulnerabilities in future) are where your budget needs to go, together; sidelining even one of the three will keep you from reaching the desired outcomes.

If you have not invested in application security tools at all and are considering doing so, it is worth noting that there are plenty of open source SAST (Static Application Security Testing) tools for various programming languages, as well as DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis) and even threat modelling tools. Although their output can be limited compared to the commercial alternatives, they are good stepping stones for testing the waters in application security and seeing the benefits before investing in commercial options.

SAST tools, which analyse source code or binaries, push security tests to the earlier stages of the software development life cycle and let developers find vulnerabilities in the code before they turn into costly fixes at later stages. Combining static tools with DAST tools, which run against production-like environments and mimic an attacker's behaviour by launching outside-in attacks on your applications, makes it possible to create a flow in which security tests feed the process throughout the development, testing and production stages. For further information on the benefits of using static and dynamic scanners in tandem, you may refer to our blog on .
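To make the SAST side concrete, here is an added example (not from the original post) of the kind of defect a static scanner points out to a developer and the fix that follows: a lookup that builds SQL by string formatting, the pattern Bandit reports under its B608 check, beside the same lookup with a bound parameter. The in-memory database and its two rows are constructed for the demonstration; nothing here is taken from a real project.

```python
"""Added example, not from the original post: the kind of defect a SAST tool
flags and the fix a developer applies. Bandit reports string-built SQL under
its B608 check; the parameterised version is what passes review."""
import sqlite3

# Constructed sample rows for the demonstration.
SAMPLE_USERS = [
    ("alice", "alice-secret"),
    ("bob", "bob-secret"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the name is spliced into the SQL text, so
    whoever controls 'name' controls the query (what Bandit B608 reports)."""
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(query))


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the name is bound as a parameter and never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


def demo() -> dict:
    """Run both lookups with a tautology payload and with a legitimate name."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),  # every row leaks
        "fixed": lookup_fixed(conn, payload),            # no row matches
        "legit": lookup_fixed(conn, "alice"),            # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The scanner only sees the first function's string formatting; it cannot tell you whether the value is attacker-controlled, which is exactly the triage work the threat model and the security team are for.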

You may also want to look at IAST (Interactive Application Security Testing) tools, which gather information from within the application while a DAST attack is running. This significantly brings down the number of false positives, but there are still concerns about performance and privacy because the approach depends on an agent inside the application. Vendors are nevertheless improving their IAST solutions, and it is seen as the direction in which DAST tools will evolve.

Software composition analysis (SCA) tools are also extremely helpful if you rely on open source components in your software development process. SCA tools check the licence and vulnerability status of the open source components used in a project. Given the growing use of third-party code in development, they are expected to become an integral part of application security testing in the near future. The figure below, from Whitesource's The State of Open Source Vulnerabilities Management report, shows the rise in the number of vulnerabilities discovered in open source components.

[Figure: Number of vulnerabilities discovered in open source components]

However, before adopting scanners there is one crucial process you had better think about: threat modelling. Done properly, threat modelling paves the way for accurate false-positive elimination and vulnerability prioritisation, which stops you spending time on fixing irrelevant vulnerabilities. A solid understanding of the underlying structure of an application lets you decide quickly which vulnerabilities really matter and which ones can wait. In short, this stage determines how much value you can get out of the scanners you will use in the next stage. We know it is not an easy process, and that sketching out the architecture of projects requires involvement from multiple departments, but we can assure you that any time spent on it will pay off later.

Below is a list of static, dynamic and other open source tools (the type of each is given in the table) which you can start using immediately to begin securing your applications. They will make you think about ways to integrate security into your software development lifecycle, which is a beneficial exercise for any organisation. That way, you can automate the manual hand-offs between AppSec and DevOps and save your security engineers some precious time. On top of that, the findings of these tools will guide the security training programmes for your developers, which is crucial to preventing new vulnerabilities from popping up in the future.

Tool                          Type                Programming language(s)                            Year of last update
Bandit                        SAST                Python                                             2019
Brakeman                      SAST                Ruby on Rails                                      2019
Find Security Bugs            SAST                Java                                               2019
Flawfinder                    SAST                C, C++                                             2017
phpcs-security-audit          SAST                PHP                                                2019
Security Code Scan            SAST                C#, VB.NET                                         2019
Clang Static Analyzer         SAST                C, C++, Objective-C                                2016
LGTM.com                      SAST                C, C++, C#, Java, Python, JavaScript/TypeScript    2019
Cppcheck                      SAST                C, C++                                             2019
Nikto 2                       DAST                (language-agnostic)                                2019
Vega (Subgraph)               DAST                (language-agnostic)                                2016
Wapiti                        DAST                (language-agnostic)                                2019
w3af                          DAST                (language-agnostic)                                2019
OWASP Zed Attack Proxy        DAST                (language-agnostic)                                2019
Sonatype DepShield            SCA                 Go, Java, JavaScript, Rust                         2019
OWASP Dependency-Check        SCA                 Java, C#, Python, Ruby, Node.js                    2019
SensioLabs Security Checker   SCA                 PHP                                                2019
OWASP Threat Dragon           Threat modelling    (language-agnostic)                                2019
Clair                         Container security  (language-agnostic)                                2019

Years are as of the time of writing; check each project's repository before relying on it.

Once you have your scanners up and running, it is time to get rid of the manual, tiring work involved in application security by automating it as much as possible. Application security testing orchestration tools like our beloved Kondukto have a lot to offer here: triggering and tracking scans on various scanners, consolidating results across scanners, opening issues on issue trackers and following their status, breaking the build when security criteria are not met, and sending weekly progress reports. Giving security engineers a unified view from which to continuously monitor what is going on in the application layer lets them spend their effort on more productive, value-adding tasks such as threat modelling, security research or creating AppSec schedules for projects.
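As an added illustration (not Kondukto's code, and not taken from the original post), the following script does the core of what the orchestration step above describes and what the earlier paragraph on integrating tools into the lifecycle asks for: it normalises findings from two scanners into one schema, deduplicates them, and applies a break-the-build policy that CI can act on through the exit code. The two reports are constructed samples with placeholder library and vulnerability names; their field names follow the JSON that Bandit (-f json) and OWASP Dependency-Check emit in the versions I have used, so treat them as assumptions and check them against your own scanner output.

```python
"""Added example, not Kondukto's code: the core of an orchestration step.
Two scanner reports are normalised into one schema, deduplicated and run
through a break-the-build policy whose result CI can act on.

The reports are constructed samples. Their field names follow the JSON that
Bandit (-f json) and OWASP Dependency-Check emit in the versions I have
used; treat that as an assumption and check it against your own output."""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: a Bandit report trimmed to the fields used here.
BANDIT_REPORT = json.dumps({"results": [
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "app/db.py", "line_number": 12,
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/tasks.py", "line_number": 40,
     "issue_text": "subprocess call with shell=True identified, security issue."},
]})

# Constructed sample: a Dependency-Check report with placeholder names
# (not real CVE identifiers or real libraries).
DEPCHECK_REPORT = json.dumps({"dependencies": [
    {"fileName": "example-lib-1.0.0.jar",
     "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "High"}]},
    {"fileName": "other-lib-2.3.1.jar", "vulnerabilities": []},
]})


@dataclass(frozen=True)
class Finding:
    """One normalised finding; frozen so it is hashable and sets deduplicate."""
    scanner: str
    rule: str
    severity: str
    location: str
    summary: str


def parse_bandit(report: str) -> list:
    """Map Bandit's per-issue records onto Finding."""
    results = json.loads(report)["results"]
    return [Finding("bandit", r["test_id"], r["issue_severity"].upper(),
                    f"{r['filename']}:{r['line_number']}", r["issue_text"])
            for r in results]


def parse_depcheck(report: str) -> list:
    """Map Dependency-Check's per-dependency vulnerability lists onto Finding."""
    findings = []
    for dep in json.loads(report)["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            findings.append(Finding("dependency-check", vuln["name"],
                                    vuln["severity"].upper(), dep["fileName"],
                                    f"{vuln['name']} in {dep['fileName']}"))
    return findings


def consolidate(*finding_lists) -> list:
    """Merge scanner outputs, drop exact duplicates (the same scan run twice,
    or the same file scanned on two branches) and order by severity."""
    merged = set()
    for findings in finding_lists:
        merged.update(findings)
    return sorted(merged, key=lambda f: (-SEVERITY_RANK[f.severity], f.scanner, f.location))


def build_should_break(findings: list, max_severity_allowed: str = "MEDIUM",
                       max_total=None) -> tuple:
    """Policy: break when any finding is more severe than allowed, or when the
    total count exceeds an optional budget. Returns (break, reasons)."""
    limit = SEVERITY_RANK[max_severity_allowed]
    reasons = [f"{f.scanner}/{f.rule} {f.severity} at {f.location}"
               for f in findings if SEVERITY_RANK[f.severity] > limit]
    if max_total is not None and len(findings) > max_total:
        reasons.append(f"{len(findings)} findings exceed the budget of {max_total}")
    return bool(reasons), reasons


def run_gate(max_severity_allowed: str = "MEDIUM") -> tuple:
    """Full pipeline over the constructed reports."""
    findings = consolidate(parse_bandit(BANDIT_REPORT), parse_depcheck(DEPCHECK_REPORT))
    return build_should_break(findings, max_severity_allowed)


if __name__ == "__main__":
    broken, reasons = run_gate()
    for reason in reasons:
        print("BLOCKING:", reason)
    raise SystemExit(1 if broken else 0)  # CI reads the exit code
```

The policy threshold is the place where the threat model earns its keep: a gate that blocks on every MEDIUM will be switched off within a week, while one tuned to the severities that matter for that application is one developers will keep.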


Misconception about enlarging security teams to fix more vulnerabilities


Once you have tools and processes in place, you may think that enlarging your security team is what you need in order to fix more vulnerabilities. No matter how big your security team is, remediation almost always falls on the shoulders of software developers. So do not invest in a bigger security team if your end goal is simply to fix more vulnerabilities. Where a security team does come to your rescue is in prioritising vulnerabilities and deciding which ones are truly relevant to your organisation and your projects.

Even though the number of applications tested for security defects increased by 20% in 2018 compared with 2017, this translated into lower remediation rates, because outnumbered security teams fell short of dealing with the growing number of vulnerabilities.

Therefore, raising the security awareness of development teams and making them an integral part of the secure software development life cycle is what is needed for speedy remediation and high remediation rates. In fact, this is what DevSecOps is about: involving both development and operations teams in creating secure applications, from the design stage through to post-deployment.