Application Security Testing (AST) Tools
What is...
Static Analysis or Static Application Security Testing (SAST)?
SAST uncovers software bugs by analyzing source code without executing it. The defects identified are known unknown risks, such as CVEs. Because static analysis solutions work from source code, they can provide prescriptive remediation advice down to the line of code. Static analysis can also be introduced earlier in the software development lifecycle than most other tools, lowering the cost and effort of remediation. Refer to this blog for more information.
Software Composition Analysis (SCA)?
Software Composition Analysis (SCA) is a relatively new industry term for a set of tools that gives users visibility into their open source inventory. Despite a name that suggests coverage of all source code (proprietary, third-party commercial and open source), SCA in effect acts as an open source management tool only.
SCA inspects your open source packages, checks whether any of them carry known vulnerabilities, and flags those components. Refer to this brief for more information.
Dynamic Application Security Testing (DAST)?
Dynamic application security testing (DAST) is an application testing method in which a security solution monitors the target program while it executes on real inputs. For example, Valgrind is a dynamic analysis tool that looks for memory errors while the target runs.
Interactive Application Security Testing (IAST)?
Interactive application security testing (IAST) analyzes software for security vulnerabilities while the application runs, combining dynamic (DAST) and static (SAST) techniques. There are two types, active and passive, and both require an agent inside the application under test. Active IAST is designed to validate an existing vulnerability. Passive IAST leverages any form of functional testing: it listens in on those tests and reports any findings, which makes it suitable for DevOps environments.
Advanced Fuzz Testing (AFT)?
The defects that AFT tools identify are unknown unknown risks. AFT "thinks like a hacker" to uncover new defects using unknown or uncommon attack patterns. After each simulated attack, the tool monitors its target's reactions, or behaviors, and uses them as feedback to autonomously generate new test cases that are increasingly likely to uncover more defects and reach new code edges. Refer to this whitepaper for more information.
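The feedback loop described above, as an added toy example that is not the product's own fuzzer: a coverage-guided mutator keeps a generated input only when the target reports a code edge not seen before, so each kept input is one step deeper into the program. The `target`, `mutate` and `fuzz` names are constructed for this example, and the edge ids that `target` adds to a set stand in for compiler instrumentation.

```python
import random

def target(data: bytes, cov: set) -> None:
    """Constructed program under test: it only proceeds past each byte of the
    magic prefix b"FUZZ" when that byte matches, and fails once the whole
    prefix is matched. Each comparison records an edge id in `cov`."""
    magic = b"FUZZ"
    for i, want in enumerate(magic):
        if i >= len(data) or data[i] != want:
            cov.add(("reject", i))
            return
        cov.add(("match", i))
    raise RuntimeError("reached the guarded code: simulated defect")

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Minimal mutator: overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(prog, seed: bytes, budget: int, rng_seed: int = 1):
    """Coverage-guided loop: an input joins the corpus only if it reaches an
    edge no earlier input reached. Returns (crashing input or None, corpus,
    set of all edges observed)."""
    rng = random.Random(rng_seed)
    corpus, seen_edges = [seed], set()
    for _ in range(budget):
        candidate = mutate(rng.choice(corpus), rng)
        cov = set()
        try:
            prog(candidate, cov)
        except RuntimeError:
            return candidate, corpus, seen_edges | cov
        if not cov <= seen_edges:  # new edge: the feedback says keep it
            seen_edges |= cov
            corpus.append(candidate)
    return None, corpus, seen_edges

if __name__ == "__main__":
    crash, corpus, edges = fuzz(target, b"\x00" * 4, budget=200_000)
    print("crash input:", crash, "corpus:", len(corpus), "edges:", len(edges))
```

Without the coverage check (comment out the corpus growth) the same mutator would need all four bytes right in one step, which shows why the feedback matters.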
Concolic execution?
Concolic execution is a form of dynamic symbolic execution: the analysis runs on a trace of the program as it actually executed on a specific concrete input. We do concolic execution only, not static symbolic execution. Note that "symbolic execution" on its own is often taken to mean static symbolic execution; when we use the term, we mean it in the more general sense of either static or dynamic symbolic execution, of which we perform the dynamic (concolic) kind.
Symbolic execution?
"Symbolic execution" usually means "static symbolic execution", in which you analyze a program without executing it to determine how it might behave when it does run. Symbolic execution is a program analysis technique that uses formal methods to determine an input that causes a particular node in the application to execute. Once determined, that valid input is used to derive invalid inputs for negative testing. Refer to this video for more information.
Behavior testing?
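As an added illustration of the two entries above (example code, not the product's engine): a toy concolic loop runs the program concretely on one input, records the branch conditions along that trace, and negates them one at a time to solve for inputs that take other paths; the inputs produced by flipping a branch (b"MAZ" from b"MAY", for instance) are the valid-to-invalid derivation the symbolic execution entry describes. The `Sym`, `program`, `solve` and `explore` names are constructed for this example, and `solve` handles only byte-equality constraints where a real engine would hand the path condition to an SMT solver.

```python
class Sym:
    """A concrete input byte that also records every branch it decides."""
    def __init__(self, idx, val, trace):
        self.idx, self.val, self.trace = idx, val, trace
    def __eq__(self, const):  # branch condition: byte[idx] == const
        taken = self.val == const
        self.trace.append((self.idx, const, taken))
        return taken

def program(inp):
    """Constructed program under test; only b"MAY" reaches the defect."""
    if inp[0] == ord("M"):
        if inp[1] == ord("A"):
            if inp[2] == ord("Y"):
                return "defect"
            return "ma"
        return "m"
    return "other"

def solve(path):
    """Toy solver for (idx, const, must_hold) constraints; None if unsat."""
    model = {}
    for idx, const, must_hold in path:
        cur = model.get(idx)
        if must_hold:
            if cur is not None and cur != const:
                return None
            model[idx] = const
        elif cur is None:
            model[idx] = (const + 1) % 256  # any value != const
        elif cur == const:
            return None
    return model

def explore(prog, n_bytes, limit=50):
    """Concolic loop: run, record trace, negate a branch, solve, repeat."""
    worklist, results = [bytes(n_bytes)], {}
    while worklist and len(results) < limit:
        inp = worklist.pop()
        if inp in results:
            continue
        trace = []
        results[inp] = prog([Sym(i, b, trace) for i, b in enumerate(inp)])
        for k, (idx, const, taken) in enumerate(trace):
            # keep the path prefix, flip branch k: a new, untried path
            model = solve(trace[:k] + [(idx, const, not taken)])
            if model is not None:
                worklist.append(bytes(model.get(i, b) for i, b in enumerate(inp)))
    return results
```

Starting from three zero bytes, `explore(program, 3)` reaches all four outcomes, including the defect, after only a handful of concrete runs.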
Security testing that focuses on the behavior of the software rather than on the actual lines of code.
Penetration testing?
A penetration test, or pen test, is an authorized cyberattack on a computer system, performed to evaluate the overall security of that system, often with limited prior knowledge of the system under test. It is not to be confused with a vulnerability assessment, which looks for known vulnerabilities in a system. Penetration testing services are typically time-boxed.
Can I...
Replace my SAST with AFT?
Secure development practices call for the use of several testing techniques throughout the development lifecycle. SAST, SCA, and AFT each cover the limitations of the other techniques, together offering comprehensive application testing across the spectrum of software security risk. Refer to this whitepaper for more information.
When would I...
Use an AFT over SAST or SCA?
AFT not only uncovers defects at run time, but also produces artifacts such as test suites and reproducible defects that give the context needed to fix them, something SAST and SCA solutions do not provide. Your choice will depend on your needs, and many organizations use a combination of solutions, since each has its own strengths and weaknesses. For example, if you have a lot of custom code and develop your own libraries, an SCA tool, which targets cataloguing vulnerabilities in open source software, won't be a great fit for your environment, while an AFT or SAST solution would be a good place to start. You should use AFT alongside SAST and/or SCA for complete SDLC coverage. Refer to this brief for more information.
Use AFT over penetration testing?
AFT can run continuously, whereas a pen test is usually bounded by the period of the contract. Guided AFT can achieve more code coverage than a pen tester, depending on the tester's experience. And continuous AFT can be much more cost effective than hiring a team of pen testers.