Tackling Application Security in an Environment of Constant Development

When SAST and DAST are used together, organizations can capitalize on benefits that cannot be achieved through one testing method alone.


By: Chris Leffel

In a recent article, we talked about five major trends creating security challenges for companies developing and deploying applications. The accelerating rate of development and deployment is one of them with companies pushing out multiple updates per day, even as cybersecurity professionals struggle to keep up with the pace of change. This leads to an increase in vulnerabilities.

Application security is a real problem for organizations. About 63 percent of all manufacturing apps and 52 percent of all healthcare apps have at least one serious exploitable vulnerability open throughout the year, according to the May 2021 edition of NTT Application Security’s AppSec Stats Flash report.

Leave SAST in the past

One good way for companies and their security teams to keep up with the accelerating pace of app development – an environment in which development is becoming constant – is to embrace a concept called dynamic application security testing, or DAST. DAST tools automate the testing, analysis and reporting of security vulnerabilities throughout the app development process.

Does this mean SAST gets left behind? Not exactly. Static application security testing, or SAST, is the process of reviewing an app’s source code to identify vulnerabilities. A SAST tool scans the source code before an app goes into production.

The problem with using only SAST is that developers can ship flawless code in their apps, but then have vulnerabilities show up in production. And security research suggests that SAST tools will find only a fraction of an app’s vulnerabilities. It’s impossible to predict the entire universe of interactions between the millions of assets connected through APIs and the integrations with other apps and enterprise IT systems. APIs, in particular, are a growing attack vector for cybercriminals. Gartner projects that APIs will become the most-frequent attack vector resulting in data breaches for enterprise applications in 2022.

With static testing, developers focus on securing what they “own” and move on. Unfortunately, they then miss the opportunity to test for vulnerabilities that actually show up in an operational system. This should not be surprising; developers in general are more focused on the end users of their apps, not security.

DAST to the future

In contrast, DAST tools focus on the entire attack surface of an app by continuously and dynamically testing web, mobile and API applications. Many organizations use DAST as an addition to, not a replacement for, SAST. The two complement each other, so it’s not a one-or-the-other scenario.

The more tests, the better, and even with the need for speed, companies should be running security tests like SAST and DAST during the development phase, during the build phase, and during the production phase.

It’s important to note that DAST, in contrast to SAST, tests code once it’s running. DAST mimics the actions of an attacker trying to break into an app. A security team using DAST tools and methods adopts the perspective of the adversary to find weaknesses and help the organization remediate them before they can be exploited.

As a result, DAST runs a comprehensive security check on an app before it goes into production. Using automation, the testing happens fast, not slowing the whole process down. Given that some companies are pushing out app updates several times a day – sometimes hourly – a modern security check needs to keep up with the speed of development. Security needs to be an enabler, not an obstacle.
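To make the SAST/DAST distinction concrete, here is an added example (not code from the article, NTT Application Security, or any DAST product): a constructed toy web application whose source is the same in every deployment, but whose behaviour depends on a runtime `debug` setting. A source scan sees the guarded code path but cannot know whether the flag is on in production; a dynamic scan, `dast_scan`, simply asks the running app. The check names (`REQUIRED_HEADERS`, the `/debug` path) are illustrative assumptions, not a standard.

```python
"""Toy DAST-style check: probe a running app instead of reading its source.

Added example; the application, the header policy and the /debug path are
constructed for illustration and are not taken from any real product.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers a production deployment is expected to send (None = any value accepted).
REQUIRED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": None,
}


def make_handler(debug):
    """Build the constructed sample app. Only the `debug` flag differs between
    a safe and an unsafe deployment; the source code is identical."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/debug":
                if not debug:
                    self.send_error(404)  # production profile: no debug console
                    return
                body = b"debug console enabled\n"
            else:
                body = b"hello\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("X-Content-Type-Options", "nosniff")
            if not debug:
                # Hardening header is only emitted by the production profile,
                # so a misconfigured deployment silently loses it.
                self.send_header("Content-Security-Policy", "default-src 'self'")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_app(debug):
    """Start the sample app on a random local port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(debug))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch(url):
    """GET a URL and return (status, headers), treating 4xx/5xx as data, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def dast_scan(base_url):
    """Black-box checks against the live app. Returns a list of finding strings."""
    findings = []
    _, headers = fetch(base_url + "/")
    for name, expected in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None or (expected is not None and value != expected):
            findings.append(f"missing or weak header: {name}")
    status, _ = fetch(base_url + "/debug")
    if status == 200:
        findings.append("debug endpoint reachable: /debug")
    return findings


if __name__ == "__main__":
    for debug in (False, True):
        server, url = start_app(debug)
        print(f"debug={debug}: {dast_scan(url) or 'no findings'}")
        server.shutdown()
```

Run as a script, the production profile produces no findings while the `debug=True` deployment reports both the exposed endpoint and the missing header, even though no line of code changed. That is the gap the article describes: the defect lives in deployment configuration, which only a test against the running system can observe.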

App development with DAST

DAST fits in nicely with a DevSecOps approach to development, where developer, security and operations teams are integrated and working together throughout the app development and deployment lifecycle. Using DAST tools, the DevSecOps team works together to develop secure and functional apps.

Traditionally, SecOps and DevOps teams operating independently often come into conflict because each works with its own processes and tools. To develop secure apps, organizations need to move beyond traditional methodologies and adopt a new approach that bridges the gap between security operations and development.

Implementing DAST will help a company determine the security posture of applications running in production and how they will likely interact with end users. With its automated and frequently updated tool set, it is an important way for development teams to keep up with the ever-changing app development process and the new tricks that adversaries use. DAST finds the actual vulnerabilities that put an organization and its end users at risk.

The bottom line is that too much emphasis has been put on SAST leaving apps vulnerable in production. DAST addresses this gap. When SAST and DAST are used together, organizations can capitalize on benefits that cannot be achieved through one testing method alone. A robust testing model will give enterprises new insights into the vulnerabilities of their apps and surrounding IT systems, thus resulting in fewer app vulnerabilities and breaches.

To learn more about DAST, download the “DAST to the Future” whitepaper.

Copyright © 2021 IDG Communications, Inc.