There’s no single silver bullet for application security. Instead, you need a combination of application security tools and services. Here’s an overview.
Is there a silver bullet when it comes to application security?
In my job role, I am very fortunate to meet hundreds of application security and development teams here in North America as well as overseas. Many of these teams face resource constraints and are overwhelmed with the tasks they have to execute and manage. At the same time, they are inundated with messages from vendors selling both proactive (SAST, DAST, IAST, SCA) and reactive (WAF, RASP) application security tools and services.
Most vendors claim that their products are a universal panacea. Some even claim that theirs should be the only tool of choice. In this post, I’ll provide some clarity around which application security tools and services to use, though this is by no means a thorough analysis of all the pros and cons of various types of security tools.
The Venn diagram below depicts the universe of all application security vulnerabilities that a hacker might be able to exploit. I broadly classify these vulnerabilities into three categories based on detection technique: statically (SAST), dynamically (DAST), or by humans (pen testing). Yes, some vulnerabilities can be found only by humans. No automated tool can find them all. For instance:
These types of tests are still the domain of humans, though AI might be able to detect some of these issues in the not-so-distant future.
Also, note that I have added an overlay for interactive analysis (IAST), which requires special mention as it straddles the boundaries of traditional static and dynamic security testing.
Static analysis (SAST) tools analyze source code or binary code to identify application security and quality issues. The simplest tools perform pattern matching. More sophisticated tools, like Coverity, perform path simulation with interprocedural analysis. In other words, they simulate the inner workings of a running application. These are very effective tools to perform a baseline security analysis of the entire codebase. Some, like Coverity, can also run on the developer desktop and perform fast, incremental analysis to provide results within seconds. Desktop analysis reduces the round-trip time by allowing developers to identify and fix issues quickly before code check-in.
Dynamic analysis tools perform either black box (DAST) or white box (IAST) interactive analysis. The black box approach only inspects application requests and responses, whereas the white box (or interactive analysis) approach also analyzes code execution and dataflow.
We can further categorize these tools as active or passive. Active tools alter the requests sent to the application to elicit a certain response. Passive tools don’t, so they’re limited in their analysis capabilities. For instance, they can’t test whether a vulnerability is exploitable or a sanitizer is effective. Passive tools therefore need to be configured to reduce noise.
It depends on your risk appetite, business objectives, and team needs and constraints, including cost, time, resources, compliance, and so on.
If your organization is just starting its application security journey, IAST can provide a quick win. It gives you the most bang for your buck. It reports high-value vulnerabilities with less noise. Then, as you mature your application security program, you can use SAST to shift left to the furthest point—that is, the developer desktop.
In addition, if your organization is going through an agile transformation, has a DevOps pipeline, and wants to run security tools inline, IAST is a natural fit. IAST provides the most value with the least overhead and friction.
However, for organizations that are compliance driven, SAST has an advantage over IAST. SAST provides deterministic results that you can track and verify. Each time you run a scan, the SAST tool analyzes the entire codebase and follows the same set of processes and analysis techniques to produce predictable, comprehensive results. Furthermore, SAST enables simplified vulnerability life cycle management.
In heavily regulated industries, DAST or external pen testing is a must. It provides a system of checks and balances. While all these other tools empower internal teams, they also require the teams to follow certain processes and guidelines to implement an effective solution. However, DAST and external pen testing provide an independent and objective way to perform security assessments and can also help externalize that responsibility.
I’d be remiss if I didn’t mention software composition analysis (SCA). No matter which combination of SAST, DAST, and IAST you use, SCA capability is a must. SAST, DAST, and IAST primarily look for unknown vulnerabilities, whereas SCA looks for known vulnerabilities. Known vulnerabilities appear in the third-party code you use; they’re already known to the public and most likely have a CVE assigned to them. To make matters worse, these vulnerabilities have known exploits, which makes your applications an easy target. An application security leader once told me, “I won’t get fired if a nation-state hacks us, but I will definitely get fired if a college kid hacks us.” When you choose an SCA tool, ensure that it provides timely vulnerability updates so that you can implement an active vulnerability management program to address newly discovered vulnerabilities.
At Synopsys, we understand that there is no silver bullet. That’s why we continue to invest in all our flagship offerings: Coverity (SAST), Seeker (IAST), Managed Services (+DAST), Black Duck (SCA), and Defensics (fuzzing).