AppSec Decoded: Continuous AppSec testing in DevSecOps with Seeker IAST

Video Transcript

Taylor Armerding 
Today we're going to be talking about another testing tool that can help in the ongoing struggle to improve software security without undermining speed and agility in development. Specifically, we're going to focus on the risks inherent in modern software development and DevSecOps environments, which include the increased adoption of micro services, serverless functions, and application program interfaces, or API's, which can make it difficult to identify all the endpoints involved in your system. And what makes it even more difficult is a lack of any common standards for APIs. 

But there is good news here, and that is that there are ways to mitigate the risks. And joining me to talk about the benefits of automated interactive application security testing tools, or IAST, is our go to guru on the topic, Kim Yeo, senior manager for dynamic AppSec solutions within the Synopsys Software Integrity Group. 

How does IAST fit into security testing?

Let's talk about how IAST fits into security testing. We know the development and security teams use tools such as SAST (static application security testing) and SCA (software composition analysis) to identify security weaknesses and vulnerabilities in their code, whether it's proprietary, commercial or open source. Where does IAST come into play with that?

Kimm Yeo 
Thank you very much, Taylor, for inviting me to today's session. And this is a very good question indeed. There are many different AST, which stands for application security testing tools. 

SAST and SCA tools are great for identifying flaws. And also to detecting any exploits in custom and open source code. All these are great and usually are being done during development and build integration stages. However they do not detect any unknown vulnerabilities. Those kind of vulnerabilities that only gets triggered during application runtime. This is where IAST comes in. It examines the entire application from the inside out, including the libraries and frameworks. So you get better coverage over the entire code base. And in addition to that, you will get insights into where it started from the application UI. You really do not need any special configuration nor any additional scans or manual test cycles to verify and triage the findings. And that is because it has this built-in instrumentation and agent technology. What it does is it allows Seeker, which is our tool, to track and verify and alert teams of critical findings in real time. IAST literally doubles as a security test, while the development and QA teams carry out their normal test cycle. It is really perfect for those who are doing agile development. Testing continuous testing, especially in the DevOps CI/CD environment.

Why do you need more than one AppSec tool?

Taylor Armerding 
We mentioned 4 tools: SAST, DAST, IAST, and SCA. Why is it so important to leverage that full spectrum of application security testing tools?

Kimm Yeo 
Very good question. I mean this is a very commonly asked question, like you know, why do I need one or another? Do I really need all of them? And guess what? We do believe in managing the overall application threat landscape holistically. There's really no silver bullet when it comes to application security, and I'm sure you know that Taylor. It depends upon the business objectives, right. And the application, how critical to the business is it that you need to secure? It could be a combination of internal and external facing applications. 

And on top of that, you also need to know what is your organization's acceptable risk tolerance, and do you have adequate resources, subject matter expertise on staff to help manage it. Most organizations will need a combination of static analysis tools, SCA, and dynamic testing solutions. It's why, at Synopsis, we continue to provide the broadest range of application security tools, solutions and services that can cater to the business.

What are key considerations for an effective API security strategy?

Taylor Armerding 
As we said at the top, API security is emerging as top of mind when it comes to securing the supply chain or the DevOps CI/CD. Online. So what are some key considerations for an effective API security strategy?

Kimm Yeo 
First thing, I want to acknowledge that it is true. API has quickly become the fastest growing attack surface. And I think there is a recent study that showed 90% of web applications have the most exposed surface area through APIs. And that's why it's really important to have a very strong strategy for how you're going to manage and handle API security.  

It's really an API economy going forward. There are organizations who assume that you can protect and block vulnerable APIs with just web firewalls or monitoring. But guess what? That's just the first step. It is really not enough to prevent rogue API's from infiltrating.  

API-based apps really need to be treated as a complete life cycle of their own, just like how we treat these software applications. First of all, you need to have proper API design with the right set of API policies built into your organization’s business risk and continuity program, you need to establish an internal inventory and have a catalog of all the APIs used in your application. These are all necessary to help establish the right risk assessment, classification and control.  

Once you have the API discovery and cataloging mechanism in place, you want to be able to dynamically monitor and track all the inbound and outbound call paths and test for potential exploits or sensitive data flow leakage. This last step is something which a lot of organizations are not quite there yet or aware of. It's really important to have some mechanism or solution that can help you to dynamically test, track, and detect the data flow of all these API endpoints.  

Ultimately, the goal is to build a good API strategy and control application with the highest risk factor, especially if you don't have the time and expert resources. So you definitely want some kind of a tool that can help you do that.

How does Seeker IAST help with API security?

Taylor Armerding 
That is a perfect segue into our last question, which is how does an IAST tool like Seeker identify potential exploits in API calls?

Kimm Yeo 
That's a very good question, Taylor. Seeker is really unique IAST. Unlike some of the solutions that's out in the market, it leverages the built-in API engine, and it can support multiple modern frameworks used in web, microservices, as well as cloud native applications.  

Some of the language frameworks include Go, GraphQL, Jira PC, as well as serverless functions from Azure and AWS Lambda, and all these are on top of the standard commonly used framework such as REST, JSON, and XML.  

The way it works is that Seeker will collect the common API specification, such as Open API, also formally known as Swagger, from applications that expose them and they use these specifications to automatically test and assess every endpoint in the APIs. And all this is done with no extra configuration required. There is no need to have the API specification if you don't have one, that's fine. Seeker can find them, download them from the application under test, and piggyback on normal traffic during the test to send requests and crawl the API. It tests for the OWASP top 10 vulnerabilities such as API authentication, authorization issues, as well as usage of any unverified JWT tokens or any JWT signature algorithm tampering, for example.

And here's something which is very unique about Seeker, which I'm very excited about. It has the ability to discover both tested as well as untested API's and the public catalog of all the vulnerable API endpoints. Besides giving a catalog, the teams can also get a visual map of attack patterns, with the vulnerable inbound and outbound calls. This is really useful and valuable, especially when teams perform taint analysis across hundreds of microservices they have running in the background. And we have customers who told us that they find this visual data flow map very valuable in their threat modeling exercise, and it helps cut down their pen testing time and effort.

There's a lot more capabilities that we're not going to be able to cover here. You know some of the capabilities are very common. You will find them in some of the other IAST tools too, such as integration of software binary, software composition analysis. In the case of Seeker, we also have integration with e-learning, which is really going to provide that contextual learning for developers on the go.  

I would really recommend to go download the IAST evaluation guide on the synopsis website. You're going to find a lot more capabilities highlighted and what some of the considerations you must have in your IAST selection.

Taylor Armerding 
That’s another good segue, Kimm, thank you. We're going to leave it there for our interview. But if you want to learn more about Seeker and IAST in general, Kimm Yeo has written a couple of blogs that are on our our website on continuous testing and cloud-native testing, which are among the reasons why Gartner has ranked synopsis the tops in the latest critical capability report.

Thank you once again, Kimm, we really appreciate your time, and thank you all for watching. Once again, you’ve been watching AppSec Decoded.  

I’m Taylor Armerding with the Synopsys Software Integrity Group, where we help organizations build trust into their software.