Interactive application security testing (IAST) and software composition analysis (SCA) are both powerful technologies for your software security program.
Two powerful yet relatively new technologies in application security testing are interactive application security testing (IAST) and software composition analysis (SCA). IAST solutions are designed to help organizations identify and manage security risks associated with vulnerabilities discovered in running web applications using dynamic testing (a.k.a. runtime testing) techniques.
SCA, a term coined by market analysts, describes an automated process to identify open source components in a codebase. Once a component is identified, it becomes possible to map that component to known security disclosures and determine whether multiple versions are present within an application. SCA also helps identify whether the age of the component might present maintenance issues. While not strictly a security consideration, SCA also facilitates legal compliance related to those open source components.
According to Verizon’s 2018 Data Breach Investigations Report, web application attacks still remain the most common vector for data breaches. Web applications are the attack surface of choice for hackers attempting to get access to sensitive IP/data and personal data, such as usernames and passwords, credit card numbers, and patient information. Organizations need to ensure that the web applications they develop are secure, ideally before they are deployed in production, and developers need to be able to perform quick fixes when critical vulnerabilities are discovered.
Web applications are seldom composed exclusively of proprietary code. In fact, the converse is usually true, with open source code components ubiquitous in both commercial and internal applications. The 2018 Open Source Security and Risk Analysis (OSSRA) report published by the Synopsys Cybersecurity Research Center (CyRC) found open source components in 96% of 1,100 applications scanned, with an average 257 components per application. Because organizations are often unaware of how much—or even what—open source they’re using, they can inadvertently provide attackers with a target-rich environment when vulnerabilities in open source components are disclosed. Seventy-eight percent of the codebases examined for the OSSRA report contained at least one open source vulnerability, with an average 64 vulnerabilities per codebase.
While development and security teams often use SAST (static application security testing) and SCA solutions to identify security weaknesses and vulnerabilities in their web applications, detection of many vulnerabilities is only possible by dynamically testing the running application, which led to the development of dynamic application security testing (DAST) tools. Despite similarities to traditional DAST and penetration testing tools, IAST is superior to both in finding vulnerabilities earlier in the software development life cycle (SDLC)—when it is easier, faster, and cheaper to fix them. Over time, IAST is likely to displace DAST usage for two reasons: IAST provides significant advantages by returning vulnerability information and remediation guidance rapidly and early in the SDLC, and it can be integrated more easily into CI/CD and DevOps workflows.
IAST generally takes place during the test/QA stage of the SDLC. With IAST effectively shifting testing left, problems can be caught earlier in the development cycle, reducing remediation costs and release delays. The latest-generation IAST tools return results as soon as changed code is recompiled and the running app retested. By focusing testing on a narrow set of changes, developers can quickly identify vulnerabilities even earlier in the development process.
IAST does analysis from within applications and has access to application code, runtime control and dataflow information, memory and stack trace information, network requests and responses, and libraries, frameworks, and other components (via integration with an SCA tool). The analysis allows developers to not only pinpoint the source of an identified vulnerability but also address it quickly.
IAST solutions are dependent upon their ability to instrument code, which means their capabilities are dependent upon the application’s programming language. You’ll want to select an IAST tool that can perform code reviews of applications written in the programming languages you use and that is compatible with the underlying framework used by your software. Obviously, it should deploy quickly and easily, with seamless integration into CI/CD workflows. Compatibility with any type of test method—existing automation tests, manual QA/dev tests, automated web crawlers, unit testing, etc.—is another feature to look for.
The best IAST tools provide DevOps teams with the ability to both identify security vulnerabilities and also inform as to whether that vulnerability can be exploited. Any modern IAST tool should include web APIs that enable DevOps leads to integrate testing into continuous integration builds like those using Jenkins. Native integration with defect management tools like Atlassian Jira provides for streamlined defect management workflow.
With the prevalence of open source code in today’s software, effective IAST tools need to be aware of the open source composition of the applications being tested. Open source compositional analysis is the responsibility of an SCA tool. This requires the SCA tool to have a deep understanding of open source development paradigms and produce a comprehensive inventory for the open source dependencies regardless of how each dependency is linked into the application.
Understanding whether an open source vulnerability is exploitable within a given application requires an understanding of whether the vulnerable component is present, how an exploit of the vulnerability operates, and how the application uses the component. Only a combination of top-tier IAST and SCA tools can effectively identify this class of software risk and guide developers to resolution. An integrated IAST and SCA solution helps development teams build more secure software, minimize risks while maximizing their speed and productivity, and improve the quality of their software.
Tim Mackey is a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O'Reilly Media published author and has been covered in publications around the globe including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times. Follow Tim at @TimInTech on Twitter and at mackeytim on LinkedIn.