Posted by Taylor Armerding on Tuesday, July 31st, 2018
The need for web apps to be secure is demonstrated at least weekly, if not daily. At the end of June, just two of several examples were the U.K. branch of the ticket-selling giant Ticketmaster, breached because of vulnerable code on its payments page, and a collection of around 4,000 hotels that relied on booking software from the French company FastBooking. Attackers were able to steal the personal information of an unknown number of guests owing to vulnerabilities in the company’s web app.
Those events ought to be rare, and very likely would be, if developers were using the right software analysis tools to detect vulnerabilities before web apps were in production—when they could be fixed more easily and at much less expense.
While there are a variety of testing tools and techniques, each useful at different times and in different ways, one of the most effective is interactive application security testing (IAST), a technique that does its analysis from within applications and can identify vulnerabilities while the apps are running.
IAST has access to application code, runtime control and dataflow information, memory and stack trace information, HTTP requests and responses, and libraries, frameworks, and other components (via a software composition analysis tool).
And while there are a number of IAST tools on the market, not all of them are created equal. Seeker, an IAST tool from Synopsys Software Integrity Group, is, to borrow from George Orwell, “more equal than others.”
You can count the ways:
Compliance monitoring. A continuously updated dashboard shows applications’ compliance to the OWASP Top 10, PCI DSS v3.2, and SANS/CWE security standards. Black Duck Binary Analysis identifies vulnerabilities found in open source components, libraries, and frameworks, as well as license type information. It also shows compliance to various security standards in the dashboards displayed in the Seeker UI.
Low incidence of false positives. The last thing a security team needs or wants is a massive list of potential vulnerabilities that requires a lengthy, tedious manual review. Seeker uses “active verification,” which automatically validates vulnerabilities to find those that are actually exploitable while eliminating others. It cuts the rate of false positives from an industry average of 20% to near zero.
Early warning. Seeker finds runtime vulnerabilities during the test/QA stage, which allows security teams to focus their DAST (dynamic application security testing) and pen testing budgets on difficult corner-case vulnerabilities that require intensive manual human testing to identify and verify.
Integration. Seeker won’t slow you down. It works with virtually any type of manual or automated test. It provides web APIs for easy integration into standard build tools, custom enterprise tools, and dashboards to display analysis results and automate the installation of Seeker software. It fits seamlessly into CI/CD workflows, and it doesn’t require extensive configuration or tuning.
Automation. Seeker is the only IAST solution that provides active verification of results. It’s a bit like having a team of automated, virtual pen testers working 24-7 to identify common security vulnerabilities. No lunch breaks, no sick time, no vacations, and no overtime.
Hello, PCI DSS and GDPR. Seeker’s unique ability to track sensitive data enables security teams to identify sensitive data and ensure that it is handled securely and not stored in log files or databases with weak or no encryption. Tracking sensitive data can help you achieve compliance with the sections of PCI DSS that require data encryption, as well as other industry standards and regulations such as GDPR.
Support. Seeker is backed by a broad Synopsys portfolio of products and services, stability, and funding. If you need help, you will get it.
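To make concrete what "runtime dataflow information" means in the IAST description above, and how the same mechanism underlies the sensitive-data tracking mentioned under PCI DSS and GDPR, here is an added toy example (not Seeker's code, and all names constructed): a label is attached to each inbound HTTP parameter inside the running app, propagated through string operations, and reported when it reaches an instrumented sink such as a SQL call or a log write.

```python
# Added illustration, not Seeker's code: a toy runtime taint tracker of the
# kind an IAST agent installs inside a running app. Names are constructed.

class Tainted(str):
    """A str that remembers which request parameter it came from."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    def __add__(self, other):   # the label survives concatenation
        return Tainted(str(self) + str(other), self.source)
    def __radd__(self, other):
        return Tainted(str(other) + str(self), self.source)

findings = []   # (sink, source) pairs recorded by instrumented sinks

def sink(name):
    """Instrument a sink: record a finding when labelled data reaches it,
    much as an agent hooks a database driver or a logging call."""
    def wrap(fn):
        def inner(*args):
            for a in args:
                if isinstance(a, Tainted):
                    findings.append((name, a.source))
            return fn(*args)
        return inner
    return wrap

def sanitize(value):
    """Escaping yields a plain str, so the label is dropped on purpose."""
    return str(value).replace("'", "''")

@sink("sql")
def execute(query): return query

@sink("log")
def log(message): return message

def param(name, value):
    """An instrumented framework labels every inbound request parameter."""
    return Tainted(value, "request." + name)

def handle(user, card):
    """Request handler under test; returns the findings the agent produced."""
    findings.clear()
    u, c = param("user", user), param("card", card)
    execute("SELECT * FROM t WHERE name='" + u + "'")            # flagged
    execute("SELECT * FROM t WHERE name='" + sanitize(u) + "'")  # clean
    log("charging card " + c)                                    # flagged
    return findings[:]
```

A real agent does the same at the bytecode or driver level for every string operation and every sink the framework exposes; this toy only follows concatenation, which is enough to show why escaped input produces no finding while raw input and card data written to a log do.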