Stop doing security the ‘right’ way

Problems of DAST

First of all, even though there are some “agile penetration testing” solutions available as DAST tools in CI pipelines, manual DAST executed by pen-test experts provides higher confidence in findings. However, it is not an “agile” method, since it runs once at the end of the testing phase, just before the application is deployed. As a non-agile methodology, manual DAST carries an inherent risk: the later issues are discovered, the slower and more expensive they are to fix. As a result, deadlines are missed or, even worse, security is compromised.

  • Vulnerabilities inherited from third-party components,
  • Business logic flaws that can be misused to exploit vulnerabilities,
  • Correct and centralised implementation of authorisation and authentication mechanisms,
  • Sensitive data leakage through logs that people within the organisation have access to,
  • Inadequate logging and monitoring mechanisms, which are needed as evidence when critical events occur,
  • and other insecure constructs in the system that are not directly exploitable today but may become exploitable in the future.

Problems on culture

Furthermore, from our interactions with development teams we observe that the problem is even deeper: it lies in their culture. A few common problems observed from an organisational culture perspective are:

  • Lack of ownership of security topics,
  • Insufficient knowledge of common application security risks such as the OWASP Top 10,
  • Lack of collaboration between developers and Information Security teams, with the latter engaged too late in the SDLC,
  • Copying code from forums and other online sources such as Stack Overflow, which are full of insecure examples.

6 steps to “Security by Design”

The steps are arranged to start by building awareness of security concepts, then defining standards and principles, followed by tools and processes that check adherence to them, which eventually leads to the organisation's cultural shift towards security by design.

  • Dynamic Application Security Testing (DAST) tools, which automatically perform black-box tests against the deployed application. In terms of frequency, such tools run once before the system goes live. Their advantages and disadvantages are discussed in the previous sections of this article.
  • Static Application Security Testing (SAST) tools, which identify and report security vulnerabilities in source code through static analysis. SAST can run during the development phase with very high frequency, e.g. on each commit, giving developers very fast feedback. Examples of the vulnerabilities it detects include missing input validation and potential injection, numerical errors, path traversal, exposure of sensitive data and more. The most significant disadvantages of SAST are the heavy customisation needed before it can perform the analysis and the vast number of false positives, which take notable time to review and must be triaged by a security expert.
  • Software Composition Analysis (SCA) tools, which analyse the third-party components used by the application under development. As with SAST, SCA tools can run on every commit for fast feedback. To avoid reinventing the wheel, developers reuse external components written by other developers and published as open-source software. A recent example is the Log4Shell vulnerability in Log4j, which affected 93% of enterprise cloud environments, including large corporations and governments. SCA tools identify known vulnerabilities in those components, e.g. according to the NIST CVE database, and indicate whether the components need to be patched or replaced.
  • And other hybrid methods, such as Interactive Application Security Testing (IAST).
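As an added illustration of what the SCA step above does (this is example code written for this edit, not a tool from the article or from code4thought), the script below matches a constructed list of Maven-style dependencies against a constructed advisory list with affected version ranges. The advisory ID and the version range used for the Log4j entry are placeholders, not real advisory data.

```python
# Added example: a minimal software composition analysis (SCA) check.
# Advisory data, dependency list and the advisory ID are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    group: str
    artifact: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first version that is no longer affected (exclusive)


def parse_version(version):
    """Turn '2.14.1' into a comparable tuple, padded to three components.
    Pre-release suffixes such as '-beta9' are dropped for the comparison."""
    base = version.split("-")[0]
    parts = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(dependencies, advisories):
    """Return [(coordinate, advisory_id, fixed_version)] for affected deps."""
    findings = []
    for dep in dependencies:
        group, artifact, version = dep.split(":")
        for adv in advisories:
            if (group, artifact) == (adv.group, adv.artifact) and is_affected(version, adv):
                findings.append((dep, adv.advisory_id, adv.fixed))
    return findings


# Constructed advisory "database": placeholder ID and illustrative range only.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-0001", "org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0"),
]

# Constructed dependency manifest in group:artifact:version form.
DEPENDENCIES = [
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.17.1",
    "com.example:widgets:1.3.0",
]

if __name__ == "__main__":
    for dep, adv_id, fixed in scan(DEPENDENCIES, ADVISORIES):
        print(f"{dep}: affected by {adv_id}, upgrade to >= {fixed}")
```

Running this on every commit, as the text suggests, turns a non-empty `scan()` result into a build failure that points the developer at the fixed version to upgrade to.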


code4thought is a technology company with a unique purpose: to render technology transparent for large scale software and AI-based systems.
