Application security testing in an age of continuous development
Web application security testing techniques have changed significantly since waterfall development methodologies lost popularity and the advantages of an agile approach to software development started to hold sway. Testing has had to become as iterative as the continuous development & integration methods of modern app development. In environments with multiple web properties, the automation of such testing is now a commonplace necessity.
Sure, manual testing still exists — and there are excellent arguments for engineers to pore through lines of code manually. However, the increasing need for security combines with pressure on DevOps teams to get applications into production quickly to produce situations for testers that are at worst untenable and, at best, potentially dangerous for the organization’s assets.
There is continuing friction between SecOps and DevOps, with developers feeling held back by security teams and security professionals feeling pressured to rein in developer activities to keep the larger enterprise infrastructure safe.
There have been many thousands of words written about this dichotomy in organizations that thrive and survive on getting web apps to market (many of those words appearing on this very site). Most of them urge businesses to bake best security practices into every stage of app development. That’s a fine aim, but many individuals and departments still feel under massive pressure to hit targets: the temptation is to either circumvent security to some degree (for DevOps) or prevent the rapid progress of applications to production (for SecOps).
Whatever the circumstances, there is always some kind of compromise across both fronts — unless of course web applications can be tested effectively, promptly, and without significant resource drain. Here is where the AST models come into play, typically comprising today of dynamic and static application security testing processes (DAST and SAST).
Both have advantages and disadvantages, mainly around the numbers of false positives raised by automated testing routines, the extra resource overhead required in terms of engineer hours or processing power, and the cost and effort required to deploy an effective solution.
Then there’s the problem of CI/CD: the testing processes have to be continuous at all stages of development, from initial concept and wireframing right through production and version updates.
Here, a new generation of interactive application security testing (IAST) platforms helps teams both hit DevOps targets and address the pressing concerns of the security team. Netsparker by Invicti combines DAST and IAST to provide automated security testing that overcomes the traditional shortcomings of standalone DAST or SAST tools. The combined approach results in applications being crawled 100%, verifiable proof that risks are real, and pinpointed references to the exact line of code or stack trace of the vulnerability — precisely the type of information that developers need to address issues quickly and effectively.
This approach means vulnerabilities are quickly found and reported complete with remediation guidelines and sample attack payloads that could be used by real-life attackers, so there is as little impediment to development progress as possible. Netsparker is the objective voice that shows and proves which issues constitute a real risk and that must be addressed immediately. Apps can continue through their development cycles, and true security concerns can be sent directly to be fixed as part of the developers’ daily workflows in the tools they already use.
The platform’s configurable multiple scanning agents act as distributed instances to maximize test coverage but also minimize resource utilization. Each scanning agent reports vulnerabilities centrally with concrete proof that the issue is real and exploitable. Objectivity from this canonical source promotes collaboration between developers and security teams, even in very complex web portfolios that are under constant development and testing. Interdependencies and shared libraries, hidden files, and application-level exploits are proactively probed, as well as cross-site scripting (XSS), SQL injection, and other vulnerabilities that account for the bulk of cybersecurity incidents.
It’s worth noting that the Netsparker platform doesn’t require a clean slate or a lengthy deployment process. Security and development engineers can continue to use their existing tool stacks, so investment in these remains valid and their lifespan is extended, promoting better ROI over time. Netsparker integrates with existing ticketing systems, Git* platforms, messaging and communication software, and even works alongside pen test tools like Metasploit.
It offers team management and vulnerability management features as a platform in its own right: it’s a central reference point for all security testing on just about any web application, old or new.
In a further article here on Tech HQ, we’ll be taking a more in-depth look at Netsparker’s combined DAST and IAST approach to application security. Web applications continue to be excellent ways for organizations to interact with partners, suppliers, customers, and internal stakeholders. The latest advances in interactive application security testing help to ensure that both legacy and new instances are kept as secure as possible in the face of emerging threats.
You can request a demo of Netsparker by Invicti to speak to a technical resource about your organization’s specific testing needs.