Wallarm Launches Framework for Automatic Security Testing

Source – eweek.com

Cybersecurity startup Wallarm announced the launch of its Framework for Automatic Security Testing (FAST) technology on April 26, providing organizations with a new approach to scan applications for potential security risks.

The FAST product enables automated security test generation that can be used to look for both known and unknown vulnerabilities in running code. With FAST, Wallarm claims that is can also find anomalies in application responses that could potentially lead to risk as well.

“FAST is not language specific, it can be used to test apps and micro-services written in any language,” Renata Budko, Chief Marketing Officer for Wallarm, told eWEEK. “It constructs tests as http requests and applies fuzzing to the body and where applicable, the header of the request.”

Wallarm was founded in 2013 and has raised a total of $2.9 million to date. Budko said that until now Wallarm has been selling an application security platform to protect websites and APIs in the runtime. She added that the Wallarm Application Security Platform includes real time attack mitigation, bot protection, Web Application Firewall (WAF) and a dynamic application security testing (DAST) capability for vulnerability detection.

In contrast, Budko said that FAST is a new product that targets the application security testing (AST) market. Application security testing can take many different forms, including both static application security testing (SAST), DAST,  as well as Interactive Application Security Testing (IAST), which is where the new Wallarm FAST tool fits in.

“FAST is not a SAST, it is more akin to an IAST tool,” Budko said. “The idea is that it uses QA (quality assurance) functional tests and a fuzzer as an inducer and analyzes the responses to detect vulnerabilities and anomalies.”

Fuzzing is a commonly used security testing technique where garbage inputs are injected into an application to see how the application will behave. Budko said that the fuzzing technology built into FAST was built by Wallarm and is not based on any open-source projects.

“The fuzzer is governed by the policy which specifies what parameters of the payload or the header to fuzz, and how to tune up the fuzzing so that generated payloads are more relevant,” Budko explained.

DevOps

In the emerging software development and deployment paradigm commonly referred to as “DevOps”, integrating security testing has become increasingly common. Budko said that FAST is fully instrumented with APIs to be integrated into the DevOps pipeline.

“Test generation, policies, running tests and retrieving results are all API enabled,” Budko said. “We expect a typical use case to be a FAST test run to be launched from Jenkins as a part of a build acceptance criteria sequence.”

Jenkins is a popular open-source continuous integration/continous development (CI/CD) automation server that is widely used in DevOps deployments. Another technology that is commonly found in use with developers is the Selenium software testing framework for web applications. Budko said that FAST and Selenium are complimentary.

“Selenium is very popular for automating http tests for SPAs (single page applications),” Budko. “These automated functional tests make ideal baselines for FAST to apply it’s multiplier and generate more security tests.

The FAST technology is deployed as a container and requires a Docker container engine to run. Budko said that currently there are no specific FAST integrations for public cloud providers, though she noted that the original Wallarm platform is certified on both AWS and Google Cloud Platform.

Looking forward, Budko said that Wallarm is looking forward to expand FAST into a product line with additional products targeting larger development teams.