Sep 23, 2014

A Guide to Static Testing of Web Apps: No Running Required

By Shawn Drew

In the modern, fast-paced world of Agile software development, where an organization may have new or updated web apps released every few days or weeks, application security scans are sometimes delayed until the last part of the quality assurance (QA) phase. However, even if developers are versed in secure architectural design and threat modeling, security issues will sneak through the development phase — which is why static application security testing (SAST) should be used even at the earliest phase of the Software Development Life Cycle (SDLC).

SAST in a Nutshell

Static testing, which is often called "white-box testing" or "inside-out testing," is designed to find issues other types of scans often miss. It analyzes the source code, binaries or object code to find vulnerabilities without the application actually running. SAST begins with a modeler, which scans the code to find out how data moves through an application and builds a model of that application for testing purposes.

The SAST software then scans the model using query patterns associated with known security issues to see if the application handles these requests correctly. Through this process, SAST will often find issues like buffer overflows and memory leaks, along with more complicated vulnerabilities like SQL injection issues and cross-site scripting issues.
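The modeler-then-query process described above, reduced to a small added example (not code from the original article or from any SAST product): it parses a constructed sample without running it, models which variables carry untrusted data, and applies one query pattern for SQL injection. The names `request` (untrusted source) and `execute` (SQL sink) are assumptions chosen for the sample.

```python
import ast

# Constructed sample input: parsed as text, never executed.
SAMPLE = '''
def lookup(cursor, request):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_safe(cursor, request):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

SOURCE = "request"  # assumption: object that carries untrusted input
SINK = "execute"    # assumption: method that sends SQL to the database

def is_tainted(expr, tainted_vars):
    """True if expr reads the source or a variable derived from it."""
    return any(isinstance(n, ast.Name) and (n.id == SOURCE or n.id in tainted_vars)
               for n in ast.walk(expr))

def scan(source_code):
    """Return (function name, line) for each sink whose SQL text is tainted."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted_vars = set()  # the model: which variables hold untrusted data
        # Simplification: visit nodes in source order, ignoring branches.
        nodes = sorted((n for n in ast.walk(func)
                        if isinstance(n, (ast.Assign, ast.Call))),
                       key=lambda n: (n.lineno, n.col_offset))
        for node in nodes:
            if isinstance(node, ast.Assign):
                names = [t.id for t in node.targets if isinstance(t, ast.Name)]
                if is_tainted(node.value, tainted_vars):
                    tainted_vars.update(names)
                else:
                    tainted_vars.difference_update(names)  # overwritten with clean data
            elif (isinstance(node.func, ast.Attribute) and node.func.attr == SINK
                  and node.args and is_tainted(node.args[0], tainted_vars)):
                # Query pattern: tainted data reaches the SQL string itself.
                findings.append((func.name, node.lineno))
    return findings

if __name__ == "__main__":
    for name, line in scan(SAMPLE):
        print(f"possible SQL injection: {name}() line {line}")
```

The parameterized call in `lookup_safe` is not reported because only the SQL text argument is checked, not the bound parameters.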

The Benefits of SAST

The model that SAST creates provides a comprehensive view of an application and all its data paths, offering insight into possible vulnerabilities that dynamic testing conducted on a running application might overlook. Since SAST doesn't require a running application, it can be performed much earlier in the development life cycle than other forms of testing. Not only will this inform developers of necessary changes to the way they code, but it also locates issues at a time when it is much more economical to fix them — as opposed to once the application is in the QA phase or already live.

SAST solutions that can investigate binaries add another layer of protection. These solutions not only check a developer's code for issues, but also investigate third-party components and libraries without requiring access to their source code. Given the proliferation of third-party and open-source code in modern applications, binary SAST should soon become a requirement for any enterprise concerned about application security. In fact, FS-ISAC, a financial services industry group, has already recommended binary static testing as one of three critical controls for limiting the risk posed by third-party software.

Part of an Overall Security Solution

As many benefits as SAST can provide, it's still just one part of an overall security solution when developing web applications. SAST excels in the early stages of development, and even more so in conjunction with dynamic application security testing (DAST) during the QA phase. Additionally, any mission-critical apps should go through a manual penetration test during this stage. Both DAST and manual penetration testing will provide insight into how actual cybercriminals will interact with an application. By combining SAST, DAST and manual testing under one umbrella, enterprises can get a holistic view of an application's security strength, and IT can get one comprehensive dashboard to easily review and prioritize the issues each test finds. This combination will help reduce false negatives, which waste precious time and money to track down and write off.

The best option for delivering this type of security solution is the cloud. It allows you to view comprehensive results of your binary code to spot vulnerabilities up front in your development process, scales quickly without intense infrastructure requirements, and provides easy updates to your testing engine as new vulnerabilities are identified, all while integrating into your SDLC.

In a nutshell, when it comes to software security, cloud-based solutions are your answer for collaborating, sharing functionality and information, reporting and ensuring consistent application of a policy — without disrupting your development environment or putting a strain on your infrastructure.


Shawn Drew has spent the last five years helping businesses understand the difference that technology can make for their internal processes, external connections, and bottom line. He specializes in all things cloud computing and security, and hopes to impart some knowledge on how the two can be combined to enhance the inherent benefits of each. His work has been published on the websites and blogs of a number of technology industry leaders, such as IBM, Veracode and Boundary.