As the enterprise network has become more secure, attackers have turned their attention to the application layer, which, according to Gartner, now contains 90 percent of all vulnerabilities. To protect the enterprise, security administrators must employ a detailed software testing process when developing or buying software.
How to test software
There are several types of software testing process. At a high level they are either manual or automated, and automated testing is in turn either static or dynamic. A comprehensive security testing process uses all three: static, dynamic and manual.
Automated software testing
In automated software testing, tools execute tests against the application before it reaches production. Automated security testing comes in two forms, static and dynamic.
Static application security testing (SAST)
Static application security testing (SAST) is a testing process that looks at the application from the inside out. This test process is performed without executing the program, but rather by examining the source code, byte code or application binaries for conditions indicative of a security vulnerability.
In the static test process, the application's data and control paths are modelled and the model is then analyzed for security weaknesses, such as untrusted input that reaches a sensitive operation without being validated. Static analysis examines the internal structure of the application rather than its observable behaviour, so it is not a form of functional testing.
Dynamic application security testing (DAST)
Dynamic analysis observes how the application behaves while it is running, rather than inspecting its code.
The dynamic test process examines the application in its running state, whether in a test environment or in operation. It sends simulated attacks to a web application, such as crafted request parameters, and analyzes the application's responses to determine whether it is vulnerable.
Dynamic application security testing (DAST) therefore looks at the application from the outside in: it needs no access to source code or binaries, only to a running instance, and it discovers vulnerabilities by manipulating the application in unexpected ways and observing how it reacts.
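The "send an attack, analyze the reaction" loop described above, as an added example (this is not Veracode's scanner and not code from the original page). It starts a deliberately vulnerable HTTP endpoint on localhost, backed by an in-memory SQLite table with constructed sample users, and runs a boolean-based SQL injection probe against it: the scanner only sees requests and responses, exactly as a DAST tool would. The endpoint path /user, the name parameter and the sample data are assumptions made for the demo. A second variant of the same endpoint uses a bound parameter so the probe can be seen declining to flag it.

```python
"""DAST-style boolean-based SQL injection probe against a running target (added example)."""
import sqlite3
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data for the in-memory target application.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


class TargetHandler(BaseHTTPRequestHandler):
    """Target app: GET /user?name=<x> returns the matching e-mail addresses.
    This base class builds the SQL by string formatting (deliberately vulnerable)."""
    safe = False
    db = make_db()
    lock = threading.Lock()

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        if url.path != "/user":
            self.send_response(404)
            self.end_headers()
            return
        name = urllib.parse.parse_qs(url.query).get("name", [""])[0]
        try:
            with self.lock:
                if self.safe:
                    rows = self.db.execute(
                        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()
                else:
                    rows = self.db.execute(
                        "SELECT email FROM users WHERE name = '%s'" % name).fetchall()
            status, body = 200, "\n".join(r[0] for r in rows).encode()
        except sqlite3.Error:
            status, body = 500, b"database error"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class SafeHandler(TargetHandler):
    """Same endpoint with a bound parameter: the probe should not flag it."""
    safe = True


def fetch(base, name):
    """Black-box request; returns (status, body) so an error page counts as a reaction too."""
    url = base + "/user?" + urllib.parse.urlencode({"name": name})
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_sqli(base, value="alice"):
    """Boolean-based check: append an always-true and an always-false SQL condition.
    If the true case reproduces the baseline while the false case changes the
    response, the parameter is being interpreted as SQL rather than as data."""
    baseline = fetch(base, value)
    always_true = fetch(base, value + "' AND '1'='1")
    always_false = fetch(base, value + "' AND '1'='2")
    return always_true == baseline and always_false != baseline


def serve(handler_cls):
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Scan both variants; returns {'vulnerable': True, 'parameterized': False}."""
    results = {}
    for label, cls in (("vulnerable", TargetHandler), ("parameterized", SafeHandler)):
        server, base = serve(cls)
        try:
            results[label] = probe_sqli(base)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The probe compares whole responses (status and body) rather than looking for an error string, because a well-configured application hides database errors; the true/false pair works even then, which is why real scanners rely on it for blind injection. Note what the scanner does not know: whether the backend is SQLite, how the query is built, or where in the code the flaw sits. That is the trade-off with static testing, which sees the code path but never executes it.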
Manual software testing
In manual penetration testing (MPT), a security consultant (or pen tester) checks an application for security vulnerabilities by hand, typically with no visibility into the inner workings of the application.
Because a human confirms each finding, this test process has a very low false-positive rate, and because testers can apply logic and reasoning it finds flaws that require understanding the application's intended behaviour, which automated tools cannot reason about. However, it does not scale, its quality varies with the tester, and its results depend on the test environment.
CA Veracode’s software testing solution
CA Veracode’s software testing solution combines a variety of software testing tools into one platform.
For optimum accuracy in identifying application-layer threats, CA Veracode’s cloud-based platform combines multiple software testing processes, including:
CA Veracode’s patented binary SAST technology is a software testing process unique in the industry. This test process analyzes all code — including open source and third-party components — without requiring access to source code.
Binary SAST analyzes binary code to create a detailed model of the application’s data and control paths. The model is then searched for all paths through the application that represent a potential weakness.
For example, if a data path through the application originates from an HTTP request parameter and flows, without validation or sanitization, into the text of a database query, that path represents a SQL injection flaw. The same input passed to the query as a bound parameter rather than as part of the query text would not be reported, because it can no longer change the structure of the statement.
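The source-to-sink model described in the SAST section and in the two paragraphs above, as an added example that is not Veracode's code and not from the original page. It is a toy taint analysis over Python source using the standard ast module (Veracode's product works on binaries; the idea of modelling data paths and searching them for unsanitized flows is the same). The names are assumptions for the demo: request.args.get(...) is the untrusted HTTP source, any .execute(...) call is the query sink whose first argument is the SQL text, and sanitize_identifier is a hypothetical sanitizer. The code under analysis is constructed inline.

```python
"""Toy source-level taint analysis for SQL injection (added example)."""
import ast

# Hypothetical names for the demo: an untrusted source, a sanitizer and the sink.
SOURCE_ROOT = "request"                # request.args.get(...), request.form.get(...)
SANITIZERS = {"sanitize_identifier"}   # calls trusted to neutralise their input
SINKS = {"execute"}                    # db.execute(sql, params): the SQL text is args[0]


def is_source(call):
    """True for request.<collection>.get(...), the entry point of untrusted data."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "get"
            and isinstance(f.value, ast.Attribute)
            and isinstance(f.value.value, ast.Name) and f.value.value.id == SOURCE_ROOT)


def tainted(expr, env):
    """Does this expression carry untrusted data? env = names tainted so far."""
    if isinstance(expr, ast.Name):
        return expr.id in env
    if isinstance(expr, ast.Call):
        if is_source(expr):
            return True
        callee = (expr.func.attr if isinstance(expr.func, ast.Attribute)
                  else getattr(expr.func, "id", None))
        if callee in SANITIZERS:
            return False
        # Method calls on tainted data (name.strip(), fmt.format(x)) and calls taking
        # tainted arguments both propagate taint; int(x) would too, which is conservative.
        receiver = isinstance(expr.func, ast.Attribute) and tainted(expr.func.value, env)
        return receiver or any(tainted(a, env) for a in expr.args)
    if isinstance(expr, ast.BinOp):          # "..." + x, "..." % x
        return tainted(expr.left, env) or tainted(expr.right, env)
    if isinstance(expr, ast.JoinedStr):      # f"... {x} ..."
        return any(tainted(v.value, env)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, (ast.Tuple, ast.List)):
        return any(tainted(e, env) for e in expr.elts)
    return False                              # constants, attributes, anything else


def find_sqli(source_code):
    """Return (function, line) for every sink whose SQL text is reachable from a source.
    Straight-line analysis of each function body: branches and loops are not modelled."""
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        env = set()
        for stmt in func.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if tainted(stmt.value, env):
                    env.add(target)
                else:
                    env.discard(target)          # reassigned from a clean value
            for call in ast.walk(stmt):
                if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                        and call.func.attr in SINKS and call.args
                        and tainted(call.args[0], env)):
                    findings.append((func.name, call.lineno))
    return findings


# Constructed code under analysis: two flawed handlers, two that are not.
SAMPLE = '''
def lookup_concat(request, db):
    name = request.args.get("name")
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_fstring(request, db):
    name = request.args.get("name")
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

def lookup_sanitized(request, db):
    table = sanitize_identifier(request.args.get("table"))
    return db.execute("SELECT * FROM " + table).fetchall()

def lookup_parameterized(request, db):
    name = request.args.get("name")
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
'''

if __name__ == "__main__":
    for func_name, line in find_sqli(SAMPLE):
        print("SQL injection: untrusted data reaches execute() in %s (line %d)"
              % (func_name, line))
```

Running it reports lookup_concat and lookup_fstring only. lookup_parameterized passes because the tainted value travels in the second argument, the bound parameters, and never touches the query text, which is the caveat above made mechanical. lookup_sanitized passes only because the analysis trusts the hypothetical sanitize_identifier; a real tool's sanitizer list is a policy decision and a common source of both false negatives (a sanitizer that does not actually neutralise the input) and false positives (a safe routine the tool does not recognise).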