[OPD 2019] AST Platform and the importance of multi-layered application security testing
Download as PPTX, PDF0 likes226 views
This document discusses the importance of multi-layered application security testing and summarizes several application security testing techniques. It introduces static application security testing (SAST), interactive application security testing (IAST), software composition analysis (SCA), and dynamic application security testing (DAST). For each technique, it provides a brief description and highlights of their advantages and disadvantages. It emphasizes that using multiple techniques together can provide more comprehensive security testing than any single technique alone.
![[OPD 2019] AST Platform and the importance of multi-layered application security testing](https://image.slidesharecdn.com/uriaankorionastplatformandtheimportanceofmultilayeredapplicationsecuritytesting-191021171736/85/OPD-2019-AST-Platform-and-the-importance-of-multi-layered-application-security-testing-15-320.jpg)
[OPD 2019] AST Platform and the importance of multi-layered application security testing
- 1. AST Platform And the importance of multi layered application security testing
- 2. About Me Uria Ankorion Appsec solutions expert @ Checkmarx • Strong believer in spreading security awareness • Software developer at heart
- 3. CSC 18 Application Security Application Security and its importance
- 5. So which tool should I use?..(hint: as many as you can)
- 6. Application Security Technologies SAST – Static Application Security Testing IAST – Interactive Application Security Testing SCA/OSA – Software Composition Analysis DAST – Dynamic Application Security Testing RASP – Runtime Application Self Protection WAF – Web Application Firewall
- 7. Static Application Security Testing (SAST)
- 8. Interactive Application Security Testing (IAST) Runtime App Server Frameworks Libraries Custom Code IAST Agent Application Under Test Testing Framework IAST server IAST Dashboard 1 Monitoring of Application Under Test 2 Event-Collection during Testing 3 Security-Queries Execution 4 Pushing Vulnerabilities to the Dashboard
- 9. Identify OS libraries metadata, vulnerabilities, licenses 3 Send list of potential OS dependencies 2 Generate report 4 Scan project sources and run dependency resolution 1 Customer's libraries (source code + binary files) Customer’s open source libraries Repository of Open Source libraries Cloud Service Software Composition Anaysis (SCA aka OSA)
- 10. Dynamic Application Security Testing (DAST)
- 11. AppSec Technique Advantages Disadvantages SAST • Can be used after 1st line of code is written – max Shift Left • Makes the vulnerability fixing easy by showing the problem in the source code • Produces fast results even for large applications • Can be easily integrated into the CI process • Cannot see all flows, e.g. because of user data dependencies • Requires continuous development for new language/framework support • May require fine tuning to accommodate for custom sanitisers and services DAST • Provides visual confirmation for vulnerabilities • Doesn’t require access to source code to produce results • Requires a functional application • Can only detect reflected vulnerabilities • Takes a lot of time to generate and execute all inputs • Is difficult to integration into the CI process • Shows there is a problem, doesn’t tell where it is in the code IAST • Provides immediate feedback when suspected vulnerabilities are found • Doesn’t require access to source code to produce results • Can be integrated into the CI process • Requires a functional application • Requires existing (preferably automated and comprehensive) functional testing suite • Highly dependent on the application technology
Editor's Notes
- #14: Phase 5: optionally - SDLC-external elements added to explain that they are not part of AST platform but how they come into play