dast vs sast

13
Web Application Security Testing DAST vs SAST 1 Will Bechtel, Director, Product Management January 26, 2012

Post on 07-Oct-2014


TRANSCRIPT

Page 1: DAST vs SAST

Web Application Security Testing

DAST vs SAST

1

• Will Bechtel, Director, Product Management
• January 26, 2012

Page 2: DAST vs SAST

Static Application Security Testing (SAST)

• Manual review of source code
• Automated scanning of source code or binaries
• Tests without runtime context (no specific user, etc.)
• Automated tools usually identify and prioritize vulnerabilities
  − Range widely in capabilities (simple search to complex evaluations)
  − Prioritized by risk
  − Identify data flows
  − Provide the ability to mark sources as trusted
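The slide lists three things an automated SAST tool does with source code: identify data flows, prioritize them, and let a reviewer mark sources as trusted. The following added example (written for this transcript; it is not from the deck and not any vendor's tool) is a toy taint tracker over Python source that shows those mechanics on a constructed sample: untrusted source calls propagate through assignments to sink calls, a known sanitizer breaks the flow, and a source marked trusted suppresses its findings. The source, sink and sanitizer tables and the sample program are assumptions for illustration.

```python
"""Toy intra-procedural taint tracker over Python source (added example).

Untrusted data entering via a source call flows through straight-line
assignments; a flow is reported when it reaches a sink call unless it passed
through a sanitizer or the reviewer marked the source as trusted.
"""
import ast

# Constructed tables: assumptions for this example, not a real tool's config.
UNTRUSTED_SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}
SANITIZERS = {"shlex.quote", "int"}


def _call_name(node):
    """Dotted callee name of a Call node, e.g. 'request.args.get', or None."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _is_tainted(node, tainted, trusted):
    """Decide whether an expression carries untrusted data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name in SANITIZERS:
            return False  # sanitizer breaks the flow
        if name in UNTRUSTED_SOURCES and name not in trusted:
            return True  # fresh untrusted data enters here
        return any(_is_tainted(a, tainted, trusted) for a in node.args)
    if isinstance(node, ast.JoinedStr):  # f-strings
        return any(_is_tainted(v.value, tainted, trusted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):  # "..." + x, "..." % x
        return (_is_tainted(node.left, tainted, trusted)
                or _is_tainted(node.right, tainted, trusted))
    return False


def find_flows(source_code, trusted=frozenset()):
    """Return (line, sink) pairs where untrusted data reaches a sink.

    `trusted` holds source names the reviewer has marked as trusted;
    flows that originate only from those sources are not reported.
    """
    tree = ast.parse(source_code)
    findings = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:  # straight-line statements only (toy)
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                if _is_tainted(stmt.value, tainted, trusted):
                    tainted.add(stmt.targets[0].id)
                else:
                    tainted.discard(stmt.targets[0].id)
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and _call_name(call) in SINKS:
                    if any(_is_tainted(a, tainted, trusted) for a in call.args):
                        findings.append((call.lineno, _call_name(call)))
    return findings


# Constructed sample program under review (an assumption, not real code).
SAMPLE = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)

def lookup_safe(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))

def run(request):
    name = request.form.get("name")
    os.system("ls " + name)
'''

if __name__ == "__main__":
    print("all sources untrusted:", find_flows(SAMPLE))
    print("form input marked trusted:", find_flows(SAMPLE, trusted={"request.form.get"}))
```

Running it reports the two unsanitized flows (lines 5 and 13 of the sample) and drops the `os.system` finding once `request.form.get` is marked trusted. The sanitizer table is also where the slide's false-positive point shows up: remove `int` from `SANITIZERS` and the safe lookup is flagged as well.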

Page 3: DAST vs SAST

Dynamic Application Security Testing (DAST)

• Automated scanning and interactive testing
• Sends an attack in the request, then evaluates the response
• Tests the full application stack as deployed
  − Can identify vulnerabilities in the web app, host, web server, app server, db server, etc.
• Tests in the context of a user
• Tests in runtime context
  − Includes context such as authorization that is loaded from a db, etc.

Page 4: DAST vs SAST

SAST

• Advantages
  − Full visibility of security controls in the web application
    · Not fooled by filters, etc.
  − Can identify logic-related vulnerabilities not easily discovered by black box testing
  − Accurate with human review – for the application itself – code doesn't lie
  − Does not depend on testing potentially unlimited paths
• Drawbacks
  − High cost of human resources – even with a tool it is very time consuming
  − Not scalable – can only thoroughly test a limited number of apps; limited availability of trained resources
  − High false positive rate with automated tools
  − Unable to identify any weaknesses associated with runtime context
    · Most access control is loaded from a db – no way to evaluate priv escalation
    · Can't find issues outside the code reviewed (web server, app server, etc.)
    · Can't determine if the deployed web app is vulnerable (other controls in place like a WAF)

Page 5: DAST vs SAST

Automated Testing

• Advantages
  − Able to identify weaknesses associated with runtime context
    · Most access control is loaded from a db – can evaluate priv escalation
    · Can find issues outside the web app code (web server, app server, etc.)
    · Can determine if the deployed web app is vulnerable (other controls in place like a WAF)
  − More cost effective – testing typically takes less time than static analysis and validation
  − Lower false positive rate than SAST
• Drawbacks
  − Can't identify logic-related issues
  − Can't identify weaknesses that are not in the testing context
  − Does not have visibility into security controls in the web application
    · Can be fooled by filters, etc.
  − Can't identify some categories such as a time bomb or back door inserted by a malicious developer
  − Can only test a limited number of paths
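Slides 3 and 5 describe DAST as sending a request and judging only the response the deployed stack returns, which is why it can tell whether a filter in front of the app changes the outcome and why it can also be fooled by one. The following added example (constructed for this transcript; it is not from the deck and not Qualys code) runs a minimal DAST-style reflection probe against an in-process handler: it sends a random marker and classifies how it comes back. The handlers, the stand-in filter and the probe are all assumptions; nothing here talks to a network.

```python
"""DAST-style reflection probe against in-process handlers (added example).

The probe only sees what the "deployed" handler returns, so the same
application code yields different verdicts depending on whether a filter
(a stand-in for a WAF rule) sits in front of it.
"""
import html
import secrets
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]
Handler = Callable[[Dict[str, str]], Response]


def vulnerable_search(params: Dict[str, str]) -> Response:
    """Constructed handler that echoes the query into HTML without encoding."""
    q = params.get("q", "")
    return 200, f"<p>Results for {q}</p>"


def hardened_search(params: Dict[str, str]) -> Response:
    """Same page with output encoding applied."""
    q = params.get("q", "")
    return 200, f"<p>Results for {html.escape(q)}</p>"


def with_filter(handler: Handler) -> Handler:
    """Wrap a handler with a crude input filter standing in for a WAF rule."""
    def filtered(params: Dict[str, str]) -> Response:
        cleaned = {k: v.replace("<", "").replace(">", "") for k, v in params.items()}
        return handler(cleaned)
    return filtered


def probe_reflection(handler: Handler, param: str) -> Dict[str, object]:
    """Send a unique marker in angle brackets and classify the response.

    Verdicts: 'reflected unencoded' (marker comes back intact, the finding a
    scanner would raise), 'reflected encoded' (output encoding in place),
    'reflected, filtered' (something in the path stripped the brackets),
    'not reflected'.
    """
    marker = secrets.token_hex(6)
    payload = f"<{marker}>"
    status, body = handler({param: payload})
    if payload in body:
        verdict = "reflected unencoded"
    elif html.escape(payload) in body:
        verdict = "reflected encoded"
    elif marker in body:
        verdict = "reflected, filtered"
    else:
        verdict = "not reflected"
    return {"param": param, "status": status, "verdict": verdict}


if __name__ == "__main__":
    for label, handler in [
        ("vulnerable, no filter", vulnerable_search),
        ("hardened, no filter", hardened_search),
        ("vulnerable behind filter", with_filter(vulnerable_search)),
    ]:
        print(f"{label}: {probe_reflection(handler, 'q')['verdict']}")
```

The third run is the slide's point in both directions: DAST correctly reports that the deployed stack, filter included, does not reflect the marker intact, and at the same time it has no way of knowing that the application code behind the filter is still the vulnerable handler. A code review of `vulnerable_search` would find that; the probe cannot.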

Page 6: DAST vs SAST

SAST Challenges

• Scope
  − What code is included? Third-party libraries
  − Environment: some tools require a buildable environment, which can be hard to set up
• Subject matter expertise
  − Best results if performed by someone intimate with the development
  − Hard to gain an understanding of applications just to perform a review
• Some languages are not well supported
  − PHP and other languages are not well supported – varies by tool

Page 7: DAST vs SAST

Testing Method Attributes (SAST vs DAST)

• Identifies weaknesses including OWASP Top 10
• Requires a human to validate
• Identifies weaknesses outside the app code (web server, etc.)
• Identifies weaknesses in user or runtime context
• Identifies logic flaws
• Definitive at the application level
• Identifies risks not visible to external testing (time bomb)

Page 8: DAST vs SAST

DAST

• Situations in which DAST is most often used:
  − Source code for the application is not available
    · May be able to identify issues by scanning the binary, but how do you fix them?
  − Limited resources
    · Don't need resources able to understand software code
    · Testing usually focuses on the most common use cases
    · Usually takes less effort
  − Limited attack vectors
    · Code is known to be written with strong review and change control procedures

Page 9: DAST vs SAST

SAST

• Situations in which SAST is most often used:
  − Web application is a product
    · Vulnerable products = loss of brand reputation
    · Identification of a vulnerability by users is too late
  − Source code and expertise are available
    · Best when developers are involved in the review
    · Best when integrated into the SDLC
  − Insider threat
    · Code may not have been developed under strong review and release controls, or may have been acquired in a merger, etc.

Page 10: DAST vs SAST

Conclusions

• Both SAST and DAST testing have important roles
• Generalizations (will always have exceptions):
  − SAST = more definitive identification at the app level / more cost
  − DAST = better identification across the full solution / less cost
• DAST can be used to ensure applications are tested on a regular basis and can be a first line of defense
• SAST testing can be used when additional depth of testing is required

Page 11: DAST vs SAST

Questions

Page 12: DAST vs SAST

Resources

• SAST – list of static analysis tools
  − http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• DAST – list of dynamic testing tools
  − http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List

Page 13: DAST vs SAST

Thank You

Will Bechtel [email protected]

http://www.qualys.com/products/qg_suite/was/