Interactive Application Security Testing (IAST) Tools

The security industry started on its security testing automation journey almost a decade ago! First there were Static Analysis Security Testing (SAST) tools and then there were Dynamic Analysis Security Testing (DAST) tools. Neither class of tool lived up to expectations, for various reasons, but primarily due to the large number of false positives in SAST tools and the difficulty of automating DAST tools, which need manual intervention to train the tool and triage the results. Contrast Security was one of the early pioneers in a new space called Interactive Application Security Testing (IAST) to fill this gap! In this post we will discuss IAST tools and what they bring to the table.

Effectiveness of IAST Tools Over SAST/DAST Tools

IAST tools look to combine the best of what SAST tools and DAST tools offer, but without the baggage those tools bring with them. The basic principle of IAST tools is that you configure your application with an IAST agent that can track a request from its “source” to the “sink” and determine whether there is a vulnerability in the path due to a missing sanitizer or encoder.

The agent runs inside the application at runtime and has better context of the execution than a SAST tool, and this allows IAST to provide better results with lower false positives compared to a SAST tool. Unlike DAST tools, IAST tools do not drive the application; they depend upon automated functional test cases or manual testing to drive the application, while the agent runs in the background identifying vulnerabilities in the execution path. However, this is also a drawback of IAST tools: if you do not have sufficient test coverage, either through automated testing or manual testing, the effectiveness of IAST is limited, because the agent can only see the code that is actually executed. The agent does some analysis at startup, but the results you get there are comparable to what a SAST tool provides. So, if you are planning to get an IAST tool, make sure that you have sufficient test coverage for your application, either through automated or manual functional testing.
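To make the source/sink/sanitizer idea concrete, here is a small taint tracker written for this post as an added example; it is not the post's own code and not any vendor's agent, and the names `Tainted`, `Agent`, `render_greeting`, `find_user` and `never_called` are invented for the illustration. It shows three things the paragraphs above describe: an encoder applied in the right context suppresses the finding, an encoder applied in the wrong context does not, and a sink the tests never reach produces no finding at all.

```python
"""Toy source-to-sink taint tracking, the mechanism an IAST agent relies on.

Added example, not code from the original post or from any vendor's agent.
All names in here (Tainted, Agent, render_greeting, find_user, never_called)
are invented for this illustration.
"""
import html
from dataclasses import dataclass


class Tainted(str):
    """A str that remembers where it came from and which rules it is safe for.

    Concatenation with literals keeps the taint; concatenating two tainted
    values keeps only the sanitizations both sides share.
    """

    def __new__(cls, value, origin, sanitized=frozenset()):
        obj = super().__new__(cls, value)
        obj.origin = origin
        obj.sanitized = frozenset(sanitized)
        return obj

    def _merge(self, other):
        if isinstance(other, Tainted):
            return self.sanitized & other.sanitized
        return self.sanitized  # a plain literal is safe in every context

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.origin, self._merge(other))

    def __radd__(self, other):
        # Python tries this first for `literal + tainted` because Tainted subclasses str
        return Tainted(str.__add__(other, self), self.origin, self._merge(other))


@dataclass(frozen=True)
class Finding:
    sink: str
    rule: str
    origin: str


class Agent:
    """Stand-in for the instrumentation: marks sources, wraps encoders, checks sinks."""

    def __init__(self):
        self.findings = []

    def source(self, value, origin):
        return Tainted(value, origin)

    def sanitizer(self, rule, encoder):
        """Wrap a real encoder so its output counts as safe for `rule` only."""
        def wrapped(value):
            out = encoder(str(value))
            if isinstance(value, Tainted):
                return Tainted(out, value.origin, value.sanitized | {rule})
            return out
        return wrapped

    def sink(self, name, rule, value):
        """Report only when tainted data reaches the sink without the matching sanitizer."""
        if isinstance(value, Tainted) and rule not in value.sanitized:
            self.findings.append(Finding(name, rule, value.origin))
        return value


agent = Agent()
escape_html = agent.sanitizer("xss", html.escape)


def render_greeting(name):
    # HTML-encoded before the response sink: no XSS finding
    return agent.sink("response.write", "xss", "<h1>Hello " + escape_html(name) + "</h1>")


def find_user(name):
    # Encoder for the wrong context: HTML escaping does nothing for SQL, so the
    # agent still flags the query (the fix is a parameterised query, not an encoder)
    query = "SELECT * FROM users WHERE name = '" + escape_html(name) + "'"
    return agent.sink("db.execute", "sql-injection", query)


def never_called(name):
    # Never exercised by the "tests" below, so it yields no finding: the
    # coverage limitation discussed above
    return agent.sink("os.system", "command-injection", "ping " + name)


def run_request(name_param):
    """Simulate one functional test request and return what the agent found."""
    agent.findings.clear()
    name = agent.source(name_param, "query-param:name")
    render_greeting(name)
    find_user(name)
    return [(f.sink, f.rule) for f in agent.findings]


if __name__ == "__main__":
    print(run_request("alice"))  # [('db.execute', 'sql-injection')]
```

A real agent hooks string operations, framework request objects and library sinks instead of asking the application to call `source` and `sink`, but the decision it makes at the sink is the same one `Agent.sink` makes here: tainted data plus the wrong (or no) sanitizer for that rule.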

Does IAST eliminate manual pen testing?

This is a frequently asked question from senior management when you recommend a big investment in any security tool, including IAST. Although IAST offers significant improvements over traditional SAST or DAST tools, the tooling is not there yet to completely eliminate manual pen testing. Yes, the tools are now much better at identifying certain categories of application security vulnerabilities such as XSS vulns, injection vulns, Open Source Software vulns, etc., but they are not able to identify vulnerabilities in business logic, back doors in the code, privilege escalation type attacks, etc. The way to look at the tools is that they help you catch the low-hanging fruit so that you can free up pen testers to focus on more complex attacks on your applications! You need to augment security testing tools with robust code reviews and focused pen testing to fortify your application security!

Commercial IAST Tools

  1. Contrast Security is the leader in this space! Contrast has been on this journey longer than the others and has improved its capabilities and language/framework coverage over the years. Contrast Security seems to check off most of the capabilities you look for in a security testing tool! Contrast does a good job of identifying vulns in the Open Source Software (OSS) you use in your application. In addition to identifying OSS vulns, the tool will tell you whether you actually use that component in your application. About 80% of the Open Source Software you include in your application is dead weight and is never used! So, having a tool that helps you identify whether you are using a vulnerable OSS component is a big win for prioritizing fixes for your OSS components!
  2. Seeker from Synopsys is another IAST tool for you to consider! Seeker differentiates itself in this space by not only identifying a vulnerability but also actively trying to exploit it, thus eliminating the false positives reported by the tool. The advantage with Seeker is that it is part of Synopsys, which offers a broad range of security testing tools: Coverity for SAST, Black Duck for OSS scanning, Seeker for IAST. As Synopsys integrates these products and matures the platform, you will have a single pane of glass for vulnerabilities reported across SAST, DAST, OSS, and IAST tools. Isn’t that an appealing proposition?
  3. Veracode and Checkmarx are in the early stages of building out IAST capabilities on their platforms. Watch out for updates from these vendors. The competition will only make the products better and will be a win-win for the consumers!

Trust, but verify your IAST Tools!

IAST is a runtime tool, so you must verify that the agent is compatible with the languages, frameworks and libraries that you use, including the specific versions that you use. Unlike a SAST tool, where you may get partial coverage depending on how much code you throw at it, an IAST tool may be “all” or “nothing”: if the agent cannot recognise the “sources” and “sinks” in the versions of the languages/frameworks that you use, it reports nothing at all. So, it is imperative to evaluate the tool within your environment!

In Conclusion

If you budget for only one testing tool, I would strongly encourage you to consider IAST! But also be aware of the pitfalls of IAST:

  • Verify the tools in your environment for the languages/frameworks and the versions you use
  • Make sure you have effective test coverage in your organization via automated or manual pen testing. IAST is only as good as the test coverage!


Open Source Software (OSS) – Do you know what you are vulnerable to?

Do you know what percent of software that runs in your application is Open Source libraries?

Do you know if your application is vulnerable because you are using a version of OSS library that is old and has known vulnerabilities?

Are you still writing custom software for your plumbing code instead of using OSS libraries?

If you answered “yes” to any of these questions, you have some work to do, my friend!

If you answered “yes” to the last question, you must be either working for Microsoft or wasting your organization’s resources on something that you could get for free, and probably better software than what you could write yourself.

In any case, a large number of organizations: (a) use OSS libraries in their custom software development; (b) have OSS libraries in their environment from the commercial products they use.

You can take the time to query the CVE database for the OSS libraries that are in your environment. This is obviously tedious with thousands of libraries, and the various versions of each, that you need to keep track of.

There are commercial vendors out there who offer products that solve this problem for a fee. Some of the well-known vendors in this space are:

  1. Nexus Lifecycle from Sonatype
  2. Blackduck

OWASP has a free option, the “OWASP Dependency Track Project”.

Although the free option has limited capabilities, it is a pretty good start if you are constrained by resources. However, the commercial products provide extensive coverage of the OSS components you use in your organization across licence management, vulnerabilities and architecture.

The capabilities provided by the commercial tools, which make the case for your dollars, are listed below:

  1. Scan for OSS components with known vulnerabilities during development or in the build pipeline, with IDE plugins and CI/CD integration plugins
  2. Set policies to fail builds in CI/CD if OSS components fail compliance against enterprise policies
  3. The products provide coverage for Licence compliance, Vulnerability checks, and compliance with Architecture policies
  4. The products allow automation of your OSS procurement process by blocking the download of OSS components that have known vulnerabilities or fail compliance against the set policies
  5. Dashboard of your OSS vulnerability posture
  6. Integration with Bug tracking tools for resolution
  7. Real-time updates if your apps are using OSS components that have zero-day vulnerabilities
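The manual CVE lookup described above, and the CI/CD policy gate in items 1, 2 and 4 of the list, as an added example (not Sonatype, Black Duck or OWASP Dependency-Track code): a pinned manifest is matched against an advisory feed by version range, and a policy decides whether the build fails. Everything in it is constructed for the illustration: the `acme-*` package names, the `TOY-000x` advisory ids, the manifest, and the policy thresholds.

```python
"""Toy software-composition check: match a pinned dependency manifest against
an advisory feed and gate the build on policy.

Added example, not code from Sonatype, Black Duck or OWASP Dependency-Track.
The manifest, the package names (acme-*), the advisory ids (TOY-000x) and
the policy are all constructed for this illustration.
"""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    fixed_in: str          # first version that contains the fix
    cvss: float
    introduced: str = "0"  # first affected version


# constructed advisory feed (a real one would come from NVD/OSV or the vendor)
FEED = [
    Advisory("TOY-0001", "acme-http", fixed_in="2.20.0", cvss=7.5),
    Advisory("TOY-0002", "acme-json", fixed_in="4.17.12", cvss=9.8),
    Advisory("TOY-0003", "acme-web", fixed_in="3.1.0", cvss=5.3, introduced="3.0.0"),
    Advisory("TOY-0004", "acme-log", fixed_in="1.2.0", cvss=8.1, introduced="1.0.0"),
]

# constructed requirements.txt-style manifest
MANIFEST = """\
acme-http==2.19.1
acme-json==4.17.10   # pinned just below the fixed version
acme-web==3.0.5
acme-log==1.2.0      # exactly the fixed version: not affected
"""

# constructed enterprise policy: block on CVSS >= 7.0 unless the finding is waived
POLICY = {"fail_at_cvss": 7.0, "waived": {"TOY-0001"}}


def parse_version(s):
    """'4.17.10' -> (4, 17, 10); short versions are padded so '1.2' == '1.2.0'.
    Pre-release suffixes are out of scope for this toy."""
    nums = [int(p) for p in s.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def parse_manifest(text):
    """Return [(name, version)]; refuse unpinned lines, which cannot be matched."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency {line!r}: pin it to a version")
        deps.append((name.strip().lower(), version.strip()))
    return deps


def scan(manifest_text, feed):
    """Every (name, version, advisory) triple where the pinned version is affected."""
    return [(name, ver, adv)
            for name, ver in parse_manifest(manifest_text)
            for adv in feed
            if adv.package.lower() == name and is_affected(ver, adv)]


def evaluate(matches, policy):
    """Apply the policy: waived ids are recorded, high-CVSS ones fail the build."""
    verdict = {"status": "PASS", "blocking": [], "waived": [], "noted": []}
    for name, ver, adv in matches:
        if adv.id in policy["waived"]:
            verdict["waived"].append(adv.id)
        elif adv.cvss >= policy["fail_at_cvss"]:
            verdict["blocking"].append(
                f"{name}=={ver}: {adv.id} cvss={adv.cvss} fixed_in={adv.fixed_in}")
        else:
            verdict["noted"].append(adv.id)
    if verdict["blocking"]:
        verdict["status"] = "FAIL"
    return verdict


if __name__ == "__main__":
    result = evaluate(scan(MANIFEST, FEED), POLICY)
    print(result)
    sys.exit(1 if result["status"] == "FAIL" else 0)  # non-zero exit fails the CI stage
```

Run as a script, the exit status is the gate. Note the boundary case in the constructed data: `acme-log==1.2.0` is exactly the fixed version and is correctly not flagged, while the version comparison itself is deliberately naive (no pre-release tags, no ecosystem-specific ordering), which is precisely the kind of detail you are paying a commercial product to get right across many package ecosystems.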

If your organization is already using Sonatype products such as SonarQube, Nexus Pro, etc., the OSS scanning products from Sonatype, Nexus Lifecycle and Nexus Firewall, integrate efficiently into that ecosystem. Developers get a better user experience with a consistent tool set, and that is more than half the battle in getting developers to consume findings from security products.

Please share if your organization is using any of these products or others to keep a health check on the OSS libraries that you have exposure to in your organization.