Code is being developed and deployed at an ever-increasing rate, which is great for business when you can turn ideas into reality quickly and scale them out to customers. First to market will always be key, but at what cost?
Preventing issues in code is reasonably well understood these days, but mistakes do happen and vulnerabilities do work their way into production. Compliance as code is now gaining traction: it is the capability to automate the implementation, verification, remediation, monitoring and reporting of compliance status. The feedback loop matters more than ever. The object of this post is not to delve into the compliance as code process but to add to it.
We already understand WAFs, DAST and SAST, but are these enough?
IAST – Interactive Application Security Testing
Automatic runtime security checking in CI/CD sounds good? Basically, it reports vulnerabilities in real time, which helps your CI/CD process stay on track without interruptions and delays. IAST tools run as an agent inside the application while it is being exercised, either by your automated functional integration/acceptance tests or by a DAST scan. The power comes from IAST's ability to trace calls and to identify and record potential vulnerabilities for common attack vectors, with the results fed back automatically to the development team to investigate.
Different from SAST and DAST, IAST works inside the application by instrumenting its runtime. It does not test the whole codebase, only the code that actually executes. IAST can be useful during penetration testing to trace test paths and coverage, digging a little deeper within the code than manual analysis alone.
The IAST benefit is really the speed at which it can churn out results; as previously mentioned, it is real-time analysis. It promotes the use of existing test cases, which again saves time and avoids doubling up on work, and IAST is particularly suited to APIs and microservices. One caveat to all this, though, is coverage: it really is only as good as your test cases, because it passively watches code as it is executed. If your test cases don't hit certain paths then IAST won't be able to analyse them, so it's worth bearing this in mind and checking which routes and handlers your tests actually exercise.
RASP – Runtime Application Security/Self Protection
RASP is automatic runtime security protection in production: it can virtually patch known vulnerabilities and detect and block attacks using information from inside the software. It does this by hooking function calls and inspecting their parameters to catch common attacks in real time. It can run in monitor or blocking mode and can help secure legacy apps. RASP is similar to a WAF in that it offers a compensating control and a defence-in-depth approach, but it sees the actual call and its arguments rather than only the HTTP request.
RASP is integrated as a module or agent in the application's runtime or framework; it carries some runtime overhead and, just like a WAF, can unfortunately dish out false positives, so it is worth running in monitor mode and reviewing what would have been blocked before switching to blocking mode.
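To make concrete what "working inside the application" means, for both IAST (under the IAST heading above) and RASP, here is an added example written for this post; it is not code from any IAST or RASP product. It assumes a constructed application whose App.execute method stands in for the database driver call a real agent would patch, and a dispatch() function standing in for the web framework's request parsing, which is where untrusted values enter. The agent hooks the sink, checks whether a request value reached the query text, and then either records a finding with the code location (IAST mode), logs it (RASP monitor mode) or aborts the call (RASP block mode).

```python
"""Toy in-process agent showing how IAST and RASP hook a sink.
Added example for this post, not any product's code.  Assumed stand-ins:
App.execute for the DB driver method a real agent would patch, and
dispatch() for the web framework's request parsing (the taint source)."""
import sqlite3
import traceback


class BlockedRequest(Exception):
    """Raised by the agent in block mode to abort the offending call."""


class App:
    """Constructed app: a SQL sink plus one vulnerable and one fixed handler."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?, ?)",
                              [("alice", "admin"), ("bob", "user")])

    def execute(self, sql, params=()):  # the sink the agent hooks
        return self.conn.execute(sql, params).fetchall()

    def role_unsafe(self, name):  # vulnerable: value concatenated into the SQL
        return self.execute("SELECT role FROM users WHERE name = '" + name + "'")

    def role_safe(self, name):  # fixed: a bound parameter never enters the SQL text
        return self.execute("SELECT role FROM users WHERE name = ?", (name,))


class Agent:
    """mode: 'iast' (record, never interfere), 'monitor' (log), 'block' (raise)."""

    def __init__(self, mode):
        self.mode = mode
        self.tainted = set()  # untrusted values seen at a source
        self.findings = []    # IAST: (rule, value, function, line)
        self.events = []      # RASP: (mode, value)
        self._orig = App.execute

    def source(self, value):  # a real agent hooks the framework to do this
        self.tainted.add(value)
        return value

    def install(self):
        """Hook the sink: replace App.execute with a wrapper that inspects first."""
        def hooked(app, sql, params=()):
            self._inspect(sql)
            return self._orig(app, sql, params)
        App.execute = hooked

    def uninstall(self):
        App.execute = self._orig

    def _inspect(self, sql):
        # Toy taint check: an untrusted value appearing literally in the query
        # text (not in the bound parameters) was concatenated into it.  Real
        # agents propagate taint through string operations instead.
        hits = [v for v in self.tainted if v in sql]
        if not hits:
            return
        if self.mode == "iast":
            # Skip the agent's own frames so the finding names the app code.
            caller = next(f for f in reversed(traceback.extract_stack())
                          if f.name not in ("_inspect", "hooked"))
            self.findings.append(("sql-injection", hits[0], caller.name, caller.lineno))
            return
        self.events.append((self.mode, hits[0]))
        if self.mode == "block":
            raise BlockedRequest(f"untrusted input reached SQL sink: {hits[0]!r}")


def dispatch(agent, handler, **params):
    """Stands in for the framework: every parameter passes the source hook."""
    return handler(**{k: agent.source(v) for k, v in params.items()})


def run_iast_tests():
    """IAST: run the ordinary functional tests with the agent installed."""
    agent = Agent("iast")
    agent.install()
    try:
        app = App()
        assert dispatch(agent, app.role_unsafe, name="alice") == [("admin",)]
        assert dispatch(agent, app.role_safe, name="bob") == [("user",)]
    finally:
        agent.uninstall()
    return agent.findings  # the tests passed; this is what the agent saw


def run_rasp(mode, payload):
    """RASP: fire an injection payload at the vulnerable handler in production."""
    agent = Agent(mode)
    agent.install()
    try:
        rows = dispatch(agent, App().role_unsafe, name=payload)
        return ("allowed", len(rows), agent.events)
    except BlockedRequest:
        return ("blocked", 0, agent.events)
    finally:
        agent.uninstall()
```

Run under the tests in "iast" mode the agent never changes behaviour: both functional tests still pass, and the single finding points at role_unsafe, while role_safe produces nothing because the bound parameter never enters the query text. A handler the tests never call would produce nothing either, which is the coverage caveat in miniature. Sending the payload `x' OR '1'='1` at role_unsafe with run_rasp("monitor", ...) lets the query through (it returns both users) but logs the event; run_rasp("block", ...) aborts it before the database sees it. The substring check is a deliberately crude stand-in for real taint propagation, and it would misfire on short or common values, which is the false-positive problem that makes monitor mode the right place to start.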
SAST and DAST are now the older technologies, and the question remains whether they are the right tools for modern web apps, especially in the agile DevOps world. SAST solutions are notorious for the number of false positives they produce, and in an Agile environment who has time to trawl through thousands of these?
So IAST focuses on identifying vulnerabilities and performs all its analysis in real time within the app. RASP protects against vulnerabilities, again by working inside the app; it can control application execution and perform continuous security checks on itself. Being able to identify where to use these tools, and the pros and cons associated with each, will certainly help achieve better application security.