One thing that many organizations are lacking in the modern world is true application security. It would seem that most IT Security departments, including the one that I work in, focus heavily on networking and hardware security but neglect application security. This is a pretty big deal. I have read many different statistics arguing the importance of application security, mainly that a majority of attacks today occur at the application level. Every study cites a different percentage, but all of them are above 50% and illustrate the point well.
According to Gartner, approximately 60% of organizations used some sort of DAST solution in 2012, and they expect the number to rise to 80% by 2017.
So just what is DAST? DAST, or dynamic application security testing, is essentially a tool set for finding and remediating vulnerabilities in a web-based application. You open up a DAST tool and feed it the URL of a website or a web service, which includes web-based applications. The tool will first crawl the site, much like a search engine, and index the entire site. Then it will use this information to build out a site map and learn how to move around the site, sometimes in ways the developer didn’t intend. After figuring out ways to traverse the site, the tool will spend the bulk of its time performing attacks against the site. This includes all of the major attack types: SQL injection, cross-site request forgery, cross-site scripting, etc., and practically any other vulnerability you can think of.
As someone who spent a long time as a developer before moving to IT Security, I can safely say that practically every developer I know does not code with security in mind. Devs generally use some sort of mandatory framework that is provided to them by their application architect, and that is the extent of the security model. I would even go as far as to say that most devs I have met don’t even understand what an XSS (cross-site scripting) vulnerability is, or how to create or remediate one.
Along with scanning and testing, most of the major players in the market also offer several other toolsets. Most of these products will show you the vulnerability, where it is, how it produced the issue, and the altered HTML that resulted from the attack. You can then click through to learn more about the type of attack, so you essentially have a little app security wiki built right into the tool that the devs and security team can use to learn more about the attack. Other common tools include encoders/decoders, SQL injection tools, reporting, etc.
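To make the reflected-XSS case concrete, here is an added example (my own, not code from any of the products above): a page handler that echoes a query parameter straight into HTML, the same handler with output encoding at the HTML sink, and the kind of harmless marker-reflection check a DAST scanner performs to tell them apart. The handler names and the probe string are made up for the example; there is no web framework involved, so it runs offline.

```python
import html
from urllib.parse import parse_qs, urlencode

# A DAST tool normally injects a harmless marker rather than a live payload,
# then looks for the marker coming back unencoded. Constructed marker:
PROBE = '<dastprobe id="1">'


def search_page_vulnerable(query_string: str) -> str:
    """Echoes the 'q' parameter verbatim into the page: reflected XSS."""
    params = parse_qs(query_string)
    q = params.get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def search_page_fixed(query_string: str) -> str:
    """Same page, remediated by HTML-encoding the value at the output sink.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    params = parse_qs(query_string)
    q = params.get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def reflects_unencoded(handler, param: str = "q") -> bool:
    """Minimal DAST-style check: send the probe as the parameter and report
    whether the response contains it verbatim (the markup survived intact)."""
    response = handler(urlencode({param: PROBE}))
    return PROBE in response


if __name__ == "__main__":
    for name, handler in (("vulnerable", search_page_vulnerable),
                          ("fixed", search_page_fixed)):
        print(f"{name}: reflects probe unencoded = {reflects_unencoded(handler)}")
```

The fixed handler still displays the user's text; it simply no longer lets that text become markup, which is the whole remediation.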
Currently, there seem to be three major players in the market: HP Fortify, IBM AppScan, and Veracode. Veracode has the advantage/disadvantage of being cloud based, and you also have to wait for your results, but it’s also much cheaper. Currently, I am evaluating both HP and IBM. I will try to post an analysis after I have selected a product.
So, we know the problem, as do most organizations, so why are only 60% of companies acting on this knowledge? The problem is really two-fold: programmers do not understand security, and security analysts do not understand programming. Traditionally, security analysts come from a networking background, not a programming background, so there is a huge gap in knowledge. Really, an organization has to evolve to the point where it understands this importance and trains one of the two groups in the opposite skill set. In my case, our organization realized this importance and hired a developer in IT Security.
That’s enough for now. That should give you a basic understanding of what DAST is and how it is used in organizations. If you would like to know more, feel free to drop a comment and I’ll do my best to answer. Sometime in the next couple of days, I’ll put up a post on SAST, which is a complementary technology.