There are 5 main AppSec methodologies in use today.
Penetration (Pen) Testing – Penetration testing is a “hands on” methodology that combines manual and automated approaches. As its name suggests, this technique involves software security experts trying to exploit the application code with dedicated hacking tools. The results are eventually sent to the organization’s security team, which then passes them on to the developers for remediation.
Manual Code Review – As the name suggests, manual code review involves the intervention of security experts in the AppSec process. These experts use their experience and dedicated tools to conduct a thorough analysis of the application code. While arguably the slowest of the lot, this testing does help in checking the architecture, the I/O paths, the validation of authorization logic and other privacy issues that can creep in.
Manual code reviewing has evolved over the years, with many organizations adopting a “peer review” policy, which helps developers get involved directly in the security process. With this system in place, developers examine and scrutinize their colleagues’ work, creating an on-the-go remediation environment within the organization. This helps fix vulnerabilities early, saving the organization’s resources and reducing post-release maintenance costs.
Web Application Firewall (WAF) – WAFs are security barriers placed in front of the web application for real-time inspection of user requests. They monitor website traffic with the option of blocking it when malicious activity is detected, as configured by the organization. When properly configured, WAFs are capable of detecting code injections (SQL/LDAP injection, XSS, etc.) and other vulnerabilities. WAFs reside on the communication layer and are intended to detect server-side vulnerabilities and block them as they appear. However, a WAF cannot remediate a detected vulnerability; it can only block individual exploit attempts against it.
Dynamic Application Security Testing (DAST) – Commonly referred to as black box testing, this popular security approach involves sending requests to the running application and analyzing the responses it returns. Based on that feedback, the DAST solution notifies the user about the vulnerabilities detected. DAST solutions don’t require the source code to work, but they do need a deployable build to exist before testing can begin.
DAST solutions are not able to pinpoint the vulnerable lines of code (LOC) or vulnerable junctions, which adds complexity to the remediation process. Finding the vulnerable LOCs can become a challenging task for organizations and may call for the intervention of dedicated security staff. With the adoption of Agile development, organizations cannot afford the delays caused when vulnerabilities are detected too late in the software development life cycle.
Static Application Security Testing (SAST) – SAST allows early code vulnerability detection and mitigation by becoming a fully integrated and seamless part of the development life cycle. SAST solutions address the application’s security at its core by analyzing the code, its data flows and the coding mistakes that may expose the application to risk. Modern SAST solutions can be effectively implemented in Agile, DevOps and CI/CD setups. Static analysis allows organizations to handle security vulnerabilities the same way they address functionality bugs within the development process.
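As an added illustration of the data-flow analysis the SAST paragraph describes (example code written for this page, not taken from it or from any SAST product): a minimal taint tracker built on Python’s ast module follows untrusted input from an assumed source (request.args.get) through assignments to an assumed sink (cursor.execute) and reports the exact line where the flow lands, which is the pinpointing the DAST paragraph above says a black-box scan cannot provide. The sample program it analyzes is constructed.

```python
import ast

# Constructed sample to analyze: untrusted input is read on line 3, concatenated into
# a SQL string on line 4 and reaches the sink on line 5; line 6 binds it as a parameter.
SAMPLE = '''
def lookup(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))
'''

SOURCES = {"request.args.get"}  # assumed entry points for untrusted input
SINKS = {"cursor.execute"}      # assumed sinks whose query text must be trusted

def dotted_name(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in SOURCES:
            return True
    return False

def find_taint_flows(source_code):
    """Return [(line, sink)] for sink calls whose query argument is tainted."""
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()  # variables holding untrusted data, tracked per function
        for stmt in func.body:  # top-level statements only; nested blocks are not followed
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call, name = stmt.value, dotted_name(stmt.value.func)
                # Only the first argument (query text) is checked: bound parameters are safe.
                if name in SINKS and call.args and is_tainted(call.args[0], tainted):
                    findings.append((stmt.lineno, name))
    return findings
```

Calling find_taint_flows(SAMPLE) reports only the concatenated query on line 5; the parameterized call on line 6 is not flagged because the tainted value never enters the query text.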