Code scanning is an integral part of application security. Since BluBracket is considered to be the industry’s first comprehensive code security solution, there can be confusion over how code security relates to code scanning. Is it the same thing? Does BluBracket replace common SAST or DAST tools?
The answer is no. Code scanning tools are a necessary part of application security, but on their own don’t give security and devops teams the complete insight, control and protection of their source code, which includes developer and endpoint machine activity.
Collaborative coding with Git and open source, Infrastructure as Code and cloud-native development have all contributed to the need for comprehensive security for code. Not to mention the importance of code as intellectual property has risen greatly for most companies as software continues to “eat the world.”
And the threats continue to rise. According to Verizon’s 2020 Data Breach Investigation Report, 43% of attacks were on web applications, more than double the results from last year. The time for comprehensive code security is now, while robust code scanning tools are still an important piece of the toolbelt.
Code scanning 101
As OWASP defines it “Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.” These tools build dependency trees, comparing them to known vulnerabilities.
SAST tools, oftentimes called white box testing, are used by developers on their uncompiled code to find potential vulnerabilities. SAST is an “inside-out” approach to security given it scans the code itself, and not a running application.
DAST tools are used later in the development process and are more akin to penetration testing. They run against compiled applications to see which vulnerabilities are actually exploitable. It’s an “outside in” approach.
Companies with robust application security requirements generally run both DAST and SAST tools. But increasingly, they are turning toward a complete code security environment to protect their code and data.
A new threat surface.
Code scanning tools don’t address many of the most common, and growing, code security issues today, including:
- Secrets, tokens and passwords inadvertently left in code by developers.
- Configuration errors in Git or cloud deployments that lead to unauthorized access.
- Code proliferation to unknown machines with little to no access controls or tracking of where the code is cloned.
- Webhooks and unauthorized application access that can provide a way-in for hackers.
- Accidental leakage of code from enterprise private repositories that can be used for ransomware or by competitors.
- Intentional theft of source code that can be used for ransomware or sold to competitors.
A complete code security program goes beyond application security basics like code scanning to include new threat surfaces, such as those in Git-based source code management systems. It should address developer behavior on both the server and endpoints, which includes their own personal machines they may have cloned code to. A comprehensive security suite should also address security concerns while not hindering developer velocity. If the tool isn’t built with the developer in mind and is too cumbersome, it won’t get used. Also be sure the tool fits into your CI/CD workflow so it’s directly integrated into the development workflow and not an afterthought.
If you’re interested in learning more about the Top Risks from Code, you can download our whitepaper.
OWASP is also a great resource to participate in and learn from. Their top ten list is required reading. And for companies looking to strengthen their company’s software security, the Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
Code has grown more complex, collaborative and important to virtually every organization doing business today. Companies are increasingly realizing that a comprehensive code security solution is a fundamental step in their application security journey. Let us know if we can help.