When SAST, DAST, IAST etc. are Just Not Enough
Once developers find tools that work for them, it is hard to make a change. SAST and other established application security tools are solid tools that work. In the last couple of years, however, the threat landscape has evolved and new classes of vulnerability have emerged. SAST, DAST, and other application security tools may be effective within their own realm, but in the context of how software is developed today they do not provide sufficient visibility into hard-coded secrets and other code security risks.
These vulnerabilities in code are contributing to code becoming the largest cyberattack surface. Software supply chains are no longer monolithic entities; they are made up of several disparate software components from multiple sources.
Recent large and highly visible security breaches have been attributed to software supply chain vulnerabilities.
With the constant need to accelerate the pace of software deployment, security for applications has become more complex as the use of open source software and code from third-party repositories becomes more prevalent. With this trend growing, developers are now taking a more defined role in the deployment of application security.
The Ground Underneath is Shifting – Security Needs to Shift Left
Development and security teams have attempted to respond by embracing both static and dynamic testing tools to address code security. However, there are several areas where these tools fall short of providing complete and effective protection.
Several trends are driving the need for more effective code security:
- Increased open source adoption
- Code can reside in multiple Git and other repositories with no visibility into the chain of custody
- Prior versions of the code sitting in repositories can be exploited even though the deployed version has been secured.
- Late resolution of vulnerabilities negatively impacts automated CI/CD and high velocity pipelines
- Attackers are becoming more adept at exploiting secrets in code to launch full-blown and crippling cyberattacks.
Current-generation application security tools are not effective at identifying and remediating most, if not all, of these issues. What follows is a description of those tools and why developers need to augment their code testing practices with new security solutions that have emerged to address the gaps not covered by traditional application security tools.
Understanding Static and Dynamic Test Tools – Where They Fall Short
Static and dynamic code testing are used to seek out potential areas of weakness in code that translate into security vulnerabilities. This matters because, as other threat vectors are mitigated, attackers are turning to code as one of the most prevalent threat vectors. There are core differences in how these two forms of security testing work and the conditions in which they are deployed.
Static Application Security Testing (SAST) is a security tool that scans an application's code early in the DevOps process. This could include source code, executables or other similar forms. SAST identifies security vulnerabilities in the code and is widely used by developers. SAST does not require the application to be running; it analyzes the source code or binaries without executing the application.
The individual testing the code usually has access to the underlying code infrastructure and design, which is why it is also known as the inside-out approach.
SAST reduces security risks in applications by providing immediate feedback to developers on issues introduced into code during development. It helps educate developers about security while they work, providing them with real-time access to recommendations and line-of-code navigation, which allows for faster vulnerability discovery and collaborative auditing. This enables developers to create code that is less vulnerable to compromise, which leads to a more secure application.
In keeping with Shift-Left principles, SAST can surface security issues earlier in the development lifecycle, which makes them easier to remediate.
Drawbacks: SAST cannot uncover run-time security vulnerabilities. This limitation means it is effective for only part of the job.
Dynamic Application Security Testing (DAST) is the process of exercising an application from the outside to check for security vulnerabilities. This is done by scanning the application in its running environment. While DAST does not rely on source code or executables, it does require a running application to analyze. One key advantage is that DAST can find run-time vulnerabilities; however, it is usually limited to externally facing applications such as web applications and other web services.
Drawbacks: One of the biggest drawbacks of DAST is that it finds vulnerabilities later in the software development life cycle, when they are more costly and time consuming to fix. DAST has no visibility into code. This means that without SAST, it is difficult for developers to pinpoint where the problems are occurring.
Interactive Application Security Testing (IAST) came about from the need to link security solutions together across the stages of CI/CD or release orchestration. It seemed like the perfect complement. The approach is to instrument the runtime environment with an IAST testing agent that observes attacks and their impact on operations in order to identify vulnerabilities.
Drawbacks: One of the biggest drawbacks of IAST is that it tests functionality only at certain checkpoints. These testing triggers are defined by QA or development engineers. This makes it significantly faster; however, it does not provide the code coverage that SAST does.
Dev and Security Teams Need More, But Not Everything Needs to be Replaced
Developers today recognize the impact of security breaches to the organization. They are doing their part to ensure that the code developed and deployed not only delivers value to the organization, but also remains secure and protected.
Security-conscious developers in leading organizations have been working hand in hand with Security to close key gaps that exist even after application security tools have been deployed. Current shift-left thinking encourages security to be addressed early in the development cycle. It is generally accepted that security issues uncovered in the deployment phase, or even worse, post-deployment, can be very expensive for the organization.
BluBracket is a Great Complement to SAST and other Tools
BluBracket is the most comprehensive code security solution that enables developers to effectively identify and remediate risks within their software development environment across code repositories, infrastructure as code and cloud environments. With BluBracket, organizations can shift left by enabling developers to address security at the very start of the development lifecycle.
While some SAST tools also try to identify secrets in code, BluBracket delivers a solution that is more comprehensive and effective at detecting a whole series of risks, not just secrets in code.
BluBracket Capabilities Beyond SAST Tools

| Capability | Description |
| --- | --- |
| Scan Code Inside and Out | BluBracket scans code within and outside the enterprise to highlight code risks. |
| Continuous Monitoring | Unlike point-in-time testing, BluBracket continuously monitors code to make sure code risks are addressed prior to merge. |
| CI/CD coverage across entire pipeline | Continuous monitoring across CI/CD pipelines, including monitoring of vulnerabilities for each commit in action. Support for various CI/CD platforms including Azure, GitHub Actions, Jenkins, etc. |
| Detect Risks Pre-Commit | BluBracket helps prevent the introduction of new code risks, with protection extending even to the developer's workstation. |
| Quality of the Results | SAST tools have a high false positive rate. BluBracket's risk-led prioritization allows developers to focus on mitigating key issues first. |
| Prioritization of vulnerabilities | The BluBracket risk score helps developers and security prioritize risks across different repos and code in the organization. |
| Integrate with Multiple Git Servers | Manage security across all the Git vendors (GitHub, GitLab, BitBucket, etc.) from one place, with support for multiple orgs and projects, both on premise and in the cloud. |
| Full history scan | BluBracket delivers real-time monitoring of new commits as well as risks in the entire commit history. |
| Integrate with the rest of your organization | BluBracket alerts can be routed to ServiceNow, PagerDuty, Jira, Splunk, Slack, MS Teams and many more applications. |
| BluBracket is Enterprise Ready | BluBracket supports all major Git providers and large development teams, repos and commits. Brings developer and security teams together. |
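The pre-commit and full-history capabilities in the table above, and the "prior versions of the code" risk listed earlier, can be illustrated with a small secrets scanner. This is an added example, not BluBracket's code; the rule set, entropy threshold and the sample repository history are all constructed here for illustration.

```python
import math
import re

# Patterns for the secret types the page names: API keys, private keys, passwords.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_literal": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a tuning choice, not a standard value

def shannon_entropy(s: str) -> float:
    """Entropy per character; random-looking tokens score higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_file(path, content):
    """Return (path, rule, evidence) tuples for every suspicious line in one file."""
    findings = []
    for line in content.splitlines():
        hits = [rule for rule, pat in PATTERNS.items() if pat.search(line)]
        findings += [(path, rule, line.strip()) for rule in hits]
        if not hits:  # fall back to an entropy check for unrecognised token formats
            findings += [(path, "high_entropy_string", t) for t in TOKEN.findall(line)
                         if shannon_entropy(t) >= ENTROPY_THRESHOLD]
    return findings

def scan_snapshot(files):
    """Point-in-time scan of a working tree or of the files staged for commit."""
    return [f for path, content in files.items() for f in scan_file(path, content)]

def scan_history(history):
    """Full-history scan: every commit's snapshot, not just the current one."""
    return [(cid, f) for cid, files in history for f in scan_snapshot(files)]

def pre_commit_gate(staged):
    """Return True when the staged files are clean enough to commit."""
    return not scan_snapshot(staged)

# Constructed sample history: c1 hard-codes a key (AWS's documented example ID),
# c2 "fixes" it by reading the environment, so HEAD is clean but c1 is not.
SAMPLE_HISTORY = [
    ("c1", {"settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"}),
    ("c2", {"settings.py": "import os\nAWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"}),
]
# Constructed staged change that a pre-commit hook should reject.
STAGED = {"config.yml": 'db_password: "hunter2"\napi_token: "9f3aB7kQz2Xm8Lp1Rt5Vw6Yc4Dn0Hs"\n',
          "deploy.key": "-----BEGIN RSA PRIVATE KEY-----\n(body omitted)\n"}
```

Scanning only the current snapshot of `SAMPLE_HISTORY` reports nothing, while `scan_history` still surfaces the key in `c1`, which is exactly why a secret that was ever committed must be rotated rather than merely deleted.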
BluBracket’s Seven Tenets for Effective Code Security
BluBracket provides the most effective code security solution to secure developer environments. Developers can identify and mitigate key risks in code throughout the entire CI/CD pipeline while maintaining speed and agility.
BluBracket’s coverage of risk includes:
Secrets in Code: secrets in code are artifacts that an app uses to connect to an external service, account, or application. Secrets used by developers include API keys, encryption keys, OAuth tokens, certificates, and passwords. For secrets in code, BluBracket alerts developers to risks directly within the development workflow and provides a means to eliminate the risk, while ensuring developers and AppSec engineers alike are not overwhelmed by false positives.
Personally Identifiable Information (PII): organizations have various policies governing the use, storage, and disposition of PII. Examples of PII include social security numbers, credit card numbers and dates of birth. In certain industries there are strong regulatory mandates with large penalties for failure to protect this data. BluBracket detects such data before it enters the codebase.
Infrastructure as Code (IaC): IaC manages and provisions compute infrastructure and cloud services through (software) configuration files. Misconfigurations in IaC scripts can lead to serious disruptions and expose attack surfaces. BluBracket can identify misconfigurations in IaC prior to deployment.
Access and Identity: as code is cloned and proliferated via Git repositories, it becomes difficult to differentiate between the owners of the code, the collaborators, and intruders. BluBracket allows developers and AppSec teams to discover and enforce a chain of custody at all times.
Code Leaks: developers sometimes unknowingly place company IP at risk when they share code sections or commits on public Git repositories. BluBracket regularly scans public repositories for code fingerprints that may have leaked beyond the organization's own repositories.
Compliance with Git Configuration Rules: Git misconfigurations can result from insecure default configurations, incomplete or unpatched applications, etc. BluBracket looks across all Git servers, whether cloud or on-premise, to detect loosely configured or misconfigured options that could expose attack surfaces.
Identifying Non-Inclusive Language: in keeping with current times and developers' desire to meet social norms by removing insensitive racial or gender bias from the words and references used in code, BluBracket scans to identify such terms and delivers options to remediate them directly within the development workflow.