HYBRID ANALYSIS OF WEB APPLICATIONS UNCOVERS A GREATER ATTACK SURFACE
THE USE OF SOPHISTICATED, DYNAMIC WEB APPLICATIONS IN CONJUNCTION WITH CORPORATE WEBSITES HAS INCREASED EXPONENTIALLY OVER THE LAST DECADE.
As corporations rely on information technology more and more, cyber-attackers have targeted such IT infrastructures increasingly over the years, resulting in a rising frequency of data breaches.
In 2014 alone, 43 percent of businesses surveyed by the Ponemon Institute reported that they had experienced a data breach, a statistic that represents a 10 percent increase from the previous year.
Financially, this results in millions of dollars of lost revenue, so businesses are seeing the need for comprehensive security assessments and audits in order to protect themselves - and their customers - from costly attacks on their web application data and infrastructure. A wide variety of security assessments, tools, and techniques can be used to provide an in-depth overview of your web application's security posture.
Security assessments include dynamic penetration testing (black-box), static source code review (white-box), and a combination of both known as hybrid analysis. A hybrid application penetration test can be used by your company to determine the entire attack surface of your web applications, so that you can adequately maintain complete information security.
THE INHERENT LIMITATIONS OF SAST AND DAST ARE COUNTERED BY USING BOTH
WE COMBINE DYNAMIC APPLICATION SECURITY TESTING (DAST) AND STATIC APPLICATION SECURITY TESTING (SAST) FOR GREATER COVERAGE
The attack surface of a web application is the set of every entry point an attacker can use to potentially gain access, whether internal, external, or an interface outside the application itself. Cyber-criminals use these entry points as attack vectors to exploit weaknesses in the web application.
Combined, these internal and external entry points represent the total attack surface. Dynamic Application Security Testing (DAST) is a set of security techniques and tools for analyzing the security posture of a web application at run-time, testing the running application for security vulnerabilities. This technique looks at the web application externally, without knowledge of the source code.
This type of test is best used after the source code has been written and the implementation needs to be tested for vulnerabilities. In addition, a specialised dynamic testing method known as dynamic taint analysis specifically identifies input validation vulnerabilities in running applications.
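To make the dynamic taint analysis mentioned above concrete, the following added example (not code from the original page or from any product) wraps untrusted request data so that it stays marked through string operations, and an instrumented SQL sink reports when such data arrives without having passed through validation. The handler names, the `Tainted` wrapper and the `probe` helper are all constructed for this illustration.

```python
# Dynamic taint tracking in miniature (constructed illustration): untrusted
# request data is wrapped so it stays marked through string operations, and an
# instrumented SQL sink reports when such data arrives without validation.

class Tainted(str):
    """A str that remembers it originated from untrusted input."""
    def __new__(cls, value, source="request"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    # Taint propagates through the operations a handler typically applies.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)
    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count), self.source)

def is_tainted(value):
    return isinstance(value, Tainted)

def validate_int(value):
    """Validation clears taint: only a well-formed integer comes out, as a plain str."""
    return str(int(value))

class TaintViolation(Exception):
    pass

def sql_sink(query):
    """Instrumented sink: refuse any query that still carries taint."""
    if is_tainted(query):
        raise TaintViolation(f"data from '{query.source}' reached SQL sink: {query!r}")
    return query

def lookup_user(user_id):
    # Vulnerable handler: request data concatenated straight into the query.
    return sql_sink("SELECT * FROM users WHERE id = " + user_id)

def lookup_user_validated(user_id):
    # Fixed handler: the validated value is an untainted plain str.
    return sql_sink("SELECT * FROM users WHERE id = " + validate_int(user_id))

def probe(handler, value, source="GET id"):
    """Run one request through a handler; report whether taint reached the sink.
    No special payload is needed: the flaw is visible for an ordinary value."""
    try:
        handler(Tainted(value, source))
        return "clean"
    except TaintViolation as exc:
        return f"finding: {exc}"
```

Because the sink checks provenance rather than content, the vulnerable handler is flagged on a perfectly ordinary request value, which is what lets a run-time tool report the input validation flaw rather than guess at it.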
Static Application Security Testing (SAST) inspects the application source code line by line for weak coding practices that could introduce serious security holes a cyber-attacker could take advantage of. Such weaknesses include backdoors, the use of weak encryption ciphers, code that could allow buffer overflows, and so on. SAST is best used by software engineers during the development life cycle in order to quickly identify weaknesses in the source code before the web application is put into production.
The use of both security assessment systems results in a comprehensive, thorough security assessment that produces an in-depth overview of the security posture of your web applications from an external perspective and from an internal perspective.
This offers complete coverage of the total attack surface of your web applications from their static source code to their dynamic execution during run-time.
Each testing technique has its own particular disadvantages, but they are complemented by the advantages of the hybrid testing methodology. The behaviour of a web application integrated with an external, third-party environment cannot be tested by a static review (SAST), which never executes the application.
Dynamic testing (DAST) identifies vulnerabilities external to the web application's code and allows the application to be tested together with its different interfaces, but it does not identify hard-coded weaknesses and cannot pinpoint a weakness in the source code directly.
Combining both security assessment methodologies offers a complete testing method called Web Application Hybrid Analysis. With roughly 40 percent of web applications today rated as requiring improvement in terms of cyber-security, it is imperative that corporations take full advantage of the comprehensive coverage that combining static application security testing (SAST) and dynamic application security testing (DAST) in a web application hybrid analysis provides.
THE POTENTIAL FALSE POSITIVES OF SAST ARE PRIORITIZED BY DAST IN A LIVE MODEL
False positives are findings reported by a tool that do not represent real security issues. Static application security testing tools may flag such findings in code as potential high-risk vulnerabilities, and dynamic application security testing tools can take these findings into account when analyzing the running web application.
During the run-time analysis of your web applications, DAST results are used to prioritize the potential vulnerabilities found by SAST, distinguishing real vulnerabilities that stem from weaknesses in the source code from code patterns that do not result in any security issue at run time.
In this way, only meaningful security issues are reported by the combined SAST and DAST suites, giving an accurate depiction of your web application's security posture.
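The correlation step described in this section, as an added example that is not part of the original page or any vendor's product: static findings are matched against run-time results on route, parameter and weakness class, so that confirmed issues rise to the top, findings on code that was never exercised drop in priority, and run-time-only issues SAST could not see are still reported. The finding records, routes and file names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SastFinding:
    file: str
    line: int
    weakness: str   # e.g. "sql-injection"
    route: str      # HTTP route whose handler contains the sink
    param: str      # request parameter that flows into the sink

@dataclass(frozen=True)
class DastResult:
    route: str
    param: str
    weakness: str
    confirmed: bool  # did the run-time probe change observable behaviour?

def hybrid_report(sast, dast, exercised_routes):
    """Merge static and dynamic findings into one prioritised list.
    confirmed    : DAST reproduced the same weakness on the same route/param
    unconfirmed  : route was exercised but DAST saw no effect -> manual review
    unreachable  : route never exercised at run time -> likely dead code
    runtime-only : DAST found something with no static counterpart
                   (e.g. a third-party component SAST could not see)"""
    confirmed = {(r.route, r.param, r.weakness) for r in dast if r.confirmed}
    report, matched = [], set()
    for f in sast:
        key = (f.route, f.param, f.weakness)
        if key in confirmed:
            status, priority = "confirmed", 1
            matched.add(key)
        elif f.route not in exercised_routes:
            status, priority = "unreachable", 3
        else:
            status, priority = "unconfirmed", 2
        report.append({"where": f"{f.file}:{f.line}", "weakness": f.weakness,
                       "status": status, "priority": priority})
    for route, param, weakness in confirmed - matched:
        where = route + ("?" + param if param else "")
        report.append({"where": where, "weakness": weakness,
                       "status": "runtime-only", "priority": 1})
    return sorted(report, key=lambda r: r["priority"])

# Constructed sample findings for the demonstration (not real tool output).
SAST = [SastFinding("app/users.py", 42, "sql-injection", "/user", "id"),
        SastFinding("app/users.py", 88, "sql-injection", "/user", "name"),
        SastFinding("app/legacy.py", 10, "command-injection", "/export", "fmt")]
DAST = [DastResult("/user", "id", "sql-injection", True),
        DastResult("/user", "name", "sql-injection", False),
        DastResult("/health", "", "missing-security-header", True)]
EXERCISED = {"/user", "/health"}

def demo():
    return hybrid_report(SAST, DAST, EXERCISED)
```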
THIS COMBINATION ALLOWS FOR A MORE RIGOROUS COVERAGE OF ALL ATTACK VECTORS
As data breaches increase in frequency and web application risks and threats escalate, security monitoring is quickly becoming compulsory. With a potential cost per record ranging from $355 for the healthcare industry to $129 for retail, all industries are being greatly affected by data breaches.
It is imperative that businesses incorporate hybrid application security testing protocols into their security model to stay safe, secure, and impervious to the attacks of cyber-criminals.