
Web Application Security Testing

DAST vs SAST

Will Bechtel, Director, Product Management January 26, 2012



Static Application Security Testing (SAST)
- Manual review of source code
- Automated scanning of source code or binaries
- Tests without runtime context (no specific user, etc.)
- Automated tools usually identify and prioritize vulnerabilities:
  - Range widely in capabilities (simple search to complex evaluation)
  - Prioritized by risk
  - Identify data flows
  - Provide the ability to mark sources as trusted



Dynamic Application Security Testing (DAST)
- Automated scanning and interactive testing
- Sends an attack in the request, then evaluates the response
- Tests the full application stack as deployed
  - Can identify vulnerabilities in the web app, host, web server, app server, DB server, etc.
- Tests in the context of a user
- Tests in runtime context
  - Includes context such as authorization that is loaded from a DB, etc.
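As an added example, not part of the original deck and not Qualys code: a minimal DAST probe that does what the slide describes, sends an attack payload in the request and evaluates the response, and does so in the context of a user by carrying a session cookie. The target is a constructed in-process WSGI application so the example runs offline; its paths (/search, /filtered, /admin), the session=admin cookie value and the payload list are all assumptions made for the illustration. The /filtered endpoint also shows the "can be fooled by filters" drawback the deck lists for DAST later on.

```python
"""Minimal DAST probe against an in-process WSGI app (constructed example)."""
from io import BytesIO
from urllib.parse import parse_qs, urlencode


def target_app(environ, start_response):
    """Constructed target (assumption, not a real product):
    /search   reflects q into HTML unescaped
    /filtered reflects q after a naive filter that strips the string '<script'
    /admin    reflects q, but only for requests carrying session=admin
    """
    path = environ["PATH_INFO"]
    params = parse_qs(environ.get("QUERY_STRING", ""))
    cookie = environ.get("HTTP_COOKIE", "")
    if path == "/admin" and "session=admin" not in cookie:
        start_response("403 Forbidden", [("Content-Type", "text/html")])
        return [b"<p>login required</p>"]
    q = params.get("q", [""])[0]
    if path == "/search":
        body = f"<p>Results for {q}</p>"
    elif path == "/filtered":
        body = f"<p>Results for {q.replace('<script', '')}</p>"
    elif path == "/admin":
        body = f"<p>Admin results for {q}</p>"
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"<p>not found</p>"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def request(app, path, params, cookie=""):
    """Tiny WSGI client: build an environ, call the app, return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": urlencode(params),
        "HTTP_COOKIE": cookie,
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


# Attack payloads: a finding is recorded when the payload comes back verbatim,
# i.e. the application echoed it into the page without encoding.
PROBES = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]


def scan(app, path, param="q", cookie=""):
    """Send each probe in the request and evaluate the response."""
    findings = []
    for payload in PROBES:
        status, body = request(app, path, {param: payload}, cookie)
        if status.startswith("200") and payload in body:
            findings.append((path, param, payload))
    return findings


if __name__ == "__main__":
    print("unauthenticated /search:", scan(target_app, "/search"))
    print("naive filter /filtered: ", scan(target_app, "/filtered"))
    print("no session /admin:      ", scan(target_app, "/admin"))
    print("with session /admin:    ", scan(target_app, "/admin", cookie="session=admin"))
```

Three points of the slide are visible in the output. The scanner needs no source code and learns nothing about why /search is vulnerable, only that the deployed response is. The /filtered endpoint defeats the first probe, so a scanner that stops at one payload would report it clean; the second probe still gets through, which is why scanners carry many payload variants. And /admin is only reachable, and therefore only testable, when the probe carries the session cookie, which is the "tests in the context of a user" point.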



SAST
Advantages
- Full visibility of security controls in the web application
- Can identify logic-related vulnerabilities not easily discovered by black-box testing
- Accurate with human review for the application itself: code doesn't lie
- Does not depend on testing potentially unlimited paths
- Not fooled by filters, etc.

Drawbacks
- High cost of human resources: even with a tool it is very time consuming
- Not scalable: can only thoroughly test a limited number of apps; limited availability of trained resources
- High false positive rate with automated tools
- Unable to identify weaknesses associated with runtime context
  - Most access control is loaded from a DB: no way to evaluate privilege escalation
  - Can't find issues outside the code reviewed (web server, app server, etc.)
  - Can't determine if the deployed web app is vulnerable (other controls in place, like a WAF)



DAST (Automated Testing)
Advantages
- Able to identify weaknesses associated with runtime context
  - Most access control is loaded from a DB: can evaluate privilege escalation
  - Can find issues outside the web app code (web server, app server, etc.)
  - Can determine if the deployed web app is vulnerable (other controls in place, like a WAF)
- More cost effective: testing typically takes less time than static analysis and validation
- Lower false positive rate than SAST

Drawbacks
- Can't identify logic-related issues
- Can't identify weaknesses that are not in the testing context
- Does not have visibility into security controls in the web application
- Can't identify some categories, such as a time bomb or back door inserted by a malicious developer
- Can only test a limited number of paths
- Can be fooled by filters, etc.



SAST Challenges
- Scope: what code is included? Third-party libraries?
- Environment: some tools require a buildable environment, which can be hard to set up
- Subject matter expertise: best results if performed by someone intimately familiar with the development; it is hard to gain an understanding of an application just to perform a review
- Language support: PHP and other languages are not well supported; varies by tool



Testing Method Attributes

SAST
- Identifies logic flaws
- Definitive at the application level
- Identifies risks not visible to external testing (time bomb)

Both SAST and DAST
- Identify weaknesses including the OWASP Top 10
- Require a human to validate results

DAST
- Identifies weaknesses outside the app code (web server, etc.)
- Identifies weaknesses in user or runtime context

DAST: situations in which DAST is most often used
- Source code for the application is not available
  - May be able to identify issues by scanning the binary, but how do you fix them?
- Limited resources
  - Don't need resources able to understand software code
  - Testing usually focuses on the most common use cases
  - Usually takes less effort
- Limited attack vectors
  - Code is known to be written with strong review and change control procedures

SAST: situations in which SAST is most often used
- Web application is a product
  - Vulnerable products = loss of brand reputation
  - Identification of a vulnerability by users is too late
- Source code and expertise are available
  - Best when developers are involved in the review
  - Best when integrated into the SDLC
- Insider threat
  - Code may not have been developed under strong review and release controls, or may have been acquired in a merger, etc.

Conclusions
- Both SAST and DAST have important roles
- Generalizations (there will always be exceptions):
  - SAST = more definitive identification at the app level / more cost
  - DAST = better identification across the full solution / less cost
- DAST can be used to ensure applications are tested on a regular basis and can be a first line of defense
- SAST can be used when additional depth of testing is required



Questions


Resources
- SAST: list of static analysis tools
  http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
- DAST: list of dynamic testing tools
  http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List


Thank You
Will Bechtel wbechtel@qualys.com
http://www.qualys.com/products/qg_suite/was/
