Automated application security testing tools are critical because software applications present a broad attack surface for attackers to exploit. With industry surveys putting the share of applications that carry one or more serious vulnerabilities at over a quarter, applications are easy targets. The consequences of a successful attack can be devastating for both the application owner and its users, exposing both to financial loss and reputational damage. Even when security is built into the design and development stages of an application, vulnerabilities can still creep in. In modern continuous integration and continuous delivery (CI/CD) environments, where time is critical and manual code reviews and traditional test plans are slow, IT admins often struggle to oversee large, complex applications comprehensively.
Automated application security testing tools can help developers identify software defects early in the CI/CD pipeline -- when they are easiest to detect, cheaper to resolve and overall less likely to disrupt the next development cycle.
Various laws and standards, such as PCI DSS, HIPAA and NIST SP 800-53, require or strongly recommend the use of application security testing tools to satisfy their risk management requirements. GDPR and the California Consumer Privacy Act have also dramatically increased the potential fines for organizations that don't take appropriate steps to safeguard data.
Benefits of application security testing tools
The latest crop of application security testing tools enables software development teams to regularly check their code base to catch and fix bugs and vulnerabilities throughout the development, deployment, upgrade and maintenance of an application, greatly reducing the risk of a security incident. Commercial and open source application security testing tools and services are widely available, and although they will incur some initial costs, companies will ultimately spend fewer resources to remediate vulnerabilities and possible security incidents.
Application security testing tools can also free developers from tedious work, improving overall productivity. Modern tools that plug into a developer's integrated development environment (IDE) can scan smaller sections of code more frequently, providing immediate feedback on potential issues. Application security testing tools not only find vulnerabilities, but also potential weaknesses in the code and its execution, halting the build process, if necessary, until admins remediate the problem and verify the fix. These tools offer repeatable tests that scale well and generate metrics showing how many issues admins detect and fix; they track improvements in each developer's code; and they track security issues so they don't get overlooked or ignored.
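The build-halting behaviour described above is usually implemented as a gate that reads the scanner's report and fails the pipeline stage when findings exceed a severity threshold. The following is an added example, not code from the article or from any vendor: it parses a SARIF 2.1.0 report (the interchange format most SAST/DAST tools can emit), summarises counts per level for metrics, and returns a pass/fail decision. The SARIF document embedded below is constructed for the example; the rule identifiers and file paths in it are placeholders.

```python
"""Fail a CI build when a scanner's SARIF report contains findings at or above
a severity threshold, and summarise counts for pipeline metrics.

Added example. SAMPLE_SARIF is constructed; real scanners emit the same
shape (runs[].results[] with a 'level' of error/warning/note)."""
import json
import sys
from collections import Counter

# Rank SARIF levels so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF 2.1.0 report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "query built from request data"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": []},
        ],
    }],
})


def summarise(sarif_text):
    """Return (counts_by_level, findings) across every run in the report."""
    doc = json.loads(sarif_text)
    counts = Counter()
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "?")
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default is warning
            counts[level] += 1
            loc = "?"
            for location in result.get("locations", []):
                phys = location.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                loc = f"{uri}:{line}"
                break  # first location is enough for a summary line
            findings.append((tool, level, result.get("ruleId", "?"), loc,
                             result.get("message", {}).get("text", "")))
    return counts, findings


def gate(sarif_text, fail_on="error"):
    """True when the build may proceed: no finding at or above fail_on."""
    counts, _ = summarise(sarif_text)
    threshold = LEVEL_RANK[fail_on]
    blocking = sum(n for lvl, n in counts.items()
                   if LEVEL_RANK.get(lvl, 0) >= threshold)
    return blocking == 0


if __name__ == "__main__":
    counts, findings = summarise(SAMPLE_SARIF)
    for tool, level, rule, loc, msg in findings:
        print(f"[{level:7}] {tool} {rule} at {loc}: {msg}")
    print("counts:", dict(counts))
    # A non-zero exit fails the CI stage and blocks the merge.
    sys.exit(0 if gate(SAMPLE_SARIF, fail_on="error") else 1)
```

Run as a pipeline step after the scanner, the script exits 1 for the sample report because it contains one error-level finding; lowering the threshold to "warning" is the usual next step once the backlog of known issues is cleared.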
Types of application security testing tools
There are three main types of app security testing tools:
- Static application security testing (SAST) tools analyze source code, bytecode or compiled binaries without executing the program, to find security weaknesses and coding errors.
- Dynamic application security testing (DAST) tools test a running application from the outside, as an attacker would, without needing the source code. Interactive application security testing (IAST) is a hybrid that combines SAST and DAST techniques by instrumenting the running application from within.
- Application penetration testing combines automated scanners with manual work by a skilled tester to find exploitable vulnerabilities and attack paths, such as cross-site scripting, SQL injection, misconfigurations and insufficiently protected credentials.
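To make the SAST category concrete, here is a miniature static analyser, added as an example and not taken from the article or from any product. It parses Python source into an abstract syntax tree and pattern-matches three weakness classes without ever running the code: SQL queries built by string formatting or concatenation, subprocess calls with shell=True and a runtime-built command, and hard-coded secrets. The target program it scans is constructed inline. Commercial SAST tools go much further (inter-procedural taint tracking, framework models, many languages), but the mechanism is the same.

```python
"""Toy SAST: pattern-match weaknesses in a Python AST without executing it.

Added example; SAMPLE_SOURCE is a constructed target program."""
import ast

SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}

# Constructed target: two vulnerable patterns, each beside a safe variant.
SAMPLE_SOURCE = '''
import sqlite3, subprocess
DB_PASSWORD = "hunter2"

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # injectable
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))       # parameterised
    return cur.fetchall()

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)    # command injection
    subprocess.run(["ping", "-c", "1", host])           # argv list, no shell
'''


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                    # f"..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                  # "...".format(x)
    return False


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, rule, detail)

    def visit_Call(self, node):
        func = node.func
        # Rule 1: cursor.execute(<runtime-built string>) -> SQL injection risk.
        if isinstance(func, ast.Attribute) and func.attr in {"execute", "executescript"}:
            if node.args and _is_dynamic_string(node.args[0]):
                self.findings.append((node.lineno, "sql-injection",
                                      "query text built at runtime; use a parameterised query"))
        # Rule 2: subprocess.*(<non-literal>, shell=True) -> command injection risk.
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if shell and node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append((node.lineno, "shell-injection",
                                      "shell=True with runtime-built command; pass an argv list"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Rule 3: NAME_MENTIONING_A_SECRET = "literal" -> hard-coded credential.
        for target in node.targets:
            if (isinstance(target, ast.Name) and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)
                    and any(s in target.id.lower() for s in SECRET_NAMES)):
                self.findings.append((node.lineno, "hardcoded-secret",
                                      f"{target.id} holds a string literal"))
        self.generic_visit(node)


def scan(source):
    """Return (line, rule, detail) findings, sorted by line, for one source text."""
    finder = Finder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, rule, detail in scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {detail}")
```

Note what the checker does not see: the parameterised query and the argv-list call on the adjacent lines produce no finding, which is the precision a SAST rule needs if developers are to trust it. A real tool would also have to follow `name` and `host` back to their sources to decide whether they are attacker-controlled at all.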
Mobile application security testing tools and application security testing as a service (ASTaaS) are two further options teams should consider depending on the nature of their environment. Also, because every project includes some third-party and open source components, a software composition analysis (SCA) tool is important: it inventories the components and libraries an application uses and checks them against known vulnerabilities (and usually licence obligations), which is also what compliance regulations ask for.
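The two halves of SCA, inventory and matching, are shown below in an added example that is not code from the article or from any SCA product. It parses a pinned requirements file into a component list and matches each component against an advisory feed using version ranges. Both the lockfile and the feed are constructed for the example: the package names are fictional and the advisory identifiers are placeholders, not real CVE or GHSA entries. A real tool would pull a live feed (OSV, NVD, a vendor database) and resolve transitive dependencies from the lockfile or the built artefact rather than from a flat list.

```python
"""Toy SCA: inventory declared components, match them to an advisory feed.

Added example; the lockfile, package names and advisory IDs are constructed."""
import re

# Constructed pinned requirements, as a Python lockfile might list them.
SAMPLE_REQUIREMENTS = """\
# generated lockfile (constructed, fictional packages)
webframe==1.1.2
netlib==2.19.0
confparse==5.4
mdrender==3.3.4
"""

# Constructed advisory feed: (package, introduced, fixed, id, summary).
# A version is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    ("netlib", "0.0", "2.20.0", "ADV-0001", "credential leak on cross-host redirect"),
    ("confparse", "0.0", "5.4", "ADV-0002", "code execution in full_load"),
    ("webframe", "0.0", "1.0", "ADV-0003", "open redirect in old versions"),
]


def parse_version(text):
    """Turn '2.19.0' into a comparable tuple; non-numeric parts sort low."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else -1)
    return tuple(parts)


def vcmp(a, b):
    """Compare two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def inventory(requirements_text):
    """Return {package: version} from a pinned requirements/lockfile."""
    found = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9A-Za-z.\-]+)$", line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def match(components, advisories):
    """Return sorted (package, version, advisory_id, summary) hits."""
    hits = []
    for pkg, ver in components.items():
        v = parse_version(ver)
        for apkg, introduced, fixed, aid, summary in advisories:
            if apkg != pkg:
                continue
            if (vcmp(v, parse_version(introduced)) >= 0
                    and vcmp(v, parse_version(fixed)) < 0):
                hits.append((pkg, ver, aid, summary))
    return sorted(hits)


if __name__ == "__main__":
    comps = inventory(SAMPLE_REQUIREMENTS)
    for pkg, ver, aid, summary in match(comps, SAMPLE_ADVISORIES):
        print(f"{pkg}=={ver}: {aid} ({summary})")
```

The version comparison is where toy SCA tools usually go wrong: note that `confparse==5.4` is not reported because 5.4 is the fixed version, and that `1.10` must sort above `1.9`, which a plain string comparison gets backwards.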
How to choose the right application security testing tool
No single application security testing tool will uncover every type of security issue. So, admins must plan for a combination of tools in the long run, but they should integrate the first tools as early as possible into the software development process. By automating the search for coding flaws, fixing security defects becomes a routine, everyday task, much like fixing functional defects. SAST, alongside an SCA tool, is the most common starting point for initial code analysis: it catches the most common weaknesses and checks that code adheres to coding standards, particularly when the application is written in-house or the team has access to the source code.
Not all security issues are detectable during development, however, particularly if the source code is unavailable. Many issues only come to light when the application is running, hence the need for DAST scanners. A DAST scanner first crawls the running application to discover every exposed input and access point (links, forms, parameters, API endpoints) and then tests each of them for a range of vulnerabilities. Assessing how the interaction of different components affects security is an important part of reducing an application's attack surface.
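The crawl-then-test sequence above is shown below in an added example (not code from the article or from any DAST product). The target is a small constructed WSGI application that is driven in-process, so the example runs offline; a real scanner would speak HTTP to a deployed instance. Phase 1 crawls from the root to collect links, forms and query parameters as input points; phase 2 injects a marker payload into each one and flags any response that reflects it without HTML encoding, which is the classic reflected cross-site scripting indicator.

```python
"""Toy DAST scanner: crawl a running app for input points, then probe each
one and flag unescaped reflection (reflected-XSS indicator).

Added example; the target is a constructed WSGI app called in-process."""
import html
from html.parser import HTMLParser
from io import BytesIO
from urllib.parse import parse_qs, urlencode, urlsplit

MARKER = "zq<dast>'\"zq"   # unescaped reflection of this string is a finding


def target_app(environ, start_response):
    """Constructed target: /search reflects input raw, /greet escapes it."""
    path = environ["PATH_INFO"]
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    if path == "/":
        body = ('<a href="/search?q=test">search</a>'
                '<form action="/greet" method="get"><input name="name"></form>')
    elif path == "/search":
        body = "Results for: " + qs.get("q", [""])[0]             # vulnerable
    elif path == "/greet":
        body = "Hello, " + html.escape(qs.get("name", [""])[0])   # safe
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"missing"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def http_get(app, url):
    """Send a GET to a WSGI app without a network; return the body as text."""
    parts = urlsplit(url)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": parts.path or "/",
               "QUERY_STRING": parts.query, "wsgi.input": BytesIO(b"")}
    chunks = app(environ, lambda status, headers: None)
    return "".join(c.decode() for c in chunks)


class LinkFormParser(HTMLParser):
    """Collect hrefs and (form action, input names) from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("action", ""), [])
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(app, start="/", limit=50):
    """Phase 1: sorted (path, parameter) input points reachable from start."""
    seen, queue, inputs = set(), [start], set()
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parts = urlsplit(url)
        for name in parse_qs(parts.query):          # parameters seen in links
            inputs.add((parts.path, name))
        parser = LinkFormParser()
        parser.feed(http_get(app, url))
        queue.extend(parser.links)
        for action, names in parser.forms:          # parameters seen in forms
            for name in names:
                inputs.add((action or parts.path, name))
    return sorted(inputs)


def probe(app, inputs):
    """Phase 2: inject MARKER into each input point; report raw reflections."""
    findings = []
    for path, name in inputs:
        body = http_get(app, f"{path}?{urlencode({name: MARKER})}")
        if MARKER in body:          # html.escape would have altered < > ' "
            findings.append((path, name, "reflected-xss"))
    return findings


if __name__ == "__main__":
    points = crawl(target_app)
    print("input points:", points)
    for path, name, rule in probe(target_app, points):
        print(f"{rule}: {path} parameter {name!r}")
```

Crawling matters as much as probing: the `name` parameter on `/greet` is only discoverable through the form on the front page, and an input the scanner never finds is an input it never tests. That is also why DAST coverage drops on applications with login walls or JavaScript-only navigation, and why scanners are usually given credentials and a site map.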
The drawback with DAST is that the tests can only run once a deployable build exists, later in the software development lifecycle (SDLC), which makes the vulnerabilities it discovers more costly to fix. IAST tools generally run on the application server as an agent inside the application runtime, detecting security issues in real time by analyzing traffic and execution flow from within the application. The results can usually feed directly into an issue tracking tool.
The big advantages IAST has over SAST are that its false-positive rate is normally much lower, because it observes real execution rather than inferring it, and that it can detect vulnerabilities in third-party or open source components at runtime. IAST tools can operate during development, quality assurance and even in production, as the agent's overhead is usually small; that overhead should still be measured under realistic load before the agent is left enabled in production.
A team's development philosophy will also influence the choice of tools. SAST and DAST tools fit naturally into a Waterfall SDLC with its distinct test phase, whereas an Agile or CI/CD environment is better suited to IAST tools, which add less time to each development cycle. One important but often overlooked feature is reporting. Tools that produce reports all stakeholders can understand will help project managers communicate risk and overall security posture. If resource and skill limitations make on-premises options a challenge, buyers should consider ASTaaS to hand off testing to a cloud service.
Any application security testing tool obviously needs to support the languages an application uses and integrate with the development pipeline, the target platform -- such as mobile or web -- and existing IDEs. If the development team doesn't include a security specialist or have the support of a dedicated security team, then it must pay extra attention to a potential tool's ease of setup and configuration, as developers won't want to lose time getting it running.
The size and geographic distribution of the development team, along with budget, will determine which features are necessary in an application security testing tool. Large teams located in different offices or countries will need a tool that can coordinate the management and reporting of all the different application security testing tools running in each location. If the team has less-experienced developers or if past projects contained a high number of bugs and weak coding practices, then e-learning functionality can improve the quality of code going forward.
Buyers should always ask to see a demo and take advantage of free trials to compare them against open source products and to ensure the features and capabilities are worth the investment. It's always possible to complement commercial tools with open source tools if the budget is limited.
Some leading application security testing tools
Checkmarx provides a full range of tools spanning SAST, IAST, SCA and just-in-time training that educates developers on the specific weaknesses found in their code. It comes with a range of implementation options, from private cloud to on-premises systems, all on a centralized platform that manages each tool. According to company case studies, customers have found setup to be straightforward, particularly when combining automated scans with code collaboration tools, such as GitHub, GitLab, Bitbucket and Azure DevOps. Its application security testing platform supports more than 22 coding and scripting languages and their frameworks, with no configuration needed to scan any supported language.
Companies choose Checkmarx over other options because of its ease of integration and its ability to run automated scans across more than 100 different applications. One banking client also used its integration with Jira to assign vulnerability remediation to the relevant developer. Another client reduced development cycle times by scanning only new or altered code instead of running a full scan of the entire code base, and no longer needed a dedicated engineer to write rules for eliminating false positives.
Synopsys offers a full range of tools from SAST to IAST, including a plugin that integrates security analysis into IDEs, such as IntelliJ, Eclipse or Visual Studio. This plugin enables developers to correct security flaws in their code as they write without having to switch back and forth between tools. It also provides remediation guidance with context-sensitive e-learning lessons specific to any common weakness enumerations identified in a developer's code, helping avoid similar mistakes in the future. This is a great way to improve security awareness and coding skills of a development team.
The Synopsys Black Duck SCA tool maps open source and third-party components to known vulnerabilities, monitors for newly published vulnerabilities, and enforces component use and security policies. Its IAST tool, Seeker, monitors web application interactions in the background during normal testing and reports any vulnerabilities along with the relevant code. According to Gartner Peer Insights, users say it requires little configuration, making it easy for developers and testers to run checks regularly. Flowbird, according to a company case study, needed to meet PCI DSS Requirement 6 and turned to Seeker to understand how data flows through its payment systems and to rank vulnerabilities by their impact on sensitive data; the result was improved security, less time spent on security testing, and better communication between security and R&D.
Veracode provides a scalable, cloud-based service for application security and software testing. Its platform enables end-to-end automated web testing and mobile app testing. As an on-demand SaaS system, it lets teams control costs more easily, with users paying only for the services they need. Veracode also offers penetration testing in which human testers manually test web, mobile, desktop, back-end and IoT applications to identify vulnerabilities automated testing can't find.
Veracode also offers Security Labs, which teaches secure coding practices through interactive web apps built around modern threats: developers exploit a real vulnerability in a sandboxed application and then patch it. This labs-based approach to developer enablement can speed up flaw resolution and help developers avoid introducing flaws in the first place, improving skills and overall awareness of secure coding practices. A free version, Security Labs Community Edition, is also available to any developer worldwide.
Additional app security testing tool options
Other notable vendors include the following:
- HCL AppScan has a full suite of testing technologies.
- Kiuwan offers flexible licensing on its SAST and SCA tools.
- AppSpider from Rapid7 is a full-featured DAST scanner that is competitively priced as an alternative to the larger players.
- Fortify Application Security from Micro Focus offers flexibility with security testing available as a service or on premises.
- WhiteHat Sentinel application security platform is tailored for Agile development teams that need security integration with their tools, as well as for security teams that need a continuous testing platform. It supports mobile AppSec testing as well.
- Netsparker's web security scanner consistently scores highly in third-party benchmark tests. Its proof-based scanning automatically confirms that a reported vulnerability is exploitable, which the vendor says eliminates false positives for confirmed findings; that makes it especially attractive where delivery times are critical, though unconfirmed findings still need triage.
The right application security testing tools can decrease time to market, while cutting the costs of development, maintenance and remediation. While monitoring and protecting the production environment are still essential, by preventing vulnerabilities from making it through to the end product, application security testing tools greatly reduce the chances of a security breach -- and the often dire consequences that follow.