How to ensure application security

translator |  Li Rui

Reviser |  Sun Shujuan

software architect Bob And security development engineer Alice Is a member of a software development startup . The following is their dialogue on developing a new set of microservices .  

Bob say ：“ Did you hear the notice ？ The client transaction has been finalized . We can start developing analytic applications for the financial services they use on the cloud platform .”    

Alice：“ fantastic ！ So which programming language should you use to build your application ？”  

Bob：“ Not sure yet . It can be based on any software programming language , But more importantly, it must be safe . All our systems and their applications should be covered with the latest security patches , And the software version should always run in the correct configuration .  

I will send you detailed business use cases and technical requirements by email . In short , It will be a rapid development of continuous integration and delivery . What tools do you suggest we use for end-to-end security scanning ？”

Alice say ：“ Of course , I will send you a list of tools , These tools will enable us to detect and fix vulnerabilities before production deployment . I think there needs to be a promising way to scan and eliminate the network security risks that code or applications may bring .”  

Bob say ：“ Great , We prefer open source scanning tools , But if there is one , You can list your insights into popular third-party proprietary tools .”  

Alice Start exploring existing resources on code scanning topics . according to Bob Requirements specification provided , She considered all the key areas , For example, static analysis of code 、 Internet oriented user interface （UI） and API Dynamic analysis of endpoints and vulnerability scanning of dependent packages .  

And a few days passed , She is still confused , Difficult to make a decision , Because most of the information obtained is based on user roles and software availability specifications rather than code centric , Although this is useful from a developer's point of view , And can adapt to the needs .  

The following will provide an in-depth understanding of the contents of each security scanning tool （ This is enough to help Alice Make a decision ）.  

1. Category  

The following are the categories of various security scanning tools ：  

（1）SAST（ Static application security testing ）, Also known as static scanning  

• A white box test process used to analyze application source code to identify the source of the vulnerability ; Coding usually occurs during the application development lifecycle / The quality assurance phase is implemented , Thus, vulnerabilities in the code can be identified and mitigated early .
• Ensure that the application is built in a powerful and secure way from the design stage , And meet the safety coding standard before putting into production .
• Provide SAST Some of our tools include SonarQube、App Scan、IBM Code Risk Analyzer、Fortify Static Code Analyzer、WhiteSource etc. .
• Use SAST Before the tool , The commonly used evaluation criteria are ：

1. Support the required programming languages .
2. Bit error rate .
3. Vulnerability detection accuracy .
4. Level of detail .
5. Clarity of code security analysis results .

（2）SCA（ Software composition analysis ）, Also known as dependency scanning  

• Track open source components in the code base to detect vulnerabilities 、 Potential security and license compliance threats , Enable the team to avoid conflicts with IP、 Conflicts between reputation and expenses should be remedied as soon as possible .
• When static scanning detects vulnerabilities in proprietary source code developed internally , Software composition analysis (SCA) Perform dependency scanning to identify vulnerabilities in open source dependencies 、 Found deprecated dependencies , And evaluate digital signatures . It has almost no false positives , Scanning speed is very fast . No need to access source code , In the software development life cycle （SDLC） Integration at any stage of the , Even late deployment .
• Some offer SCA/ The tools that rely on scanning are White Source Software、GitLab、GitHub、Snyk and Jfrog Xray.
• Use SCA The commonly used evaluation criteria for the tool are ：

1. Knowledge base of open source components and their vulnerabilities .
2. Support for various programming languages .
3. Scanning speed .
4. Easy to use report analysis results .
5. Develop integration capabilities for all phases of the lifecycle .

（3）DAST（ Dynamic application security testing ）, Also known as dynamic scanning /Web Application scanning  

• This is a black box test process , Used to identify applications through penetration testing Web Endpoint vulnerability , And cannot access its source code , Usually when building application quality assurance （QA） And pre production . It explores the running state of the application , And check its response to simulated attacks by the tool , This will help determine if the application is vulnerable , And whether they may face the risk of real malicious attacks .
• Suitable for detecting authentication and configuration problems ; Independent of the language and platform used by the application .
• Some of the tools that provide dynamic scanning are OWASP ZAP、App Scan、Netsparker and Detectify.
• Use DAST The commonly used evaluation criteria for the tool are ：

1. Support API test .
2. Certification scan .
3. DevSecOps（ As CI/CD The ability to fully automate the operation of a part of the pipeline ）.

（4）IAST（ Interactive application security testing ）  

• IAST It's a combination SAST and DAST Advantages of the hybrid test method .IAST Analyze vulnerabilities by detecting applications at run time using agents and sensors . And DAST Different ,IAST You can view the entire code base , And can point to the exact vulnerable location of the code . Besides , And SAST Different , It can catch runtime problems such as misconfiguration , And the false positive rate is the lowest .
• Provide IAST Some of our tools are Veracode and Netsparker.
• Use IAST The commonly used evaluation criteria for the tool are ：

1. Supported technologies .
2. Level of detail that is easy to report and analyze .
3. Execution speed .
4. Extremely low accuracy / No false positive results .

（5） Database security scanning  

• By checking the internal and external configuration of the database （ Like authentication 、 Confidentiality 、 Integrity and availability ） To identify vulnerabilities in database applications .
• Some of these tools are Scuba、Zenmap and SQLRecon.

2. Tools  

（1）WhiteSource Scan

WhiteSource have SAST and SCA Function to perform security scanning of code .SAST Capability can be used to detect vulnerabilities in source code ,SCA Can be used to detect vulnerabilities in open source dependencies .WhiteSource Help developers fix bugs . It is associated with Jenkins、Bamboo、AzureDevOps、GIT and TFS Integrate .  

（2）SonarQube

SonarQube Is an open source platform for checking code quality , And with GitHub、BitBucket、GitLab、Maven、Gradle、Travis、Jenkins、Bamboo and Azure DevOps Integrate .SonarQube Key indicators can be measured , Including mistakes 、 Code defects 、 Security holes and duplicate code .SonarQube Support the creation of SonarQube plug-in unit , This helps you customize your code rules .  

（3）IBM CRA  

Code Risk Analyzer Get all based on Git Code for 、 Configure and deploy artifacts , Build dependency diagrams , And run compliance control to check the pipeline . It generates a bill of materials (BOM) file , It lists the dependencies of all third-party operating system packages and application packages . It will find the BOM (BOM) Vulnerabilities in the package listed in the file .Code Risk Analyzer Support only IBM CloudContinuous Delivery managed github.com The repository 、Git Repository and issue tracking Repository . It can enable CRA To scan pull requests and merge .  

（4）HCL AppScan

HCL AppScan It's a comprehensive one 、 Cloud based application security solutions , And build environment 、DevOps Tools and IDE Integrate .AppScanon Cloud Provide a complete set of testing technology （SAST、DAST、IAST And open source ） To provide the widest coverage . It can be used AppScan UI Set false alarm .  

（5）Gosec

Gosec It's a security tool , It can be done to Golang Static code analysis for security vulnerabilities of the project .Gosec By loading all the source code into AST（ Abstract syntax tree ） Come to work , And apply a set of built-in rules to find common errors , For example, secrets in code . It allows //#nosecG101G102 Identify false positives .  

（6）OWASP ZAP  

Zed Attack Proxy（ZAP） It's a free 、 Open source dynamic scanning tool , By open Web Application Security Project （OWASP） maintain .ZAP Specially designed for Web Designed for application penetration testing . It sets alarm filters to set false positives .  

3. Tool comparison

Conclusion  

Even though Alice No previous experience in operating security scanning tools , But she doesn't want to try every tool , Because they bring the cost of integration problems to the prototype new software application environment .  

The choice of security scanning tools is an important decision that the team must make . The findings will further lead to key decisions , For example, prevent code delivery in case of security scan failure , Or in the case of dynamic code scanning , Record the auditable traceability process to confirm the safe acceptance of the test （ That is, accept or ignore the wrong positive number ）.

And after understanding the details of these tool comparisons ,Alice Recommend these tools to Bob, And these tools will soon be shortlisted .

about Bob Come on , Significantly avoiding bad scanning tools is more important than finding the best tools .Alice and Bob I am very happy for this , Because it can save more time , Let them focus on the actual business needs to develop products .

Original title ：​​Take Control of Your Application Security​​, author ：Josephine E. Justin,Deepika Kothamasu,Swathi Pemmaraju