Adding DAST to the Software Security Mix
The speed of software development is accelerating. The integration of software development and operations–DevOps–made it possible and desirable for teams to write, commit, merge and deploy code as fast as possible. No more waiting for major releases or patches: let’s get the features out into the world in as close to real time as possible.
For a long time, security professionals were considered outsiders in this process. Security was often seen as a drag on delivery: the people whose time-consuming scans and sign-off procedures slowed development down.
But as we have seen in recent years, like the pace of software deployments, the pace of cyberattacks is speeding up, and companies ranging from major corporations to small businesses are affected. A data breach means you lose assets or confidential information, as well as the trust and loyalty of your customers and employees. It means losing all of this to your competition.
Because these attacks are becoming so ubiquitous, it behooves all of us to ensure that security is no longer an afterthought. Call it DevSecOps, call it what you will, but the new paradigm is one where security has a seat at the table within the Software Development Life Cycle (SDLC) alongside development and operations, as equals.
Application security testing can be broken down into two major forms–dynamic and static. Static forms of testing include Software Composition Analysis (SCA) and Static Application Security Testing (SAST). SCA inventories the components and dependencies in the software and compares them against databases of known vulnerabilities. SAST, on the other hand, scans the application’s source files and code to find security flaws. Both can be done without the application running (hence “static”).
Dynamic tools, on the other hand, scan the application while it’s running–because there can be a huge difference between the code running in a browser (the web app) and the code sitting in a repository. Dynamic Application Security Testing (DAST) tests how the application behaves while running, in some sense simulating the actions of a hacker by probing for exposed interfaces. This matters because applications can be so huge and complex that no one person has an accurate inventory of the endpoints; that doesn’t mean there is any less of a need to test them!
DAST automation tools could still be considered a nascent market, but there are several notable free and paid tools in this space. Among the free tools, one of the most popular and accessible comes from the Open Web Application Security Project (OWASP), a non-profit organization that promotes software security through educational resources and open-source software. In particular, OWASP’s Zed Attack Proxy (ZAP) is one of the most widely used penetration testing (pentesting) tools on the market. ZAP has two major modes: “passive”, which spiders the site and inspects the responses it sees for vulnerabilities, and “active”, which sends attack payloads to your website to simulate an attack.
SOOS is excited to announce that our DAST tool, based on the OWASP ZAP tool, is slated for release in Q1 of 2022. Like our SCA solution, our DAST scanner focuses not only on security but also on convenience and efficiency–which is why we’ve made sure that, with just a few configuration steps, our DAST tool can be smoothly integrated with most of the popular CI/CD systems in use today, including Jenkins, Azure DevOps, Travis, GitLab, CircleCI, GitHub Actions, and more.
Finally, check out SOOS’s SCA tool right now and reap the benefits of having an open source vulnerability scanner, set up policies to govern your org’s open source license usage, and generate a Software Bill of Materials (SBOM). Static and dynamic tools play different but complementary roles in defining your security posture, offering coverage and insights that neither one alone could provide. We look forward to you trying out our SCA and (soon) DAST tools!
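The practical question a CI/CD integration has to answer is what to do with the scanner’s findings: which alerts fail the build, which are accepted risk, and which are noise. The script below is an added example, written for this post and not code from SOOS or from the ZAP project. It assumes the JSON report layout that ZAP’s open-source baseline scan writes (`zap-baseline.py -t <url> -J report.json`): a top-level `site` list, each site carrying an `alerts` list whose entries have `alert`, `riskcode` (0 Info, 1 Low, 2 Medium, 3 High), `confidence` (0 to 3) and `instances`. The report embedded in the script is constructed for illustration, not a real scan result.

```python
"""Gate a CI job on the findings of an OWASP ZAP passive (baseline) scan.

Added example, not SOOS or ZAP project code. Assumes the JSON report format
produced by zap-baseline.py -J: {"site": [{"@name": ..., "alerts": [...]}]}
where each alert carries "alert", "riskcode", "confidence" and "instances".
"""
import json
import sys
from collections import Counter

# ZAP risk codes arrive as strings in the JSON report.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample report in the ZAP JSON layout (not a real scan result).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://app.internal:8080",
        "alerts": [
            {"alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://app.internal:8080/", "method": "GET"},
                           {"uri": "http://app.internal:8080/login", "method": "GET"}]},
            {"alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.internal:8080/", "method": "GET"}]},
            {"alert": "Application Error Disclosure",
             "riskcode": "2", "confidence": "1",
             "instances": [{"uri": "http://app.internal:8080/search?q=", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten every site's alerts into (site_name, alert) pairs."""
    report = json.loads(report_text)
    return [(site.get("@name", "?"), alert)
            for site in report.get("site", [])
            for alert in site.get("alerts", [])]


def evaluate(report_text, fail_at="2", min_confidence="2", ignore=frozenset()):
    """Apply a build policy to a ZAP JSON report.

    Returns (passed, counts_by_risk, failing_alerts). An alert fails the build
    when its risk is at or above fail_at AND its confidence is at or above
    min_confidence (low-confidence hits are still counted, just not gated on)
    AND its name is not in the accepted-risk ignore set.
    """
    counts = Counter()
    failing = []
    for site, alert in load_alerts(report_text):
        risk = alert.get("riskcode", "0")
        counts[RISK_NAMES.get(risk, risk)] += 1
        if alert.get("alert") in ignore:
            continue
        if int(risk) >= int(fail_at) and int(alert.get("confidence", "0")) >= int(min_confidence):
            failing.append({
                "site": site,
                "alert": alert.get("alert", "?"),
                "risk": RISK_NAMES.get(risk, risk),
                "urls": [inst.get("uri") for inst in alert.get("instances", [])],
            })
    return not failing, dict(counts), failing


def main(argv):
    """CLI entry point: `gate.py [report.json]`; exits non-zero when the policy fails."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report_text = fh.read()
    else:
        report_text = SAMPLE_REPORT  # fall back to the constructed sample
    passed, counts, failing = evaluate(report_text)
    print("alerts by risk:", counts)
    for item in failing:
        print(f"FAIL {item['risk']:<6} {item['alert']} ({item['site']}) at {', '.join(item['urls'])}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the path of a real report (`python gate.py report.json`) after the baseline scan, or with no arguments to exercise the constructed sample, which fails on the Medium-risk CSP finding while the low-confidence error-disclosure hit is only counted. Raising `fail_at` to `"3"` or listing an alert name in `ignore` records an accepted risk without silencing the count, which keeps the triage decision visible in the job log rather than buried in scanner configuration.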