You’ll often hear that the primary reason cyber-attacks are rising, year on year, is down to their evolving sophistication. But maybe the problem’s more straightforward than that?
The numbers certainly suggest it is. Verizon’s 2022 Data Breach Investigations Report, the eminent publication now in its 15th year, offers a comprehensive long-term view of the changing threat landscape. Once again, it reports that web applications, mail servers and online data are the most popular points of external attack, and these assets are known to be a relatively easy way in.
It’s clear that cyber-criminals are targeting the same flaws in web applications and associated infrastructure that they have been successfully exploiting for more than a decade. Moreover, an ever-increasing number of new threats expands the pool of flaws available to exploit. The timeless list in the Verizon report places web applications (56%) and mail servers (28%) at the top of the asset list for data breaches.
That makes sense, as these assets are the most likely to be internet-facing, so they are a happy hunting ground for attackers looking to slip through an organisation’s perimeter. It shouldn’t be that way; this article highlights the latest thinking, techniques and tools that can turn the tide and close internet-sized loopholes in web application security.
What is DAST and how does it work?
The go-to tool for many organisations is Dynamic Application Security Testing (DAST). Think of it as employing a burglar to break into your home.
Now, imagine their target is a physical building. If they were a DAST scanner, they would first examine the locks on the windows and doors, the most common and obvious points of entry. Then they would attempt to break in by multiple means (in DAST terms, blitz the servers with simulated attacks). But here’s the friendly bit: after lots of attack simulations, your burglar would report back and explain how and where they were able to gain entry. That’s how DAST works in a nutshell.
Think like a hacker
When you set a DAST scanner to work on your web applications (and servers), it actively seeks out vulnerabilities, much as a hacker would.
Crucially, DAST does this in a live environment. The DAST tool tests a running web application from a ‘black-box’ or ‘outside-in’ perspective: it looks at inputs and outputs without seeing the source code. It gathers as much information as possible about the target, crawling the pages and extracting every input to map the attack surface. Then, in scanning mode, the DAST tool simulates real attacks and observes how the application reacts to the different attack vectors.
This information is useful for understanding where and how to address vulnerabilities such as SQL injection, stolen credentials, cross-site scripting (XSS), local file inclusion (LFI), server-side request forgery (SSRF) and XML external entities (XXE); the list goes on. More advanced DAST tools also allow you to create custom attack scenarios.
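A stripped-down illustration of the crawl-then-probe loop described above, added here as an example rather than code from the article or any product. The two in-memory applications, the sample form and the marker probe are all constructed; the check flags only inputs that are echoed back unescaped, so the HTML-escaped echo of a normal search page is treated as expected behaviour rather than reported as a finding.

```python
"""Toy DAST loop: crawl a page's forms, probe each input with a harmless
marker, and flag inputs the app echoes back without HTML-escaping.
Example code added here; the two 'applications' are constructed stand-ins."""
import html
import uuid
from html.parser import HTMLParser

class FormInputs(HTMLParser):
    """Collect (form action, method, input names): the DAST crawl step."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", "/"),
                             "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea") and self._current is not None and a.get("name"):
            self._current["inputs"].append(a["name"])

# Constructed targets: one echoes the raw parameter, the other escapes it.
def unsafe_app(params):
    return "<p>Results for: " + params.get("q", "") + "</p>"

def safe_app(params):
    return "<p>Results for: " + html.escape(params.get("q", "")) + "</p>"

SAMPLE_PAGE = '<form action="/search" method="get"><input name="q"></form>'

def scan(page_html, app):
    """Scan step: probe every discovered input and observe the response.
    The probe is a unique marker wrapped in angle brackets, so only a
    response that reflects it unescaped (a tag boundary the app did not
    intend) is flagged; an HTML-escaped echo is expected behaviour."""
    parser = FormInputs()
    parser.feed(page_html)
    findings = []
    for form in parser.forms:
        for name in form["inputs"]:
            marker = "dast" + uuid.uuid4().hex[:8]  # unique, so no false match
            probe = "<" + marker + ">"
            body = app({name: probe})
            if probe in body:  # raw reflection: input reached the HTML unescaped
                findings.append({"action": form["action"], "input": name,
                                 "evidence": probe})
    return findings
```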
DAST vs. SAST
While scanning source code for vulnerabilities with Static Application Security Testing (SAST) is recommended, DAST is the most effective method of protecting a live web application. With DAST, you can determine whether an external attacker could exploit a weakness when the full application is running with all its components.
What DAST and SAST have in common is their integration into the software development lifecycle (SDLC). With both tools, you can test applications as they evolve, and detect and remediate security risks before they become serious problems. Advanced DAST tools enable developers to run scans and remediate issues early in the development process.
DAST strengths and limitations
DAST tools, in contrast to SAST, examine a running web application rather than its source code. As a result, they detect vulnerabilities that SAST techniques cannot, such as weak ciphers, memory leaks, session concerns and authentication problems.
In line with the black-box technique, DAST tools analyse all web apps in the same way, independent of the underlying programming languages or technology. They search for vulnerabilities in the infrastructure as well as the web application, looking at middleware and application systems including web servers, databases and proxies.
While DAST tools indicate that a vulnerability exists, they cannot pinpoint its exact location in the code (because they do not access the code), so developers or testers must identify and fix the faulty code themselves. There is also an issue with false positives (issues flagged incorrectly) when an automated tool does not understand the expected behaviour of a web application feature.
Another limitation is that DAST tools send attacks that may modify, delete or corrupt existing application data. For this reason, all tests should be performed in a non-production environment. Finally, depending on how they are configured, DAST tools may not cover 100% of the application, which means they could miss some vulnerabilities.
Advances with IAST
An extension of DAST is Interactive Application Security Testing (IAST), which offers a best-of-both approach: it analyses the source code of the web application while it is running. As a result, it can identify more vulnerabilities with a lower rate of false positives.
Because IAST tools analyse the codebase of the running application, they can show the exact location of a vulnerability. Their coverage includes open-source libraries and frameworks, so reports of publicly known vulnerabilities in a particular library that do not actually apply can be filtered out as false positives. That is a time-saving advantage over DAST tools in general.
IAST offers a few more advances that complement SAST and DAST. It performs all its analysis inside the app, in real time and at any point in the SDLC. And it addresses the entire application: all code, runtime control-flow and data-flow information, configuration, HTTP requests and responses, plus libraries, frameworks and backend connection information. Access to all that information allows the IAST engine to cover more code, produce more accurate results and verify a broader range of security rules than SAST or DAST alone.
However, IAST web application security tools can be complex to set up, let alone interpreting the reports and identifying how to fix problems. And with IAST, developers need to run tests that fully exercise the web application: what you cannot measure, you cannot manage. If buying SAST, DAST and IAST and running all three sounds expensive, there are some as-a-service options worth considering.
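A toy in-process instrumentation in the IAST spirit, added here as an example and not code from the article or any vendor’s agent: a request ‘source’ hands out tainted strings and a SQL ‘sink’ records the file, line and function where tainted text reaches it, which is the location detail a black-box scan cannot supply. `Tainted`, `read_request_param`, `execute_sql` and the two lookup functions are hypothetical stand-ins for an agent’s hooks and for application code.

```python
"""Toy IAST-style taint tracking: source marks data, sink reports where
tainted text arrives. Example code added here; no real database or web
framework is involved, and the request dict is constructed."""
import inspect

class Tainted(str):
    """A str that remembers where its contents entered the process."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    # Propagate taint through concatenation only; real agents also cover
    # slicing, formatting, f-strings and many library calls.
    def __add__(self, other):
        return Tainted(str(self) + str(other), self.source)
    def __radd__(self, other):
        return Tainted(str(other) + str(self), self.source)

def read_request_param(request, name):
    """Instrumented source: every request parameter comes back tainted."""
    return Tainted(request[name], source="request param %r" % name)

FINDINGS = []
def execute_sql(query, params=None):
    """Instrumented sink: query text built from tainted data is reported
    with the caller's location; tainted values passed only in params are not."""
    if isinstance(query, Tainted):
        caller = inspect.stack()[1]
        FINDINGS.append({"rule": "sql-injection", "source": query.source,
                         "file": caller.filename, "line": caller.lineno,
                         "function": caller.function,
                         "code": (caller.code_context or [""])[0].strip()})
    return "executed"  # constructed: there is no real database here

def lookup_user(request):
    """Constructed application code written the risky way."""
    name = read_request_param(request, "user")
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_user_safe(request):
    """Same lookup using a parameterised query: the sink stays quiet."""
    name = read_request_param(request, "user")
    return execute_sql("SELECT * FROM users WHERE name = ?", params=(name,))

def run_probe():
    FINDINGS.clear()
    lookup_user_safe({"user": "alice"})
    lookup_user({"user": "alice"})
    return list(FINDINGS)
```

Note that an ordinary value such as "alice" is enough to trigger the report: the finding comes from observing the data flow inside the app, not from a malicious payload succeeding.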
SIRE recommends Pulse360 WebProtect
Pulse360™ WebProtect provides web application security testing as a service across all your assets. With its capacity to crawl complex online apps and essentially anything else that is browser-accessible, the tool can do this at scale. Even password-protected portions of your websites and custom web applications with multi-level forms can be scanned.
WebProtect offers hybrid capabilities: you can test applications outside-in (DAST) and inside-out (IAST). So, for example, you can pinpoint the exact location and root cause of an issue in the code. At any point in your SDLC, WebProtect gives you all the information you need to fix the issue quickly and easily. Plus, it verifies security issues, which virtually eliminates false positives.
Finally, WebProtect offers unrivalled depth. It scans for over 7,000 web vulnerabilities, and it checks for misconfigurations, unpatched software, weak passwords, exposed databases and more. It is also delivered with the help of security testing expertise that is often unavailable in-house, reducing the time to value of the investment.
When it comes to web application security, WebProtect can help you slam the door shut and keep it closed.
Get in touch for advice on security testing and web application performance