This is a brief whitepaper that goes over some tooling that can be of assistance while performing reconnaissance against a web application prior to attack.
Packet Storm
Over the past several years, there have been many changes to software development and software security, including new and enhanced application security (AppSec) scans and architectural shifts like serverless functions and microservices. But despite these advancements, our recent State of Software Security (SOSS) report found that 76 percent of applications have security flaws. Yet CISOs and application security program owners still find themselves having to justify and defend application security initiatives.
Members of the Veracode Customer Advisory Board (CAB), a group of AppSec professionals in several industries, faced this challenge as well. In response, a working group subset of the CAB collaborated to establish a set of metrics that security professionals can use to establish, drive adoption, and operationalize their application security program. These data points should help inform decisions at different stages of program maturity while answering the basic question: is the application security program effective or not?
How to determine and justify the required resources for an application security program
AppSec managers need a justi?ャ?able AppSec approach and dataset that set parameters around the program, give a starting point, and set up how the program will grow over time. That approach starts with providing evidence that an application security program is necessary and that it will reduce risk.
To show that an AppSec program is necessary, call attention to data points around flaw prevalence in applications (76 percent) or the average cost of a data breach ($ 3.86 million).
To show that AppSec programs reduce risk, consider stats like the one from our SOSS report that found that organizations scanning for security the most (more than 300 times per year) fix flaws 11.5x faster than organizations scanning the least.
How to determine and prove that development teams are adopting software security practices
AppSec success hinges on development buy-in and engagement. Therefore, proving that your AppSec program is effective requires evidence of developer adoption.
Consider highlighting the rate at which development teams are taking advantage of APIs to integrate security into their processes Then prove that developers are taking the time to fix the identified flaws by showing your developer???s fix rate (the # of findings closed / the # of findings open).
By examining the fix rate, you can see if developers are actively adopting AppSec practices by fixing ??? not just finding ??? vulnerabilities. The fix rate also shows you where additional training or resourcing investment is needed.
How to determine if the application security program is operating efficiently
AppSec programs are meant to be ongoing ??? not a one-off project with an end date. An effective AppSec program is ultimately a component of the software development process, just like QA, and the measures of success need to reflect that.
A key metric here is the correlation between security activities early in the development process and the number of security flaws found in a release candidate or in production. For example, the figure below shows the relationship between security testing early in the development process, in the individual IDE of a software developer, and the number of flaws found in the release candidate.
In addition, use metrics to show that you???re fixing more flaws than you???re finding.
Or show that your applications are passing your security policy.
By using the metrics established in the CAB report, and adding further context and background to the metrics, you can tell the story of your AppSec program to drive further adoption.
For more tips on proving the success of your AppSec program, including additional metrics, check out our full report, Communicating Application Security Success to Your Executive Leadership.
If you???re looking to start or optimize an AppSec program in 2021, the Forrester WaveTM report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence.
Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results.
To help development teams and security and risk professionals identify the industry???s foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, ???For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice.???
The Forrester report specifically mentions, ???Veracode has invested in the developer experience.??? Veracode???s SAST offering is fully cloud-based and offers three different levels of scans that aid developers:
- IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials.
- Pipeline Scan happens in the build phase. It directly embeds into teams??? CI tooling and provides fast feedback on flaws being introduced on new commits. It helps answer the question, ???is the code my team is writing secure????
- Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, ???are my organization’s applications secure????
Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization’s code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills.
We believe prioritization is another important strength for Veracode. As the Forrester report states, ?????ヲVeracode???s graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market.??? In addition, the report states, ???References complimented Veracode’s premium support,??? and Veracode is highly rated by customers for remediation guidance. As one customer stated, ???the relationship [with Veracode] really stands out.???
Learn more
Download The Forrester WaveTM: Static Application Security Testing, Q1 2021 report to learn more on what to look for in a SAST vendor and for more information on Veracode???s position as a Leader.
Thousands of small business owners reeling from the aggressive measures taken to halt the spread of the coronavirus may have had their personal information exposed last month on a government website that handles disaster loan applications.
read more
Originally posted on 12/28/2016
It seems so tempting. Solve your application security problem by throwing an appliance at it. After all, if web applications are the most common form of attack, why not just protect them the same way you protect your network and email servers, and be done with it? Why should you spend timeツ?hunting down vulnerabilitiesツ?in your code and figuring out how to fix them?
The ???appliance throwing??? approach would be viable if web application firewalls (WAFs) were perfect, but protecting your app layer with only a WAF leaves a lot of holes. WAFs, at their heart, are black-box protection technologies that rely on inspecting incoming traffic for known attack patterns ??? and that???s often not enough. There are circumstances where WAFs will leave you vulnerable to attack, for instance:
ツ?
Missed attack due to new patterns
A WAF tries to use known attack patterns to protect an application. It can be tuned via writing rules, but attackers are coming up with new patterns all the time. In fact, creating WAF bypasses is something of a cottage industry for security researchers, to the point thatツ?you can download cheat sheets for creating WAF bypasses from security researchers like @Pentestit_ru and @themiddleblue, the editor-in-chiefツ?from 1337pwn, or the well-known OWASP foundation.
And that???s not even including the risk of new vulnerability categories. Veracode Community member Mark Merkow from HealthEquity notes, ???Even if a WAF is configured 100 percent correctly and catches and stops attacks it knows about successfully and every time, it’s still at risk for letting new attacks through, including zero-day attacks. With Web Services and API communications as the most likely future form for all apps, WAFs will become less and less useful. What will survive in this new world are well-written, high-quality, resilient applications that can stand up to endless attacks.???
ツ?
Missed attack due to application changes
Based on the results of a penetration test or other evaluation of an application, you can make a WAF very accurate by creating rules that focus on specific input fields and types of vulnerability. However, you have to maintain these rules every time the application is changed. The SANS Institute notes, “During the WAF deployment, everyone involved understands exactly which form fields and inputs are vulnerable and to which attack categories but, over time, this knowledge fades.ツ?Many organizations lack the in-house expertise to conduct penetration tests every time they change the web application or WAF configurationツ?(and miss the opportunity to ensure a vulnerability was not introduced).???
SANS issued this report over five years ago. In the intervening years, the frequency of application updates has only gotten higher thanks to increased adoption of agile software development and DevOps. This means that the window of time during which a WAF configuration should not require updates due to application changes has dramatically decreased.
ツ?
Missed attack due to configuration complexity
The same SANS report notes that it???s not uncommon for WAFs to be extended to cover more applications than they can handle, to fail under high load, or to have a high number of false positives. For this reason, some organizations configure their WAFs to alert only in the event of a potential attack, rather than try to block it ??? which means that a successful attack will likely be missed in the midst of other alerts from the WAF.
There are definitely still benefits to deploying WAFs, including avoidance of denial of service attacks and???when properly configured??? some protection against an attack. If nothing else, they slow an attacker down.
ツ?
No application security silver bullet
Effective application security requires multiple technologies that protect apps in different ways and in different stages of their lifecycle. As Veracode Community member, Glico Man, said in a recent comment, ???WAF is a ???safety net??? and may provide ???virtual patching??? until the application code is fixed??ヲ A well-configured WAF will provide more time for a developer to fix their code.???
If you???re going to use a WAF, you won???t be protecting your products from attack indefinitely. So use the time a WAF gives you wisely; figure out where the underlying vulnerabilities are in your application and fix them. For instance, consider an automated application security solution that integrates into your SDLC, allowing developers to find and remediate security-related defects early in the development process.
ツ?
Cyberattackers are increasingly focused on the application layer; it???s critical to understand both how this layer is being exploited, and which solutions protect it most effectively. To learn more about application security solutions and where to start, check out the Ultimate Guide to Getting Started With AppSec or visit the Veracode Community page. ツ?