WP What is Application Security Testing (AST) | Tools & Best Practices | Imperva

Application Security Testing

40.5k views
Testing and Assessment

What is Application Security Testing

Application security testing (AST) is the process of making applications more resistant to security threats, by identifying security weaknesses and vulnerabilities in source code.

AST started as a manual process. Today, due to the growing modularity of enterprise software, the huge number of open source components, and the large number of known vulnerabilities and threat vectors, AST must be automated. Most organizations use a combination of several application security tools.

Application Security Testing

Static Application Security Testing (SAST)

SAST tools use a white box testing approach, in which testers inspect the inner workings of an application. SAST inspects static source code and reports on security weaknesses.

Static testing tools can be applied to non-compiled code to find issues like syntax errors, math errors, input validation issues, invalid or insecure references. They can also run on compiled code using binary and byte-code analyzers.

Dynamic Application Security Testing (DAST)

DAST tools take a black box testing approach. They execute code and inspect it in runtime, detecting issues that may represent security vulnerabilities. This can include issues with query strings, requests and responses, the use of scripts, memory leakage, cookie and session handling, authentication, execution of third-party components, data injection, and DOM injection.

DAST tools can be used to conduct large-scale scans simulating a large number of unexpected or malicious test cases and reporting on the application’s response.

Interactive Application Security Testing (IAST)

IAST tools are the evolution of SAST and DAST tools—combining the two approaches to detect a wider range of security weaknesses. Like DAST tools, IAST tools run dynamically and inspect software during runtime. However, they are run from within the application server, allowing them to inspect compiled source code like IAST tools do.

IAST tools can provide valuable information about the root cause of vulnerabilities and the specific lines of code that are affected, making remediation much easier. They can analyze source code, data flow, configuration and third-party libraries, and are suitable for API testing.

Mobile Application Security Testing (MAST)

MAST tools combine static analysis, dynamic analysis and investigation of forensic data generated by mobile applications. They can test for security vulnerabilities like SAST, DAST and IAST, and in addition address mobile-specific issues like jailbreaking, malicious wifi networks, and data leakage from mobile devices.

Software Composition Analysis (SCA)

SCA tools help organizations conduct an inventory of third-party commercial and open source components used within their software. Enterprise applications can use thousands of third-party components, which may contain security vulnerabilities. SCA helps understand which components and versions are actually being used, identify the most severe security vulnerabilities affecting those components, and understand the easiest way to remediate them.

Runtime Application Self-Protection (RASP)

RASP tools evolved from SAST, DAST and IAST. They are able to analyze application traffic and user behavior at runtime, to detect and prevent cyber threats.

Like the previous generation of tools, RASP has visibility into application source code and can analyze weaknesses and vulnerabilities. It goes one step further by identifying that security weaknesses have been exploited, and providing active protection by terminating the session or issuing an alert.

RASP tools integrate with applications and analyze traffic at runtime, and can not only detect and warn about vulnerabilities, but actually prevent attacks. Having this type of in-depth inspection and protection at runtime makes SAST, DAST and IAST much less important, making it possible to detect and prevent security issues without costly development work.

Application Security Testing Best Practices

Shift security testing left

New organizational practices like DevSecOps are emphasizing the need to integrate security into every stage of the software development lifecycle. AST tools can:

  • Help developers understand security concerns and enforce security best practices at the development stage.
  • Help testers identify security issues early before software ships to production.
  • Advanced tools like RASP can identify and block vulnerabilities in source code in production.

Test internal interfaces, not just APIs and UIs

It is natural to focus application security testing on external threats, such as user inputs submitted via web forms or public API requests. However, it is even more common to see attackers exploit weak authentication or vulnerabilities on internal systems, once already inside the security perimeter. AST should be leveraged to test that inputs, connections and integrations between internal systems are secure.

Test often

New vulnerabilities are discovered every day, and enterprise applications use thousands of components, any of which could go end of life (EOL) or require a security update. It is essential to test critical systems as often as possible, prioritize issues focusing on business critical systems and high-impact threats, and allocate resources to remediate them fast.

Third-party code security

Organizations should employ AST practices to any third-party code they use in their applications. Never “trust” that a component from a third party, whether commercial or open source, is secure. Scan third-party code just like you scan your own. If you discover severe issues, apply patches, consult vendors, create your own fix or consider switching components.

See how Imperva RASP can help you with Application Security Testing.

Imperva RASP Solutions

Imperva provides RASP capabilities, as part of its application security platform. Imperva RASP keeps applications protected and provides essential feedback for eliminating any additional risks. It requires no changes to code and integrates easily with existing applications and DevOps processes, protecting you from both known and zero-day attacks.

In addition, Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible and safe. These application security solutions include:

  • DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
  • CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
  • Cloud WAF—permit legitimate traffic and prevent bad traffic. Safeguard your applications at the edge with an enterprise‑class cloud WAF.
  • Gateway WAF—keep applications and APIs inside your network safe with Imperva Gateway WAF.
  • Attack analytics—mitigate and respond to real security threats efficiently and accurately with actionable intelligence across all your layers of defense.
  • Account takeover protection—uses an intent-based detection process to identify and defends against attempts to take over users’ accounts for malicious purposes.
  • API security—protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities.
  • Advanced bot protection—analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic.