This document discusses interactive application security testing (IAST) and introduces Seeker, an IAST tool from Synopsys. It provides an overview of trends in digital transformation and challenges in application security. It then compares different application security testing approaches and positions IAST as a solution. The remainder describes how Seeker works, how it integrates into the development process, and demonstrates its capabilities like vulnerability detection, data leak prevention, and software composition analysis.

1. © 2019 Synopsys, Inc.1
AppSec Hype or Reality?
Demystifying Interactive Application Security Test (IAST)
Asma Zubair and Kimm Yeo
SIG Product Management and Marketing

2. © 2019 Synopsys, Inc.2
Agenda
Market trends and challenges
AppSec landscape and IAST
Introducing Seeker IAST
Seeker demonstration
Q & A

3. © 2019 Synopsys, Inc.3
The pace of digital transformation today
Source: Accenture 2019 technology vision study
94%enterprises have accelerated or
significantly accelerated pace of innovations

4. © 2019 Synopsys, Inc.4
What’s next?
One of the top five technology trends for next three years
Increased risks and complexity
Enterprises are not just potential
victims, but others’ vectors
Importance of cybersecurity
One of top 5 trends for next 3years
source: Accenture 2019 Technology Vision survey with over 6k business and IT execs

5. © 2019 Synopsys, Inc.5
The pace of digital transformation today
Increased risks and complexity
Enterprises are not just potential
victims, but others’ vectors
Source: Accenture 2019 Technology Vision survey
with over 6k business and IT execs
With digital transformation becoming an even playing field, businesses recognize:

6. © 2019 Synopsys, Inc.6
Current state of cybersecurity
What does cybersecurity
look like today?
close to 50%
businesses store sensitive
data in the cloud 4
67%
security decision makers
believed app security is a
critical high priority
75%
leverage CI/CD for
automation 5
49%
of development lack time
for security testing
Only 23%
have security automation
as part of CI/CD 5
90%
of IT uses open source
software 2
60%
of codebases contain at
least one vulnerability and
license conflicts 2
79%
vectors for breaches:
web apps & software
vulnerability
11B
records breached 1
(and still counting...)
up 5% in last 8 months
Sources:
1. Privacy rights data breaches (link)
2. 2019 Open source security and risk analysis report
3. 2019 Verizon data breach investigation report
4. 2019 SANS cloud security survey results
5. 2018 DevOps and Jenkins community report

7. © 2019 Synopsys, Inc.7
AppSec tools landscape

8. © 2019 Synopsys, Inc.8
Data / Systems / Services
Application Behavior
(business logic, configuration, etc.)
Frameworks
Proprietary Code
OSS OSS OSS OSS
OSS OSS OSS
User Interface and APIs
How can our
developers produce
code with fewer
defects and security
weaknesses (CWEs)
without slowing down?
How do we track an
manage open source
use and the security
and license compliance
risks that come with it?
How do we verify that we’ve addressed exploitable
vulnerabilities and data protection issues before
and after deployment?
Finds security defects
in proprietary code:
- SQL injection
- Cross-site scripting
- Buffer overflows, etc.
Static Analysis
Finds open source
component risks:
- Known vulns
- Hidden dependencies
- New vuln alerts
Software Comp
Analysis
Finds vulnerable app behavior:
- Configuration & Authorization issues
- Data leakage
- Business logic flaws
Dynamic Analysis

9. © 2019 Synopsys, Inc.9
Building a secure SDLC toolchain
Code
development
Code commit Build Test Deploy
Production
Release
SCA, SAST,
(Deeper level)
Lightweight IDE
SAST tools
Monitoring
Pen testing
Red Teaming
TM, SAST
Manual code
review
DAST
Fuzz testing
Pen testing
Load/Performance test
Hardening checks

10. © 2019 Synopsys, Inc.10
Building secure software
is more challenging than ever
Languages
Frameworks
Open Source
Agile
CI/CD
DevOps
Web/Mobile
Containers
Cloud

11. © 2019 Synopsys, Inc.11
The challenges of building security into modern
application development and delivery
How do we integrate and
automate dynamic security
testing into our CI/CD?
How do we identify
and prioritize the most
severe vulnerabilities?
How do we minimize
the effort for developers
to find and fix
vulnerabilities?
How do we maximize
application security
AND
development velocity?
Sec

12. © 2019 Synopsys, Inc.12
Interactive Application Security Testing (IAST)

13. © 2019 Synopsys, Inc.13
Build continuous security into SDLC
How do you take siloed, disparate development, operations and
security processes and transform to an integrated tool chain?
Code
development
Code commit Build Test Deploy
Production
Release
Functional
Non- FunctionalSCA, SAST,
(Deeper level)
IAST
(Continuous run-time
text)
Lightweight IDE
SAST tools
DAST
Fuzz testing
Pen testing
Load/Performance test
Hardening checks
Monitoring
Pen testing
Red Teaming
IAST
(Continuous runtime
test)
TM, SAST
Manual code
review

14. © 2019 Synopsys, Inc.14
IAST runtime testing & analysis
• Analysis of code execution using runtime monitors
• Visibility into executed code and runtime data,
such as:
• HTTP Requests – End to End
• Parameter Propagation
• HTTP Response Writing
• Database Calls
• Database Responses
• File System Calls (& Content)
• String Manipulations
• Memory (Like Debugger “Watch”)
• Usage of 3rd Party Libraries
• Web Services Calls
• On-the-fly Code Generation
• More…
…

15. © 2019 Synopsys, Inc.15
Comparison of SAST, IAST, and DAST
SAST IAST DAST
Typically used in Development Integration and QA QA or production
Usually requires Source code Functional app and test
suite
Functional app
Integrates in CI/CD Yes Yes No, not really
Capabilities • Finds vulnerabilities
earliest in the SDLC
• Gives fast line of code
insights
• Finds vulnerabilities
during functional test
(no scans required)
• Gives runtime and line
of code insights in real
time
• Finds vulnerabilities
w/o source code or
test suite
• Requires expertise
and time to triage and
prioritize findings

16. © 2019 Synopsys, Inc.16
Introducing Seeker IAST

17. © 2019 Synopsys, Inc.17
Seeker
Seeker is our interactive application security testing tool
– Performs run time security testing
Seeker performs security testing on:
– Web apps
– Web APIs, or services
– Mobile application back-end (where a mobile app’s critical functionality
resides)
– Detects vulnerabilities in custom code as well as 3rd party code
Applications can be:
– on-premises, in the cloud, containerized
Seeker detects
– Injection flaws
– Security misconfigurations
– Sensitive data leakage
– and many more types of vulnerabilities

18. © 2019 Synopsys, Inc.18
Seeker - Automated security testing made easy
• Automatically verifies
vulnerabilities
• Creates specific Jira
tickets for developers
• Instant notification to
developers via slack or
email
Automated
Verification
Easy for Development
• ANY functional test
becomes a security test
• Continuous security testing
with results in real time
Automated
Testing
Easy for QA
• Deploy and run
via CI/CD
• Compatible with existing
automation tools
• On-premises and cloud-
based apps
Automated
Deployment
Easy for DevOps

19. © 2019 Synopsys, Inc.19
http://...
How Seeker works
Your
Application
Seeker Enterprise
Server
vulnerabilities
2
3
1 Application receives
HTTP request.
Agent analyzes code and
memory, focusing on
security-related activities
like encryption, SQL, file
access, LDAP, XPath, etc.
Results are actively
verified and reported
along with vulnerable lines
of code, runtime data, and
verification proof.
2
3
1
Seeker
Agent

20. © 2019 Synopsys, Inc.20
Seeker integrates seamlessly into the DevOps toolchain
Connect directly to Jira and your CI/CD tools with APIs and integrations
testcode operatebuild deploy
Developer
commits
the code
Functional
testing done
Build pass/fail
decision
(based on testing status)
App and Seeker
are deployed in
test environment
The build
is made
Vulnerabilities
pushed in

21. © 2019 Synopsys, Inc.21
Active verification ensures accurate results
Patented active verification engine minimizes false positives
• Automatically re-tests detected
vulnerabilities to verify that they
are real and can be exploited
• Quickly processes hundreds of
thousands of HTTP(S) requests
• Provides risk-prioritized list of verified
vulnerabilities to fix immediately

22. © 2019 Synopsys, Inc.22
Configurable sensitive data tracking
• Define parameters and patterns to identify
sensitive data in your application
• Track exposure and leakage through URLs,
logs, UI, DB, etc.
• Verify compliance with standards including
PCI, HIPAA, and GDPR
Verify security and data protection compliance by tracking leakage of any type of sensitive data

23. © 2019 Synopsys, Inc.23
Integrated eLearning
• Seeker is now integrated with Synopsys eLearning.
– Requires eLearning account/contract
• Contextual online training helps developers
understand and remediate vulnerabilities.

24. © 2019 Synopsys, Inc.24
Insight into open source use and risks
• Get visibility into supply chain risks
• Comprehensive bill of materials
• Vulnerable components
• Risk-ranked vulnerabilities
• Open source licenses
Integrated Binary Software Composition Analysis identifies vulnerable components used in code

25. © 2019 Synopsys, Inc.25
Seeker In Action
Demonstration

26. © 2019 Synopsys, Inc.30
Why Seeker ?
Designed for seamless integration
• Easy to automate or integrate into CI/CD pipeline
• Easy to deploy and configure
• Optimized for security, development and DevOps teams
Privacy and compliance
• Only AST tools with complete sensitive data tracking
• Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC
• Integrated Binary Software Composition Analysis for OSS dependencies
Developer empowerment
• Accurate findings with real time verification to help prioritize remediation
• Integrated eLearning with contextual learning on the job
• Instant alert (slack, email, webhooks) and remediation advice
Designed for scale
• Support large-scale, modern app deployments
• Framework agnostic with broad language coverage
• Comprehensive checkers

27. © 2019 Synopsys, Inc.31
Seeker helps organizations with their application security testing needs
No security testing
in place
• Seeker is perfect
as a starting tool for
automated security testing
• Security expertise
not needed
Ad-hoc security testing
Start using Seeker
during functional testing
to find vulnerabilities
early and cut down
on pen-testing
resources/cost
Ready to integrate
security in CI/CD
Integrate Seeker in
CI/CD pipeline and
automatically fail the
build if critical security
vulnerabilities are
detected
Regardless of their maturity in application security risk management process

28. © 2019 Synopsys, Inc.32
Q & A

29. Thank You
Follow us on twitter :
@zubaira, @kimm_yeo