Abstract: Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are: • An understanding the real value of each type of AST tool (SAST, DAST, IAST); • How to leverage your tools for better security visibility and process efficiency; • Steps to find the right tool for your security program; • Keys to finding the best stage of the SDLC to implement each tool type within your security program; • How to integrate new tools with your existing DevOps or Agile environments and processes Additional Takeaways: • Examine the strengths and limitations of SAST, DAST, and IAST tools • Learn how to choose the right tools for your security program • Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes • Provide security visibility to developers, managers, and executives by enhancing your existing technology • Learn to use your tools to improve the efficiency of security tasks that are currently manual

1. Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com
What Good is this tool?
A Guide to Choosing the Right Application Security Testing Tools
OWASP LASCON
Austin, TX
Oct 24, 2014

2. whoami
Kevin Fealey
Senior Security Engineer @ Aspect Security
Lead of Aspect’s Security Automation Division
General Goals:
Streamline Security Processes
Improve Security Visibility
Bridge gaps between tech and business people
What Good is this Tool? 2

3. Takeaways
• Differences between SAST, DAST, IAST
• Tips for choosing the right tools
• Tips for choosing the right integration points
What Good is this Tool? 3

4. Why do we need tools?
What Good is this Tool? 4
More apps to
review
Flat AppSec
budgets
A need for
scalable, efficient
solutions
Vulnerabilities
are being
introduced

5. RASP
• Runtime
Application
Self/Security
Protection
• Essentially IAST
that modifies
data in
memory to
protect your
running
application.
• Think WAF in
the runtime
environment
(.NET/JVM)
What Good is this Tool? 5
DAST (Dynamic) SAST (Static)
Scans interface of running application
• “Black box testing”
• Simulates a live attacker
• Sends HTTP requests
• Analyses HTTP responses
• “Instrumentation”
• Uses an “agent” to monitor application inner-workings
• Similar to running a debugger on a running application
• Access to HTTP requests/responses, as well as call stack
• Contrast and Quotium are the only current vendors
Scans source code/binaries/byte code
Monitors inner workings of running application
• “White box testing”
• Advanced grep for dangerous patterns
• Data/Control flow analysis
• Checks all possible code execution paths
Types of AST Tools
• “Hybrid analysis”
• Correlates SAST and DAST results
• Use “agents” to monitor application inner-workings and
report back to a black-box scanner
• Use SAST output to improve DAST coverage
• Most major vendors have an IAST solution
Various Implementations
IAST (Interactive/Intrinsic/Integrated)

6. What’s Better?
What Good is this Tool? 6

7. What’s Better?
What Good is this Tool? 7

8. Popular AST Tool Vendors
What Good is this Tool? 8

9. Popular AST Tools
What Good is this Tool? 9
Other vendors:
• Parasoft
• SonarQube
• Microsoft
• Coverity/Synopsys
Open Source:
• FindBugs
• Find Security Bugs
• OWASP ZAP
• OWASP Dependency Check
• PMD
Many, many more…

10. Before Contacting a Vendor
• Which tools are most “compatible” with your applications?
• Where do the tools fit in your SDLC?
What Good is this Tool? 10

11. Which tools are compatible?
• Is there a compatible IAST solution for you?
• How good are your test cases?
• Do you enforce common security controls?
• What is your threshold for false positives/negatives?
• Do you use Java frameworks?
What Good is this Tool? 11

12. Language Support
http://www.quotium.com/seeker/technologies/
http://www1.contrastsecurity.com/supported-technologies
What Good is this Tool? 12

13. Framework Support
What Good is this Tool? 13

14. Javascript heavy?
What Good is this Tool? 14

15. Required Security Controls
What Good is this Tool? 15
Your developers know what not to do..
Do they know what to do?

16. Test Case Coverage
What Good is this Tool? 16
Your Application
Attack Surface
Potential Attacks
IAST tools are only as good as the test cases that drive them

17. F+/- Threshold
What Good is this Tool? 17
Out of the box, most SAST tools produce THOUSANDS of false
positives on an average size application

18. Additional Considerations
• Evaluating 3rd party libraries
• Vulnerable dependencies (known CVEs)
• SaaS vs product
• Cost
• SDLC integration points
What Good is this Tool? 18

19. Sweet new pool table!
What Good is this Tool? 19
Where should we put it?

20. AST Tools in the SDLC
• The best place for a tool depends on your SDLC model
• Most tools have multiple potential integration points
• Sprinkle security throughout the SDLC
What Good is this Tool? 20

21. Waterfall Processes
What Good is this Tool? 21
Development
• IDE Plugin
• Runtime
Agent
• Command
line tools
QA
• Runtime
Agent
• Browser
plugin/proxy
Security Testing
• Desktop
Tools
• Command
line tools
• Runtime
Agent
This is where most
testing happens
today

22. Agile Processes
What Good is this Tool? 22
Development
• IDE Plugin
• Runtime
Agent
• Command
line tools
QA
• Runtime
Agent
• Browser
plugin/proxy
Security Testing
• Desktop
Tools
• Command
line tools
• Runtime
Agent
DevOps
• Any fast,
high-
confidence
test
• Manage
Deployment
from CI
Continuous
Integration
Runtime
Agent
Command
line tools
Browser
plugin/proxy
Desktop
Tools (with
CLI)
Automated
Results fed
back to
development

23. Where to Integrate
• Are you using continuous integration/continuous delivery?
• Do your developers have time to run scans?
• Do you have a QA team?
• Integrate at test, but simplify the workflow
What Good is this Tool? 23

24. Integrate with Existing Tools
What Good is this Tool? 24
Many tools you already use, like Jenkins, are extensible

25. AST Tools in the SDLC
• Regardless of where you integrate..
– Provide security feedback as early as possible
– Automate as much as possible
– The more transparent the process, the more likely it will be
accepted
What Good is this Tool? 25
$139.00 $1,390.00
$2,780.00
$4,170.00
$-
$1,000.00
$2,000.00
$3,000.00
$4,000.00
$5,000.00
Coding Testing Beta Release
Cost to Fix a Vulnerability
Depends on When it is Found

26. Process Efficiency
What Good is this Tool? 26
AST Server with Several Code Repositories
Developer for application Y
Developer for application Z
Developer for application X
Code repository for
Application X
Code repository for
Application Y
Code repository for
Application Z
Build server for Application X
Build server for Application Y
Build server for Application Z
CI Server

27. Simplify your workflows
What Good is this Tool? 27
Security Analyst
Only new findings
are triaged
Scan Server
Scan Results
Downloaded
Triaged Scan Results
Security Analyst
Subsequent Scans
Triaged
Results
Uploaded
Scan Results
Downloaded
New Vulnerabilities
Already Triaged
Initial Scan
Use of a centralized environment drastically reduces the time
required for subsequent assessments

28. General Recommendations
• If IAST is a good fit for you, use it.
• If possible, use at least 2 AST technologies.
– Encourage communication between your AST teams. Don’t create
more silos within your security group.
• Prototype/pilot a deployment with a free tool
• Sprinkle security throughout the SDLC
• Get Continuous
What Good is this Tool? 28

29. Still not sure what to do?
• Come talk to me
• You are not alone.
Kevin.Fealey@AspectSecurity.com
Questions or positive feedback?
What Good is this Tool? 29