Security is shifting left. The domain was once cut-off from engineers, with security teams claiming full ownership of security testing. Developers were only looped in when it came time to start fixing. But, with the advent of developer-centric security tools, we are beginning to overcome these divides.
If you have begun to add application security testing to your CI/CD pipeline, you likely are reaping the rewards of fixing vulnerabilities pre-merge. Advanced development shops are taking this to the next level by leveraging multiple types of automated security testing in the build pipeline.
What are they finding? Using different types of security tooling together, like SCA and DAST, is the best way to ship secure code fast.
[If you are a developer just starting automated security testing in CI/CD and aren’t sure where to start, check out our how-to guide.]
Software Composition Analysis (SCA) Tools
The most commonly used developer-centric application security tool is Software Composition Analysis (SCA). SCA is great for identifying vulnerabilities in the open source tree within your application, often with automated pull requests to update to patched versions.
These types of vulnerabilities are incredibly pervasive. Seven in every 10 applications were found to have flaws in their open source libraries (on initial scan). And this number continues to climb year over year. 2019 saw a 50% increase in the number of open source vulnerabilities found compared to 2018.
Anyone using open source should be using SCA!
But don’t stop there.
Dynamic Application Security Testing (DAST)
While you may not be familiar with the name Dynamic Application Security Testing, you have likely encountered this form of testing via penetration testing engagements. Whether run by an internal security team or an external firm, these historically have been manual tests run against the production application.
New tools, however, are becoming available that make it possible to run automated DAST tooling in CI/CD, right along SCA.
While SCA looks at your source code, developer-centric DAST examines your specific application and your underlying APIs. It allows you to find vulnerabilities your team may have introduced, like cross-site scripting or external redirects.
This is hugely important for developers trying to ship secure code because DAST looks at an application holistically. The majority of the top web application security risks as classified by OWASP are found by DAST, not SCA.
These types of issues are pervasive. 69.1% of applications have more home-grown vulnerabilities than open source vulnerabilities. The code we are writing ourselves isn’t as secure as we like to think.
As applications evolve to more modern formats, vulnerabilities don’t stop. Malicious actors have begun to exploit newer attack vectors such as API endpoints and unvalidated API payloads. Automated tooling makes scanning sophisticated services simple so you can be sure vulnerabilities are caught before they are exploitable.
Lastly, dev-centric DAST tools give developers the right information to find vulnerabilities and triage them appropriately. If a vulnerability is of high criticality, you have the power to find and fix immediately. For low risk vulnerabilities, you can mark them as something like ‘False Positive’ or ‘Risk Accepted’. Modern tools reduce noise by only grabbing your attention with new or untriaged findings.
Find, fix and continue developing.
SCA + DAST = Where the Magic Happens
To truly ensure that you are delivering secure applications, you should be using SCA and DAST together.
SCA gives you a picture of open source vulnerabilities so you have a strong foundation to develop on top of.
DAST gives you a look at what vulnerabilities are actually exposed in your specific service so you can have confidence that what you have created is secure.
By deploying the two together you are protecting yourself from the most common vulnerabilities and making it easier to fix security bugs when you do find them. Teams using multiple scan types find vulnerabilities faster.
If the scans are automated like with SCA and developer-centric DAST, you can expect a 17.5 day faster fix time. Stop asking which type of security tool you should use and start thinking about how to use them together in CI/CD.
Put the right tools in your security arsenal and you will find and fix vulnerabilities faster. Then, get back to product development.