Unscientific AppSec Pain Poll

Here’s another one of my completely unscientific polls – this time about AppSec. I find it interesting to know what others think about these issues – if you have something you’d love to poll the Code Curmudgeon’s readers about, let me know in the comments.

Today’s poll is about the pain points in your AppSec tools. It might be SAST, DAST, IAST or anything else. What about it makes your the most crazy?

AppSec Resources

For articles related to this post see:
Theoretical AppSec Vulnerabilities
Why We View AppSec Vulnerabilities as False

For more security info check out the security resources page and a few of these books can help.
Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine,

Software Test Attacks to Break Mobile and Embedded Devices (Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series)

Definitioner

CAN (Controller Area Network)

Controller Area Network aka CAN aka CAN Bus is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example doors, brakes, transmission.

IAST

IAST is interactive application security testing. It's also been known variously as hybrid security testing, gray-box, and glass-box. This technique blends the inside-out approach of SAST with the outside-in approach of DAST to give you deep code-level visibility of a running application while it's in a real running state. This helps reduce false positives but still has the thoroughness limitations of black-box techniques in that it's only as good as the test suite being run in terms of coverage.

DAST

DAST tests an application for security vulnerabilities by monitoring and probing an application while it is actually running - thus the dynamic test. DAST starts from inputs and is a black-box or external view. This gives is a very realistic view of application behavior, but is difficult to be completely thorough. Penetration testing or pen-test is a common form of DAST.

SAST

SAST is security testing that is done on source, byte-code, or binaries but without actually executing them - thus the "static" testing. Typically this includes things like software metrics, static code analysis and even peer review. SAST provides a white-box or inside view to the application. It can both find possible vulnerabilities and weaknesses by looking for anti-patterns as well as enforcing secure software engineering standards by looking for proper patterns.

AppSec Resources

Leave a Reply Cancel reply