An insight into DAST, SAST and IAST: a comparison of web application security testing technologies
Friday, April 19, 2019
We are entering an era in which software defines everything. It is "the best of times and the worst of times".
Communication, payment, entertainment, catering, travel and medical care, and rockets, missiles and satellites in the defence sector, are all inseparable from software. Yet while software drives social development, its vulnerabilities can also damage personal privacy, property and even life. There are many cases of this kind.
In 2009, rockyou.com, a large social networking site, was exposed to a SQL injection vulnerability that attackers used to obtain 32 million user records, including e-mail addresses, names and passwords stored in clear text.
In 2015, TalkTalk, a UK phone and broadband provider, was attacked through a SQL injection vulnerability by a group that included a 15-year-old. Names, addresses, dates of birth and bank details of customers were stolen; initial reports spoke of four million affected customers, a figure later revised down to roughly 157,000.
In 2018, a man in Taiwan exploited a flaw in Citibank's credit card business system to spend more than NT$63 million (roughly RMB 13.45 million) by credit card. Citibank has sought compensation from the customer through the courts.
The spread of software technology has brought a security crisis with it, and solving the problem of software vulnerabilities is an urgent task for both developers and security practitioners.
To find vulnerabilities and defects, and to secure web applications both before and after delivery, we need web application security testing technology that identifies weak points in the application's architecture, and we must find them before attackers do.
After years of development, web application security testing technology falls into three categories.
DAST (Dynamic Application Security Testing) analyses the application while it is running, during the testing or operation phase. It simulates attacker behaviour by sending attacks to the running application, analyses the application's responses, and determines whether the web application is vulnerable.
SAST (Static Application Security Testing) analyses the syntax, structure, control flow and interfaces of the application's source code or binaries, usually during the coding phase, to find security vulnerabilities in the program code.
IAST (Interactive Application Security Testing) is a newer application security testing approach that Gartner proposed in 2012. Through a proxy, a VPN or an agent deployed on the server, it collects and monitors function execution and data transfer inside the web application at runtime and interacts with the scanner in real time. It identifies security defects and vulnerabilities efficiently and accurately, and can pinpoint the code file, line, function and parameter where a vulnerability lies. IAST is a runtime security detection technique that combines DAST and SAST.
This article analyses the implementation principles, advantages and disadvantages, and application scenarios of these three technologies.
DAST is a black-box testing technique and is currently the most widely used and simplest web application security testing method. Tools commonly used by security engineers, such as AWVS and AppScan, are products built on the DAST principle.
1. Implementation principle
Figure 1: DAST principle
1) A crawler discovers the structure of the whole web application: how many directories and pages the application under test has, and which parameters each of them takes;
2) For each discovered entry point, the scanner sends requests carrying attack payloads from its vulnerability feature library;
3) By analysing the responses, the scanner verifies whether a security vulnerability exists.
2. Analysis of advantages and disadvantages of DAST
DAST mainly tests the functional entry points of a web application. Testers do not need programming skills or knowledge of the application's internal logic, the implementation language of the target does not matter, and an attack feature library drives both discovery and verification, so most high-risk problems can be found. This makes DAST a very common security testing scheme in the industry. Besides the application itself, DAST can also detect vulnerabilities in third-party open source components and frameworks.
It also follows from how it works that DAST must crawl as much of the application structure as possible on the one hand, and send attack payloads to the application under test on the other. Many applications today contain Ajax pages, pages protected by CSRF tokens or captchas, orphaned API endpoints (not linked from any page), POST forms, and anti-replay policies. A crawler cannot discover these, so DAST cannot test them. Nor does DAST cover all business branches. Even when the crawler reaches a form, the content it submits is validated by the server: if the value is a mobile number, business branch 1 runs; if not, branch 2 runs. The crawler cannot know that a mobile number is expected here, so branch 1 is never tested.
In addition, DAST must send attack payloads to test for vulnerabilities, which requires security experts to keep the vulnerability scanning plug-ins up to date. This mode of testing also interferes with business testing, because the dirty data produced by security tests pollutes the business test data.
When DAST finds a vulnerability, it reports only the URL; it cannot locate the specific lines of code or the cause of the vulnerability. Locating and analysing the vulnerability takes a long time, which makes DAST poorly suited to a DevOps development environment.
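The three DAST steps above (crawl, inject, verify) and the coverage gap just described, shown as a small added example that is not code from the original article or from any of the tools it names. The "application under test" is a constructed in-process function standing in for an HTTP server; it is deliberately vulnerable (SQL injection in /user, reflected XSS in /search) and has a /signup branch that only runs for a valid mobile number, which the crawler-driven scanner never supplies. The payload library, response signatures and the mobile-number pattern are assumptions chosen for the demonstration:

```python
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# --- Constructed application under test (no network: the scanner calls it directly)
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
DB.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
EXECUTED = set()   # records which business branches actually ran during the scan


def handle_request(method, path, params):
    """Return (status, body) the way an HTTP response would."""
    if path == "/":
        return 200, ('<a href="/user?id=1">user</a>'
                     '<form action="/search" method="get"><input name="q"></form>'
                     '<form action="/signup" method="post"><input name="phone"></form>')
    if path == "/user":
        try:  # vulnerable: request value concatenated into SQL
            row = DB.execute("SELECT name FROM users WHERE id = " + params.get("id", "")).fetchone()
        except sqlite3.Error as e:
            return 500, "Database error: " + str(e)
        return 200, "user: %s" % (row[0] if row else "none")
    if path == "/search":
        return 200, "results for " + params.get("q", "")  # vulnerable: reflected unescaped
    if path == "/signup" and method == "POST":
        phone = params.get("phone", "")
        if re.fullmatch(r"1\d{10}", phone):          # assumed mobile-number format
            EXECUTED.add("branch1")
            return 200, "welcome " + phone           # also reflects, but never reached by the scanner
        EXECUTED.add("branch2")
        return 400, "invalid phone"
    return 404, "not found"


# --- Constructed DAST scanner
class LinkFormParser(HTMLParser):
    """Step 1: discover entry points (links with query strings, form fields)."""
    def __init__(self):
        super().__init__()
        self.entries = []        # (method, path, {param: default value})
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            u = urlparse(a["href"])
            self.entries.append(("GET", u.path, {k: v[0] for k, v in parse_qs(u.query).items()}))
        elif tag == "form":
            self._form = (a.get("method", "get").upper(), a.get("action", "/"), {})
        elif tag == "input" and self._form is not None and "name" in a:
            self._form[2][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.entries.append(self._form)
            self._form = None


# Step 2: attack feature library: (type, payload, response signature that confirms it)
PAYLOADS = [
    ("sqli", "1'", re.compile(r"(?i)(sql|syntax|database) error")),
    ("xss", "<svg/onload=1>", re.compile(r"<svg/onload=1>")),
]


def dast_scan(app, start="/"):
    """Crawl from `start`, inject every payload into every parameter and
    report (type, method, path, parameter) when the response matches.
    Note that a finding names only the URL and parameter, not a code line."""
    _, html = app("GET", start, {})
    parser = LinkFormParser()
    parser.feed(html)
    findings, tested = [], []
    for method, path, defaults in parser.entries:
        for name in defaults:
            for kind, payload, signature in PAYLOADS:
                params = dict(defaults, **{name: payload})
                status, body = app(method, path, params)
                tested.append((method, path, name, payload, status))
                if signature.search(body):          # Step 3: verify from the response
                    findings.append((kind, method, path, name))
    return findings, tested


if __name__ == "__main__":
    found, _ = dast_scan(handle_request)
    print("findings:", found)
    print("branches executed during scan:", sorted(EXECUTED))
```

After the scan, `EXECUTED` contains only `branch2`: the scanner exercised the /signup form, but every payload failed the mobile-number check, so the reflecting code in branch 1 was never reached and is reported as clean.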
Figure 2: advantages and disadvantages of DAST
More than 50% of security vulnerabilities are caused by incorrect coding. Developers generally lack security awareness and secure coding skills, and focus on delivering business functionality. To control vulnerabilities at the source, a code-level detection mechanism is needed. SAST is a testing scheme that detects security vulnerabilities in source code during the development phase.
1. Implementation principle
Figure 3: SAST principle
1) First, the source code of the language in question (for example Java or C/C++) is converted into an intermediate representation by the language's compiler or interpreter front end, making the call relationships, execution environment and context of the code explicit.
2) Semantic analysis: identify unsafe functions and methods used in the program.
3) Data flow analysis: track and record how data moves through the program and analyse the security issues that arise along the way.
4) Control flow analysis: analyse the security issues of executing particular operations at particular points and states of the program.
5) Configuration analysis: analyse sensitive information in the project's configuration files, as well as issues caused by missing configuration.
6) Structure analysis: analyse the program's context and the security issues in its structure.
7) The results of 2) to 6) are matched against the vulnerability patterns in the rule base; every match is reported as a vulnerability.
8) Finally, a detection report with detailed vulnerability information is produced, including the specific lines of code and suggestions for remediation.
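Steps 2), 3) and 7) above, as an added example that is not from the original article or any SAST product: a minimal source-to-sink taint analysis over a Python AST. Sources (request parameters), sanitizers (`int`, `html.escape`) and sinks (`execute`, `system`) are a small assumed rule base; taint propagates through assignments, string concatenation, `%` formatting, `.format()` and f-strings, and each finding is reported with file, line and function. The analysed program is constructed for the demonstration and contains two injections and two safe variants:

```python
import ast

# Assumed rule base: attacker-controlled sources, sanitizers, and dangerous sinks.
SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"int", "html.escape"}
SINKS = {"execute": "SQL injection", "system": "OS command injection"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return None if base is None else base + "." + node.attr
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Per-function data-flow analysis: which variables carry source data?"""

    def __init__(self, filename):
        self.filename = filename
        self.func = "<module>"
        self.tainted = {}        # variable name -> source that tainted it
        self.findings = []

    def visit_FunctionDef(self, node):
        prev = (self.func, self.tainted)
        self.func, self.tainted = node.name, {}
        self.generic_visit(node)
        self.func, self.tainted = prev

    def taint_of(self, expr):
        """Return the source name if `expr` carries attacker data, else None."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Call):
            name = dotted(expr.func)
            if name in SOURCES:
                return name
            if name in SANITIZERS:
                return None                  # sanitizer cuts the flow
            parts = list(expr.args)
            if isinstance(expr.func, ast.Attribute) and expr.func.attr == "format":
                parts.append(expr.func.value)   # "...{}".format(x): template and args
            return next((t for t in map(self.taint_of, parts) if t), None)
        if isinstance(expr, ast.BinOp):      # "a" + b, "%s" % b
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        if isinstance(expr, ast.JoinedStr):  # f"...{b}"
            values = [v.value for v in expr.values if isinstance(v, ast.FormattedValue)]
            return next((t for t in map(self.taint_of, values) if t), None)
        return None

    def visit_Assign(self, node):
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if taint:
                    self.tainted[target.id] = taint
                else:
                    self.tainted.pop(target.id, None)   # clean value overwrites taint
        self.generic_visit(node)

    def visit_Call(self, node):
        if isinstance(node.func, ast.Attribute) and node.func.attr in SINKS:
            for arg in node.args:            # only positional args reach the sink text
                source = self.taint_of(arg)
                if source:
                    self.findings.append({
                        "file": self.filename, "line": node.lineno, "function": self.func,
                        "sink": dotted(node.func), "vuln": SINKS[node.func.attr],
                        "source": source})
                    break
        self.generic_visit(node)


def analyze(source, filename):
    analyzer = TaintAnalyzer(filename)
    analyzer.visit(ast.parse(source, filename))
    return analyzer.findings


# Constructed program under analysis (not real application code).
SAMPLE = '''\
import os, html
from flask import request

def lookup(conn):
    uid = request.args.get("id")
    query = "SELECT name FROM users WHERE id = " + uid
    return conn.execute(query).fetchone()

def lookup_safe(conn):
    uid = int(request.args.get("id"))
    return conn.execute("SELECT name FROM users WHERE id = %d" % uid).fetchone()

def ping():
    host = request.form.get("host")
    os.system(f"ping -c 1 {host}")

def search():
    q = html.escape(request.args.get("q"))
    return "<p>" + q + "</p>"
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE, "app.py"):
        print("%(file)s:%(line)d %(function)s(): %(vuln)s via %(source)s -> %(sink)s" % f)
```

The analysis is intentionally simple: it is intra-procedural, does not follow taint across function calls or through containers, and treats any sanitizer as fully effective. Those simplifications are exactly where real SAST tools spend their effort, and where their false positives and false negatives come from.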
2. Analysis of advantages and disadvantages of SAST
SAST has to understand the program's code, dependencies and configuration files semantically. The advantage is high visibility into the code, so a richer set of problems can be detected, including code quality issues as well as vulnerabilities, and the range of test targets is wider than for DAST: besides web applications it can analyse applications without a user interface. Through IDE plug-ins for environments such as Eclipse and IntelliJ IDEA, code can be checked in real time while it is written, so vulnerabilities are found earlier and repair costs are lower.
Traditional SAST scans are very slow. Scanning a whole code repository takes hours or even days, which does not work well in increasingly automated continuous integration and continuous delivery (CI/CD) pipelines.
Another issue is false positives. The false positive rate of commercial SAST tools is generally above 30%. False positives reduce the usefulness of the tool, and more time may be spent triaging them than fixing real vulnerabilities.
SAST only analyses the source code, not the whole application, which forces organisations to buy a separate software composition analysis (SCA) tool; even then, SCA only identifies publicly known vulnerabilities. Unknown vulnerabilities in open source components, third-party APIs or frameworks are beyond the reach of both SAST and SCA.
Figure 4: advantages and disadvantages of SAST
IAST (Interactive Application Security Testing) is a hot new application security testing technology of recent years, and Gartner has listed it among its top 10 security technologies. IAST combines the strengths of DAST and SAST: a high detection rate, a low false positive rate, and the ability to locate the affected API and code fragment.
1. Implementation principle
IAST can be implemented in several modes, such as proxy mode, VPN mode, traffic mirroring mode and instrumentation mode. This article introduces the two most representative ones: proxy mode and instrumentation mode.
In proxy mode, a proxy is configured in the browser on the PC or in the app on the mobile device. The functional test traffic is captured through the proxy, and that traffic is then used to drive a variety of vulnerability checks against the server under test.
In instrumentation mode, a probe is inserted at specific points in the target program without altering its original logic. While the application runs, the probe obtains the request, the data flow and the control flow of the code, and determines vulnerabilities from a combined analysis of request, code, data flow and control flow. There are two instrumentation modes: active and passive.
1) Implementation principle of proxy mode
Figure 5: principle of proxy mode
a. The functional tester configures a proxy in the browser or app and enters the address of the IAST device;
b. The functional tester runs the functional tests; the test traffic passes through the IAST device, which copies it and transforms it into security test traffic;
c. The IAST device uses the transformed traffic to launch security tests against the business under test and determines vulnerabilities from the returned responses.
Some users will not accept agents being deployed in their servers and in containers running different languages. Proxy mode needs no agent on the server, but testers must configure a proxy, the security tests produce some dirty data, and vulnerability details cannot be traced to a code fragment. It suits users who want IAST but will not deploy an agent on the server.
2) Principle of active instrumentation
Figure 6: principle of active instrumentation
a. Install the IAST instrumentation agent on the server under test;
b. A DAST scanner starts the scan;
c. During the scan the instrumentation agent tracks the application's responses, additional tests, coverage and context, and sends this information to the management server, which displays the security test results.
Active instrumentation requires an agent deployed in the application under test and an external scanner to drive it: one component generates malicious traffic, the other observes how the application behaves inside, which allows vulnerabilities to be located precisely and false positives to be reduced.
Active instrumentation is best understood as an improved form of DAST. The latest versions of AWVS and AppScan both use it. AWVS integrates the AcuSensor module, which enhances periodic dynamic scanning by deploying sensors in the application's source code; AcuSensor inspects the source code while the web application executes during the scan, crawls the application from the back end, and, according to the vendor, provides full crawling coverage and finds and tests hidden inputs that black-box scanning misses. AppScan integrates its "glass box" service module, which lets AppScan handle Web 2.0, JavaScript and Ajax frameworks.
3) Principle of passive instrumentation
Figure 7: principle of passive instrumentation
a. Install the instrumentation agent on the server under test;
b. While the application runs, the instrumentation agent obtains the request, the data flow and the control flow of the code;
c. The instrumentation agent sends the collected information to the management server, which displays the security test results.
Passive instrumentation monitors the application and analyses the code as the program runs. It does not attack the web application; it only observes. This is a huge advantage, because it does not interfere with other test activities running at the same time, it needs only business tests (manual or automated) to trigger the security analysis, and it detects vulnerabilities in real time as the test traffic arrives.
The agent is the key to instrumentation mode. It has to be developed separately for each language, but its functions are essentially the same:
- Obtain request data and response data;
- Parameter passing during code execution;
- Database queries (for example via ODBC);
- Directory queries (for example LDAP) and file system permissions;
- Monitor specific values in memory to identify tainted inputs;
- Use of third-party libraries;
- Calls to external applications and services;
- Execution of specific code, and so on.
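Passive instrumentation (steps a to c above) and the agent functions just listed, as an added example that is not from the original article or from any IAST product. A constructed agent hooks two points: the request entry, where it records every request parameter value, and the database driver, where a proxy around `sqlite3.connect` intercepts `execute()`. Ordinary functional test traffic with benign values, and no attack payloads, is enough to reveal that request data reaches the SQL text verbatim, and the finding carries the request, the sink argument and the file, line and function. Matching recorded input values as substrings of the sink argument is a simplification of real taint tracking, assumed for the demonstration:

```python
import sqlite3
import threading
import traceback

# --- Constructed IAST agent (passive mode) --------------------------------
_ctx = threading.local()     # per-request state: the current request and its input values
FINDINGS = []
_AGENT_FUNCS = {"_app_frame", "check_sink", "execute"}   # frames to skip when locating code


def on_request_start(request):
    """Entry hook: remember every attacker-controlled value of this request."""
    _ctx.request = request
    _ctx.inputs = [v for v in request["params"].values() if len(v) >= 2]


def on_request_end():
    _ctx.request, _ctx.inputs = None, []


def _app_frame():
    """Nearest stack frame that belongs to the application rather than the agent."""
    for fr in reversed(traceback.extract_stack()):
        if fr.name not in _AGENT_FUNCS:
            return fr


def check_sink(kind, text):
    """Called by every instrumented sink: if a value from the current request
    appears verbatim in the sink's string argument, record a finding.
    (Simplified value matching stands in for real taint propagation.)"""
    for value in getattr(_ctx, "inputs", []):
        if value in text:
            fr = _app_frame()
            FINDINGS.append({
                "vuln": kind, "file": fr.filename, "line": fr.lineno,
                "function": fr.name, "code": fr.line, "sink_arg": text,
                "tainted_value": value, "request": _ctx.request})
            return True
    return False


class InstrumentedConnection:
    """Proxy around sqlite3.Connection; only execute() is intercepted."""
    def __init__(self, real):
        self._real = real

    def execute(self, sql, parameters=()):
        check_sink("SQL injection", sql)   # bound parameters never enter the SQL text
        return self._real.execute(sql, parameters)

    def __getattr__(self, name):
        return getattr(self._real, name)


_real_connect = sqlite3.connect


def instrumented_connect(*args, **kwargs):
    return InstrumentedConnection(_real_connect(*args, **kwargs))


sqlite3.connect = instrumented_connect     # the probe: patch the driver entry point


def instrument_app(handler):
    """Wrap the application's request handler so request entry and exit are observed."""
    def wrapped(request):
        on_request_start(request)
        try:
            return handler(request)
        finally:
            on_request_end()
    return wrapped


# --- Constructed application (contains one injection and one safe query) --
def make_app():
    conn = sqlite3.connect(":memory:")      # goes through the probe
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (42, 'alice')")

    def handler(request):
        p = request["params"]
        if request["path"] == "/user":
            # vulnerable: request value concatenated into the SQL text
            return conn.execute("SELECT name FROM users WHERE id = " + p["id"]).fetchone()
        if request["path"] == "/find":
            # safe: value passed as a bound parameter, never part of the SQL text
            return conn.execute("SELECT id FROM users WHERE name = ?", (p["name"],)).fetchone()
        return None
    return instrument_app(handler)


def run_functional_tests():
    """Ordinary QA traffic with benign values; no attack payloads are sent."""
    FINDINGS.clear()
    app = make_app()
    r1 = app({"method": "GET", "path": "/user", "params": {"id": "42"}})
    r2 = app({"method": "GET", "path": "/find", "params": {"name": "alice"}})
    return r1, r2, list(FINDINGS)


if __name__ == "__main__":
    for f in run_functional_tests()[2]:
        print("%(vuln)s in %(function)s() at %(file)s:%(line)d" % f)
        print("  sink argument:", f["sink_arg"])
        print("  tainted value :", f["tainted_value"], "from request", f["request"]["path"])
```

The request to /user with the perfectly ordinary id `42` produces a finding, while /find, which binds the same kind of value as a parameter, produces none. That is the point of passive IAST: the functional test never needs to carry a `'` or a `<script>`, no dirty data is written, and the report already names the function and line to fix.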
2. Analysis of advantages and disadvantages of IAST
The advantages and disadvantages of the IAST proxy mode were covered above and are not repeated here.
IAST determines vulnerabilities from a combined analysis of request, code, data flow and control flow, which gives high accuracy and a low false positive rate. Because instrumentation mode has access to so much application information, a reported vulnerability can be traced not just to a code line but comes with the full request and response, the complete data flow and the stack trace, which makes locating, fixing and verifying it straightforward. It also supports testing Ajax pages, CSRF-token pages, captcha pages, orphaned API endpoints, POST forms and similar environments.
IAST instrumentation mode completes the security test in real time while the functional tests run, and is unaffected by the complexity of the software, so it suits products of any complexity. Besides weaknesses in the application itself, it can detect the versions and publicly known vulnerabilities of the third-party software the application depends on. The whole process needs no involvement from security experts, no extra security testing time, and no change to the existing development process, which meets the demands of rapid iteration and delivery under agile and DevOps.
The core of IAST is the probe, which must be developed separately for each language. It can only run in languages with a managed runtime, such as Java, C#, Python and Node.js; languages such as C, C++ and Go are not supported. Secondly, because the agent is integrated into the real web server, its stability is critical, every update requires a web server restart, and deployment cost is high. Business logic vulnerabilities are another problem IAST cannot solve.
Figure 8: advantages and disadvantages of IAST instrumentation mode
The above has analysed the implementation principles and the advantages and disadvantages of DAST, SAST and IAST. None of the three is simply better than the others: each solves problems in different scenarios, and security engineers need to select the appropriate technology for the problem at hand.
Figure 9: comparison of DAST, SAST and IAST
DAST is best suited to monitoring the production environment, SAST to code analysis during development, and IAST to the QA stage.
The author's company has brought all three application security testing technologies to market.
In the development stage, source code security auditing that engages directly with programmers is built on SAST. The main annoyance of SAST tools for users is false positives; through data-flow call analysis, variable association analysis, machine learning and other means, the false positive rate is greatly reduced, the burden on security testers is lowered, the user experience is improved, and the cost of using the tool falls.
In the testing stage, the IAST-based product supports seven traffic collection modes, including proxy, VPN, traffic messenger, traffic mirroring, crawler, log import and passive instrumentation, which genuinely combines the advantages of DAST, SAST and IAST. The vendor reports a very high detection rate, covering logic vulnerabilities that standard IAST cannot detect such as horizontal and vertical privilege escalation, and a false positive rate close to zero. Vulnerability details point directly to the request, the data flow and the code fragment, which makes fixes easier; passive instrumentation means requests are not replayed and no dirty data is created, and scenarios involving encryption, anti-replay and request signing are all covered; vulnerabilities are detected in near real time as the application runs.
In the production stage, DAST is used to build an asset risk monitoring system that monitors the live business environment of a large number of enterprise customers. From the attacker's perspective it discovers the enterprise's assets, exposed surfaces and application vulnerabilities, and secures the production environment. Its deployment follows the way the business is used, supporting the Internet, enterprise IDC, private cloud, public cloud and hybrid cloud scenarios.
Related reading
Gartner Magic Quadrant: Top 10 application security testing services
An innovative sensitive data security technology: interactive application security test (IAST)