Software vulnerabilities are a pervasive problem, with a staggering 84% of software breaches exploiting weaknesses at the application layer. This alarming statistic underscores the critical need for robust application security testing (AST) tools. However, the sheer volume of AST tools available can be overwhelming for IT leaders, developers, and engineers seeking the right solutions. This article aims to clarify the landscape of commercial automated scanning tools, focusing on the best options available in 2018 and categorizing them to guide you in selecting the most appropriate tool for your needs.
Application security is not a simple on-off switch. Instead, it’s a layered approach where each security measure incrementally reduces risk. Application security testing is a crucial component of this approach, significantly lowering application risks, although it cannot eliminate them entirely. The goal is to mitigate the most easily addressable risks and fortify your software against potential threats.
The primary driver for adopting AST tools is the limitations of manual code reviews and traditional testing methods, which are often slow and struggle to keep pace with the constant emergence of new vulnerabilities. Furthermore, many industries face regulatory mandates requiring the use of AST tools. Crucially, malicious actors also utilize sophisticated tools, making it imperative for security professionals to employ equally advanced defenses.
Automated scanning tools offer numerous advantages, enhancing the speed, efficiency, and breadth of application testing. These tools ensure repeatable and scalable testing – once a test case is defined, it can be applied across extensive codebases with minimal additional effort. AST tools excel at identifying known vulnerabilities and weaknesses, facilitating efficient triage and classification of findings. They also play a vital role in remediation workflows, particularly in verification, and aid in identifying security trends and patterns.
A Guide to Commercial Application Security Testing Tools
[Figure: Pyramid graphic illustrating the categories of application security testing tools (SAST, DAST, SCA, Database Scanning, IAST, MAST, ASTaaS, Correlation, Test Coverage, and ASTO), ordered from foundational methods at the base to progressive methods at the top.]
This graphic illustrates the different classes of application security testing tools commercially available in 2018. While some products may span multiple categories, this pyramid provides a general classification. The tools at the base are considered foundational, and as organizations mature their security practices, they often progress to the more advanced methods higher in the pyramid.
Static Application Security Testing (SAST) – White Box Commercial Scanners
Static Application Security Testing (SAST) tools, often referred to as white-box testing, are commercial scanners that analyze the internal workings of an application. These tools require knowledge of the system, including access to source code and architecture diagrams. SAST tools examine source code at rest to pinpoint and report weaknesses that could lead to security vulnerabilities.
Commercial source-code analyzers can operate on non-compiled code to detect defects such as numerical errors, input validation flaws, race conditions, path traversal vulnerabilities, and pointer/reference issues. Binary and byte-code analyzers perform similar checks on compiled code. Some commercial tools specialize in source code, others in compiled code, and some support both. In 2018, SAST tools were a mature and essential part of commercial application security.
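To make the "source code at rest" idea concrete, here is an added example (not code from the original article or from any SAST vendor) of the smallest useful static analysis: an intra-procedural taint check over a Python AST. Every function parameter is treated as untrusted input, assignments propagate that taint, and a report is raised when a tainted value reaches a file-system sink. The sink set (`open`), the sanitizer names (`basename`, `secure_filename`) and the sample program are all assumptions made for the illustration; a commercial scanner carries thousands of such rules and tracks flows across functions and files.

```python
import ast
from dataclasses import dataclass

# Assumptions of this toy analyzer (not a product's rule set): the bare open()
# builtin is the file-system sink, and os.path.basename()/secure_filename()
# are treated as sanitizers that strip directory components from a name.
SINKS = {"open"}
SANITIZERS = {"basename", "secure_filename"}


@dataclass
class Finding:
    function: str
    line: int
    sink: str
    tainted_var: str


def _call_name(call: ast.Call):
    """Final name of the callee: open -> 'open', os.path.join -> 'join'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _names_in(node: ast.AST) -> set:
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _is_sanitized(node: ast.AST) -> bool:
    """True if a sanitizer call appears anywhere in the expression (simplification)."""
    return any(isinstance(n, ast.Call) and _call_name(n) in SANITIZERS
               for n in ast.walk(node))


class _TaintVisitor(ast.NodeVisitor):
    """Intra-procedural taint tracking: parameters are the untrusted sources."""

    def __init__(self, func: ast.FunctionDef):
        self.func_name = func.name
        self.tainted = {a.arg for a in func.args.args}
        self.findings = []

    def visit_Assign(self, node: ast.Assign):
        self.generic_visit(node)  # the right-hand side may itself contain a sink call
        if _is_sanitized(node.value):
            carried = set()
        else:
            carried = _names_in(node.value) & self.tainted
        for target in node.targets:
            if isinstance(target, ast.Name):
                if carried:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data

    def visit_Call(self, node: ast.Call):
        name = _call_name(node)
        if name in SINKS:
            for arg in node.args:
                hit = set() if _is_sanitized(arg) else _names_in(arg) & self.tainted
                if hit:
                    self.findings.append(
                        Finding(self.func_name, node.lineno, name, sorted(hit)[0]))
                    break
        self.generic_visit(node)


def analyze(source: str):
    """Scan Python source at rest and report tainted data reaching a file sink."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            visitor = _TaintVisitor(node)
            for stmt in node.body:
                visitor.visit(stmt)
            findings.extend(visitor.findings)
    return findings


# Constructed sample program under analysis (not from any real project).
SAMPLE = '''
import os

def read_report(base_dir, filename):
    path = os.path.join(base_dir, filename)   # untrusted filename flows into the path
    with open(path) as fh:                    # sink: path traversal candidate
        return fh.read()

def read_report_safe(base_dir, filename):
    safe = os.path.join(base_dir, os.path.basename(filename))  # directory parts stripped
    with open(safe) as fh:
        return fh.read()

def read_fixed():
    with open("/etc/hostname") as fh:         # constant path, nothing attacker-controlled
        return fh.read()
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.function}:{f.line} tainted '{f.tainted_var}' reaches {f.sink}()")
```

Only `read_report` is reported: the sanitized and constant-path variants are cleared by the rule set. The same structure (sources, propagation, sanitizers, sinks) is what the commercial tools described here scale up, which is also why they need the source code rather than a running instance.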
Dynamic Application Security Testing (DAST) – Black Box Commercial Scanners
Dynamic Application Security Testing (DAST) tools, in contrast to SAST, are considered black-box testing. These commercial scanners assess an application from the outside, without prior knowledge of its internal structure. They detect conditions indicative of security vulnerabilities in a running application. DAST tools operate on live code to identify issues in interfaces, request/response handling, scripting (like JavaScript), data injection vulnerabilities, session management, and authentication mechanisms.
Commercial DAST tools frequently employ fuzzing techniques, which involve bombarding an application with a high volume of invalid and unexpected test cases to uncover vulnerabilities. In 2018, DAST tools were a crucial part of a comprehensive commercial security strategy, especially for externally facing applications.
Origin Analysis/Software Composition Analysis (SCA) – Commercial Component Scanners
Software governance relying on manual inspections is inherently flawed. Software Composition Analysis (SCA) tools are commercial scanners designed to analyze software and identify the origin of all components and libraries within it. These tools are particularly effective at detecting known vulnerabilities in common and widely used components, especially open-source components. However, they do not identify vulnerabilities in custom-developed, in-house components.
Commercial SCA tools excel at pinpointing common and popular libraries and components, particularly open-source elements, by comparing the modules found in the code against databases of known vulnerabilities. SCA tools identify components with documented vulnerabilities and often provide recommendations for updates or patches.
Most commercial SCA tools in 2018 used the Common Vulnerabilities and Exposures (CVE) entries in the NIST National Vulnerability Database as their primary source of vulnerability information. Many also drew on commercial vulnerability databases such as VulnDB, as well as other public and proprietary sources. SCA tools can analyze source code, byte code, binary code, or a combination of these. In 2018, SCA was gaining prominence as software supply chain security became a major concern for commercial applications.
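The matching step that the SCA paragraphs describe (components found in the code compared against a database of known-vulnerable versions) is shown below as an added example; it is not code from the original article or from any SCA product. The manifest, the package names and the advisory records are constructed for the illustration, and the advisory ids are placeholders rather than CVE or vendor identifiers. Two details matter in practice and are included: package names are normalized before lookup (PEP 503 style), and versions are compared numerically rather than as strings.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample manifest (requirements.txt style); the package names are fictional.
MANIFEST = """\
# pinned dependencies of the constructed sample application
ExampleLib==1.4.2
toyjson==2.0.0
netutil_demo==0.9.1
"""

# Constructed advisory database. The ids are placeholders, not real CVE or vendor
# identifiers; a real SCA tool loads the NVD/CVE feed or a commercial database here.
# Affected range is [introduced, fixed); fixed=None means no patched release exists.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "package": "toyjson",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-003", "package": "netutil-demo",
     "introduced": "0.9.0", "fixed": None, "severity": "high"},
]


@dataclass
class Finding:
    package: str
    installed: str
    advisory: str
    severity: str
    recommendation: str


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Dotted numeric versions compare as integer tuples, so '1.10' > '1.9'."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict:
    """Return {normalized name: pinned version} for every 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        if version:
            pins[normalize_name(name)] = version.strip()
    return pins


def is_affected(installed: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when installed lies in [introduced, fixed), or at/after introduced with no fix."""
    v = parse_version(installed)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(manifest: str, advisories: list) -> list:
    """Match the manifest's pinned components against the advisory database."""
    findings = []
    pins = parse_manifest(manifest)
    for adv in advisories:
        installed = pins.get(normalize_name(adv["package"]))
        if installed is None or not is_affected(installed, adv["introduced"], adv["fixed"]):
            continue
        if adv["fixed"]:
            fix = f"upgrade to {adv['fixed']} or later"
        else:
            fix = "no fixed release; apply vendor mitigation or replace the component"
        findings.append(Finding(adv["package"], installed, adv["id"], adv["severity"], fix))
    return findings


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f.package}=={f.installed}: {f.advisory} ({f.severity}) -> {f.recommendation}")
```

`toyjson==2.0.0` produces no finding because the pinned version equals the fixed version, which is exactly the boundary a string comparison or an off-by-one range check gets wrong; `netutil_demo` is matched despite the underscore in the manifest because both sides are normalized first.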
Database Security Scanning – Commercial Database Vulnerability Scanners
The SQL Slammer worm in 2003, which exploited a database vulnerability with a patch available for over a year, highlighted the importance of database security. While databases are not always considered direct application components, they are integral to most applications, and application security heavily impacts database security. Commercial database security scanning tools check for missing patches and outdated versions, weak passwords, configuration errors, Access Control List (ACL) issues, and more. Some advanced commercial tools can also analyze logs for anomalies like excessive administrative activities.
Commercial database scanners typically operate on static data at rest within a running database management system. Certain scanners can also monitor data in transit. In 2018, database security scanning was recognized as a vital layer of commercial application security, especially for data-driven applications.
Interactive Application Security Testing (IAST) and Hybrid Tools – Advanced Commercial Scanners
Hybrid approaches to application security testing had been around for some time, but Interactive Application Security Testing (IAST) emerged as a distinct category. IAST tools are advanced commercial scanners that combine static and dynamic analysis techniques. They go beyond simply identifying vulnerabilities; they can verify if known code vulnerabilities are actually exploitable in a running application.
Commercial IAST tools leverage application flow and data flow knowledge to construct sophisticated attack scenarios. They use dynamic analysis results iteratively: as a dynamic scan progresses, the tool learns about the application’s behavior in response to test cases. This learning informs the creation of subsequent test cases, leading to deeper insights. IAST tools are effective at minimizing false positives and are well-suited for Agile and DevOps environments where traditional standalone DAST and SAST tools might be too time-consuming for rapid development cycles. In 2018, IAST was gaining traction as a more efficient and accurate approach to commercial application security testing.
Mobile Application Security Testing (MAST) – Specialized Commercial Mobile Scanners
The Open Web Application Security Project (OWASP) top 10 mobile risks in 2016 included:
- Improper platform usage
- Insecure data storage
- Insecure communication
- Insecure authentication
- Insufficient cryptography
- Insecure authorization
- Client code quality
- Code tampering
- Reverse engineering
- Extraneous functionality
Mobile Application Security Testing (MAST) tools are specialized commercial scanners designed for mobile applications. They blend static, dynamic, and forensics analysis techniques. While performing similar functions to traditional SAST and DAST tools, MAST tools are adapted for mobile code and incorporate features specific to mobile security. These include checks for jailbreaking or rooting, spoofed Wi-Fi connections, certificate handling and validation, and data leakage prevention. In 2018, with the proliferation of mobile applications in the commercial space, MAST tools became increasingly important.
Application Security Testing as a Service (ASTaaS) – Commercial Cloud-Based Scanning Services
Application Security Testing as a Service (ASTaaS) provides commercial security testing on a subscription basis. ASTaaS offerings typically combine static and dynamic analysis, penetration testing, API testing, risk assessments, and more. ASTaaS is applicable to various application types, particularly web and mobile apps.
The rise of cloud applications in 2018 fueled the adoption of ASTaaS, as cloud environments facilitate easier resource allocation for testing. Global spending on public cloud computing was projected to rise significantly between 2015 and 2020, highlighting the growing importance of cloud-based security solutions like ASTaaS.
Correlation Tools – Commercial Result Aggregation Platforms
False positives are a significant challenge in application security testing. Correlation tools are commercial platforms designed to mitigate this issue by centralizing findings from various AST tools.
These tools aggregate and analyze results from different AST scanners, aiding in validation, prioritization, and remediation workflows. While some correlation tools may include code scanning capabilities, their primary function is to import and process findings from other tools. In 2018, as organizations deployed multiple AST tools, correlation tools became essential for managing and making sense of the combined results.
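As an added example of what a correlation platform does with imported results (this is illustrative code written for this page, not the article's or any vendor's implementation), the block below normalizes findings from two hypothetical scanners with different output schemas, fingerprints each finding by file, line and CWE, merges duplicates so that agreement between tools raises a finding's rank, applies a suppression list for triaged false positives, and orders the remainder for remediation. The two tool schemas, file paths and messages are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed output of two hypothetical scanners. The schemas are invented to show
# normalization and are not copied from any real product's report format.
TOOL_A_OUTPUT = [
    {"file": "src/app/files.py", "line": 42, "cwe": "CWE-22", "severity": "High",
     "message": "Path traversal: user input reaches open()"},
    {"file": "src/app/db.py", "line": 17, "cwe": "CWE-89", "severity": "Critical",
     "message": "SQL statement built with string formatting"},
]
TOOL_B_OUTPUT = [
    {"location": "./src/app/files.py:42", "weakness": 22, "level": 3,
     "title": "Uncontrolled path in file open"},
    {"location": "./src/app/auth.py:88", "weakness": 798, "level": 2,
     "title": "Hard-coded credential"},
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RANK_TO_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}


@dataclass
class Finding:
    file: str
    line: int
    cwe: str
    severity: str
    sources: list = field(default_factory=list)
    messages: list = field(default_factory=list)

    @property
    def fingerprint(self) -> str:
        """Stable id for deduplication and for suppression lists across scans."""
        key = f"{self.file}:{self.line}:{self.cwe}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def normalize_path(path: str) -> str:
    """Both tools should agree on a path spelling before fingerprints are compared."""
    return path[2:] if path.startswith("./") else path


def from_tool_a(rec: dict) -> Finding:
    return Finding(normalize_path(rec["file"]), rec["line"], rec["cwe"],
                   rec["severity"], ["tool-a"], [rec["message"]])


def from_tool_b(rec: dict) -> Finding:
    path, _, line = rec["location"].rpartition(":")
    return Finding(normalize_path(path), int(line), f"CWE-{rec['weakness']}",
                   RANK_TO_SEVERITY[rec["level"]], ["tool-b"], [rec["title"]])


def correlate(findings: list, suppressed=()) -> list:
    """Merge duplicates across tools, drop suppressed fingerprints, rank for remediation."""
    merged = {}
    for f in findings:
        if f.fingerprint in suppressed:  # previously triaged as a false positive
            continue
        existing = merged.get(f.fingerprint)
        if existing is None:
            merged[f.fingerprint] = f
            continue
        # Same file/line/CWE seen by another tool: keep the higher severity, record both sources.
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[existing.severity]:
            existing.severity = f.severity
        existing.sources.extend(f.sources)
        existing.messages.extend(f.messages)
    # Prioritize findings confirmed by more than one tool, then by severity.
    return sorted(merged.values(),
                  key=lambda f: (len(f.sources), SEVERITY_RANK[f.severity]),
                  reverse=True)


def run_example() -> list:
    findings = [from_tool_a(r) for r in TOOL_A_OUTPUT] + [from_tool_b(r) for r in TOOL_B_OUTPUT]
    return correlate(findings)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.fingerprint} {f.severity:<8} {f.file}:{f.line} {f.cwe} "
              f"confirmed by {len(f.sources)} tool(s)")
```

Four raw results become three findings; the path traversal reported by both tools sorts first even though the SQL injection carries the higher severity, which is the validation signal correlation tools exist to surface.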
Test-Coverage Analyzers – Commercial Code Coverage Measurement Tools
Test-coverage analyzers are commercial tools that measure how much of the program code is exercised during testing. Results are typically reported as statement coverage (the percentage of code lines executed) or branch coverage (the percentage of decision branches exercised).
For large applications, predefined acceptable coverage levels can be compared against analyzer results to expedite testing and release cycles. These tools can also identify unreachable code segments, which represent inefficiencies and potential security risks. While some SAST tools integrated coverage analysis, standalone commercial products also existed in 2018, though primarily for specialized use cases.
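The measurement these two paragraphs describe is shown below as an added example, written for this page rather than taken from the article or from any coverage product: statement coverage of a function computed by tracing which lines execute under a given test suite, with the lines never reached listed so they can be compared against a coverage threshold. It uses CPython's `sys.settrace` and `dis.findlinestarts`; the target function and the two test suites are constructed for the illustration.

```python
import dis
import sys
from typing import Callable, Iterable, List, Tuple


def executable_lines(func: Callable) -> set:
    """Lines of the function body that carry bytecode, i.e. countable statements."""
    code = func.__code__
    lines = {line for _, line in dis.findlinestarts(code) if line is not None}
    # Newer CPython attributes the function prologue to the 'def' line; it is not a statement.
    lines.discard(code.co_firstlineno)
    return lines


def measure_statement_coverage(func: Callable, inputs: Iterable[tuple]) -> Tuple[float, List[int]]:
    """Run func on each argument tuple under a trace hook and return
    (percentage of statements executed, sorted statement lines never reached)."""
    code = func.__code__
    executable = executable_lines(func)
    hit = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is code:
            hit.add(frame.f_lineno)
        return tracer  # keep receiving events for this frame

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in inputs:
            func(*args)
    finally:
        sys.settrace(previous)

    covered = executable & hit
    percent = 100.0 * len(covered) / len(executable) if executable else 100.0
    return round(percent, 1), sorted(executable - hit)


def classify_request(method: str, path: str) -> str:
    # Constructed target with several branches (not from any real application).
    if method not in ("GET", "POST"):
        return "reject"
    if path.startswith("/admin"):
        return "admin"
    if method == "POST":
        return "write"
    return "read"


# Constructed test suites: the partial one never exercises the reject and admin branches.
PARTIAL_SUITE = [("GET", "/index"), ("POST", "/items")]
FULL_SUITE = PARTIAL_SUITE + [("DELETE", "/index"), ("GET", "/admin/users")]


def uncovered_line_count(suite) -> int:
    """Number of statement lines in classify_request that the suite never reached."""
    return len(measure_statement_coverage(classify_request, suite)[1])


if __name__ == "__main__":
    for name, suite in (("partial", PARTIAL_SUITE), ("full", FULL_SUITE)):
        percent, missed = measure_statement_coverage(classify_request, suite)
        print(f"{name}: {percent}% statement coverage, unreached lines {missed}")
```

The partial suite reaches five of the seven statements, and the two it misses are the rejection and admin branches, which is exactly the kind of untested security-relevant code a coverage threshold is meant to flag before release. Branch coverage needs one more step (recording which outcome of each conditional was taken), which the commercial tools add on top of the same tracing idea.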
Application Security Testing Orchestration (ASTO) – Emerging Commercial Management Platforms
Application Security Testing Orchestration (ASTO) aims to integrate security tooling across the Software Development Lifecycle (SDLC). Gartner coined the term in 2018 to describe an emerging field; tools performing ASTO-like functions, mainly from correlation tool vendors, were already on the market, however. The core concept of ASTO is centralized, coordinated management and reporting for all AST tools within an ecosystem. While still in its early stages in 2018, ASTO addressed a growing need for streamlined management of automated security testing.
Selecting Commercial Testing Tool Types in 2018
Choosing the right commercial AST tool types involves considering various factors. A crucial first step is simply to begin using these tools. A 2013 Microsoft study revealed that a significant percentage of developers did not prioritize secure coding practices. Avoiding this trend is paramount.
Several factors guide the selection of AST tool types and specific commercial products within each category. It’s important to recognize that no single tool provides a complete security solution. The objective is risk reduction, not absolute elimination.
Prior to evaluating specific commercial AST products, determine the most suitable AST tool type for your application. For organizations starting their application security journey in 2018, focusing on the foundational tools at the base of the pyramid (SAST, DAST, SCA, Database Scanning) is generally recommended. These are mature commercial tools addressing prevalent vulnerabilities.
[Figure: The pyramid graphic again, highlighting the foundational AST tool categories SAST, DAST, SCA, and Database Scanning as the recommended starting point for an application security program.]
As you gain experience, you can consider incorporating second-level approaches (IAST, MAST, ASTaaS). For instance, mobile testing frameworks often require custom scripting, which benefits from experience with traditional DAST tools. Similarly, familiarity with foundational tools enhances your ability to negotiate ASTaaS contracts.
The decision to adopt tools in the top pyramid tiers (Correlation Tools, Test Coverage Analyzers, ASTO) in 2018 was often driven by management and resource considerations alongside technical factors.
If resource constraints limited you to a single commercial AST tool in 2018, consider these guidelines:
- For in-house developed applications with source code access, SAST is a strong starting point to identify coding issues and coding standard violations. SAST was the most common initial code analysis approach in 2018.
- For applications without source code access, DAST is the optimal choice for external vulnerability detection.
- For applications heavily reliant on third-party and open-source components, SCA tools are essential, regardless of source code access. Ideally, SCA should complement SAST and/or DAST, but if only one tool could be implemented in 2018, SCA was critical for applications with third-party components due to its ability to detect known vulnerabilities in these components.
Conclusion and Future Outlook (2018 Context)
Integrating commercial AST tools into the development process was projected to save time and resources by identifying issues early in the SDLC. However, initial investment in time and resources was necessary for implementation. The guidance provided aimed to assist in selecting an appropriate starting point in 2018. Post-implementation, managing and acting upon the results generated by AST tools was crucial.
[Figure: A hand adjusting knobs and buttons on a control panel, symbolizing the calibration that application security testing tools need to optimize output and minimize false positives and false negatives.]
These commercial tools offered numerous configuration options, requiring time to calibrate them for optimal output. Incorrectly configured tools could produce problematic false positives and false negatives.
Looking forward from 2018, the subsequent article in this series was planned to delve deeper into decision-making factors for selecting application security testing tools, providing checklists for application security professionals.
Additional Resources (Relevant as of 2018)
Read the second post in this series: Decision-Making Factors for Selecting Application Security Testing Tools.
Explore the National Institute of Standards and Technology (NIST) Software Assurance Metrics And Tool Evaluation (SAMATE) Project.
Learn about the Open Web Application Security Project (OWASP).
Discover resources from the SANS Institute.
Access and download software, tools, and methods from the SEI.
Review the Department of Homeland Security (DHS) Build Security In website.