Tuesday, July 20, 2021

Application and Code Testing

Application Security (AppSec) Strategy. "Shift-left" and get security testing incorporated early in the software development lifecycle (SDLC) - providing the security in DevSecOps. What problems need to be addressed with application security? Software Composition Analysis (SCA), securing Infrastructure as Code (IaC), security development infrastructure (e.g. source code repositories, container repositories, build systems), ensuring the confidentiality, integrity, and availability of the application in production. 

The following is a list of tool categories aimed at testing the security as well as stability or resiliency of an application and/or its code base. I have a few more draft notes written about this in OneNote, Sticky Notes, and the SharePoint blog I had started migrating to last year (abandoning that effort), so this post is by no means completed and will be continue to be expanded as I consolidated those notes.

Software Composition Analysis (SCA). Analysis of open-source component dependencies to identify vulnerabilities. Not a line-by-line scan of code as with SAST.
  • Contrast Security
  • Cycode
  • MergeBase
  • ShiftLeft
  • Snyk.
  • Veracode.
  • WhiteSource.
Pipeline Composition Analysis (PCA). Advances SCA to identify vulnerabilities in the software delivery pipeline.
  • Cycode
Software Bill of Materials. A software bill of materials is required per the White House Executive Order on Improving the Nation's Cybersecurity, May 12, 2021.Tools should be able to output a report in one of these three reporting formats:  Software Package Data Exchange (SPDX), CycloneDX, or Software Identification (SWID) Tags (see https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/). The SPDX specification has been published as ISO/IEC 5962:2021 and recognized as the open standard for security, license compliance and other software supply chain artifacts.  

 Interactive Application Security Testing (IAST)

Static Application Security Testing (SAST).
  • Checkmarx.
  • GitLab Ultimate 10.3. If  you are using GitLab CI/CD, you can analyze your source code for known vulnerabilities using SAST. Supported languages and frameworks include:  .NET, C/C++, Elixir (Phoenix), Go, Groovy, Java, JavaScript, Node.js, PHP, Python, Ruby on Rails, Scala, and Typescript. The output is a SAST report artifact that can be included in a GitLab Security Dashboard.
  • Micro Focus Fortify Static Code Analyzer.
  • Parasoft. https://blog.executivebiz.com/2021/10/parasofts-software-security-testing-tool-gets-ok-for-use-on-dod-devt-programs/. 
  • ShiftLeft
  • Synk. Integrates with 30 developer tools including six integrated development environments (IDE) (Jetbrains, Visual Studio, Eclipse, ...). Partner with Rapid 7 for DAST. Call Friday 7/21/2021.
  • WhiteSource. SAST solution announced 2/16/2022 based on technologies acquired from Xanitizer and DefenseCode. Able to identify over 70 types of security flaws including OWASP Top 10 and SANS Top 25.
Dynamic Application Security Testing (DAST).
  • Checkmarx.
  • GitLab Ultimate 10.4. If you are using GitLab CI/CD, you can analyze your running web application(s) for known vulnerabilities using DAST. DAST used the open source tool OWASP ZAProxy to perform an analysis of your running web application. DAST can be configured to do a passive or active scan (active scans will attempt to attack your application and thus provide a more extensive security report). The output is a DAST report artifact that can be included in a GitLab Security Dashboard.
  • Micro Focus Fortify WebInspect.

    Container Scanning

    • Anjuna.
    • Aqua Security.
    • Bridgecrew.
    • Grype. Anchore’s open source Grype vulnerability scanner tool for containers is generally available for DevOps teams that are running the latest version of the GitLab CI/CD platform. Grype leverages Syft libraries that employ deep inspection algorithms to create an accurate software bill of materials (SBOM) for an application and then runs a scan to identify vulnerabilities. That data is then surfaced within a GitLab workflow to advance adoption of DevSecOps best practices.
    • Kubscape. ARMO’s Kubescape tool, based on guidance from a 52-page joint report co-authored by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), can test whether Kubernetes clusters have been deployed securely. The Kubescape tool is based on open source software the company created to secure Kubernetes environments using the Open Policy Agent (OPA) framework being advanced under the auspices of the Cloud Native Computing Foundation (CNCF)
    • Lacework Labs.
    • NeuVector.
    • Rapid 7.
    • RapidFort.
    • Snyk. Build time.
    • sysdig.
    • Tenable.io CS Scanner.
    • Trivy.
    • Twistlock (now owned by Palo Alto). Run time.

    Infrastructure as Code (IaC). Analysis of deployment templates, e.g. JSON or YAML files used by AWS CloudFormation, Azure, GCP, Terraform, etc.)

    Observability

    • Metrics
      • Amazon CloudWatch. Amazon CloudWatch Events and EventBridge for alerting.
    • Events
    • Logs
      • Amazon CloudWatch. Amazon CloudWatch Events and EventBridge for alerting.
      • Splunk. Talal Balouch from SecuriGence is an expert.
    • Traces
      • Amazon X-Ray. Works with Amazon Elastic Compute Cloud (EC2), Amazon EC2 Container Service (Amazon ECS), AWS Lambda, AWS Elastic Beanstalk.
    • Analysis of logs, metrics, traces
    Chaos Engineering. An approach to application fault tolerance that intentionally provokes errors in live deployments. It incorporates an element of randomness to mimic the unpredictability of real-world outages.

    Failure Mode and Effects Analysis (FMEA). https://asq.org/quality-resources/fmea. 

    Vendors/Products:
    • Acunetix
    • Akeero
    • ARMO.
    • Azure Monitor
    • Aqua Security
    • Bridgecrew.
    • BluBracket.
    • Checkmarx
    • Chronosphere.io
    • Contrast Security
    • Cycode
    • Datadog.
    • Data Theorem
    • env0
    • Contrast Security
    • Fugue. Provide free masterclasses on cloud security.
    • GitHub
    • GitLab
    • HCL Software
    • Instana
    • Invincti
    • Jfrog
    • Lacework Labs
    • Lightstep.
    • Logz.io
    • MergeBase
    • Micro Focus
    • Moogsoft. 
    • Neuvector
    • New Relic.
    • NTT Application Security (acquired WhiteHat Security)
    • Onapsis
    • Parasoft.
    • Rapid 7.
    • RapidFort
    • ShiftLeft
    • SonarQube
    • Sonatype
    • Snyk.
    • StackState.
    • Synopsys Software Integrity Group
    • Sysdig
    • Veracode. Forrester Research recently released The Forrester Wave™: Software Composition Analysis, Q3 2021 report with Veracode ranked as a strong performer for software composition analysis (SCA). Evaluating 10 SCA vendors against 37 criteria, the report is helpful for security professionals who are selecting an SCA vendor to best suit their organization’s needs. 2021 Gartner Peer Insights Customers’ Choice for AST.
    • Traceable.AI. API security
    • Trilio. Data Protection for Kubernetes. See GigaOm Radar for Kubernetes Data Protection Report.
    • WhiteSource. 
    Other tools to lookup:  Datadog, PagerDuty, Gremlin

    Security criteria:  CIS Security Benchmarks, Cyber.mil STIGs, SRGs, UCF.

    Beyond the application:  DDoS protection, Web Application Firewall (WAF), packet analysis (e.g. Snort, VPC Flow Logs), Incident Response Plan (IRP), Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Privileged Account Management (PAM), Zero Trust Network Architecture (ZTNA), ...