Application Security

Dynamic / Static Application security testing

Demand for applications that serve the needs of growing businesses increases day by day. Applications hosted on internal portals may be vulnerable to internal attacks, and applications that serve wide segments of customers on the internet are exposed to external ones. With the growth of e-commerce, online banking, financial transactions, portfolios and other services, application and software developers are under pressure to meet deadlines. While the SDLC (software development life cycle) does ensure sound application development, its security aspect is more often than not overlooked, either because security is treated as a separate discipline altogether, or because securing the code is tedious and difficult work that is understated in the delivery schedule.

With this increase, applications are also increasingly found to be vulnerable at the code level. Such vulnerabilities are exactly what advanced cybercriminals and other attackers look for, and they create opportunities to exploit the application and cause harm to the enterprise. This is where terms like zero-day vulnerability originate; the cybercriminal's intention could be anything from stealing information to sabotaging the internal network and applications, or gaining an upper hand over rivals.

It has become increasingly important to protect applications for the sake of business security, continuity and delivery. Customers must feel that their information stays protected with the enterprise they deal with, and that the high availability and integrity of its applications are not compromised.

Application-based threats have increased manifold, and applications are used as a vector to penetrate further into network defences, causing information leaks and damage to applications and other services. Application vulnerabilities now pose significant threats to enterprises, exposing them to costly and increasing cybercrime. In fact, the Ponemon Institute's Second Annual Cost of Cyber Crime Study, released in August, revealed that the median annualized cost of cybercrime incurred by a benchmark sample of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization.

With new applications appearing every other day, the opportunities for cyber attackers and other web miscreants have increased significantly, giving them a platform to intrude and attack: denial of service (DoS) or DDoS, cross-site scripting and request forgery, SQL injection, AJAX and PHP vulnerabilities and many more. This has made it harder for enterprises and governments to stay abreast of attackers in securing all the applications they host, regardless of platform.

There are few solutions on the market that actually take cognizance of vulnerabilities in the application's source code and offer protection without modifying the code itself, giving software developers and programmers enough time either to fix the vulnerability or to stay protected, with a patch applied at the organization's perimeter, against exploitation of the spotted vulnerability.

This is also important for enterprises looking to stay PCI DSS compliant, as some of its prerequisites call for a source code analyzer and a dynamic web application firewall.

  • A solution with elastic and scalable application security testing capability, enabling clients to test applications more frequently and deliver faster results.
  • Integrated static and dynamic application security testing in real time, allowing clients to rapidly locate and repair more vulnerabilities in applications.
  • The ability to quickly scale application testing projects on demand, as a security-as-a-service solution.
  • Enterprises need to secure a wide range of applications from many sources across multiple platforms and environments, and no amount of perimeter security or outside auditing can protect applications from advanced application-layer vulnerabilities.
  • Acunetix
  • HP Fortify

Acunetix Web Vulnerability Scanner automatically locates security flaws in your application

Acunetix Web Vulnerability Scanner is an in-depth automated web application security testing tool that audits your web applications using Dynamic Application Security Testing (DAST) and Interactive Application Security Testing (IAST) techniques.

  • IAST with Acunetix AcuSensor Technology for more precise scanning with fewer false positives, combining black-box scanning techniques with feedback from sensors placed inside the application's source code.
  • The sophisticated Acunetix scanning engine guarantees the highest rate of vulnerability detection, complete with CVE, CWE and CVSS classification where applicable.
  • Boosted by Acunetix DeepScan Technology, the state-of-the-art CSA (Client Script Analyzer) engine in Acunetix allows you to comprehensively crawl and scan the latest HTML5 and dynamic JavaScript-rich web pages.
  • With the Acunetix AcuMonitor Service, Acunetix also detects complex Blind XSS vulnerabilities, among others.
  • Acunetix includes advanced penetration testing tools that are fully integrated with the Web Vulnerability Scanner and help penetration testers further verify detected vulnerabilities.
  • Integration and extensibility features: Acunetix has API, CLI and XML-based options for integration with Web Application Firewalls and Vulnerability Management Systems.
  • Acunetix Web Vulnerability Scanner includes extensive reports that help manage vulnerability escalation and remediation, task prioritization and internal reporting requirements, as well as adherence to regulatory standards or best-practice guidelines.
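The IAST bullet above describes combining black-box scanning with feedback from sensors inside the application. The following is an added example, not Acunetix's AcuSensor code or any part of the product, that models the idea in miniature: a hypothetical `Sensor` class hooks the application's SQL driver, remembers the request parameters of the current request, and reports whenever a parameter value reaches the database verbatim inside the SQL text (i.e. it was concatenated rather than bound). The two request handlers, the in-memory SQLite table and the probe value are all constructed for the demonstration. The `scan` function shows what an outside scanner can observe (only an error or a row count) next to what the in-app sensor can confirm (which parameter hit which query).

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    return conn


class Sensor:
    """Hypothetical in-app sensor modelling what an IAST agent hooks into the SQL driver.

    Request parameters are the taint sources; every SQL string handed to the
    database is the sink. A parameter value appearing verbatim in the SQL text
    means it was concatenated into the query instead of passed as a bound
    argument, which is the condition a scanner's injection probe tries to reach.
    """

    def __init__(self, conn):
        self.conn = conn
        self.params = {}
        self.findings = []

    def begin_request(self, params):
        # Called by the (constructed) request dispatcher at the start of each request.
        self.params = dict(params)
        self.findings = []

    def execute(self, sql, args=()):
        for name, value in self.params.items():
            # Short values would match by accident; real agents track taint
            # through string operations instead of substring matching.
            if len(value) >= 4 and value in sql:
                self.findings.append({"param": name, "sql": sql})
        return self.conn.execute(sql, args)


# Constructed handlers: the first builds SQL by concatenation, the second binds the value.
def lookup_vulnerable(sensor, params):
    sql = "SELECT id FROM users WHERE name = '" + params["name"] + "'"
    return [row[0] for row in sensor.execute(sql)]


def lookup_safe(sensor, params):
    rows = sensor.execute("SELECT id FROM users WHERE name = ?", (params["name"],))
    return [row[0] for row in rows]


def scan(handler, probe="o'probe"):
    """Black-box step plus sensor feedback.

    The probe is a harmless value containing a single quote. From outside, the
    scanner only sees whether the request errored and how many rows came back;
    the sensor adds the precise sink evidence that makes the result conclusive.
    """
    sensor = Sensor(make_db())
    sensor.begin_request({"name": probe})
    try:
        rows = handler(sensor, {"name": probe})
        outside = {"error": False, "rows": len(rows)}
    except sqlite3.Error:
        # An outside scanner would see this only as a generic server error.
        outside = {"error": True, "rows": 0}
    return {"outside": outside, "sensor": list(sensor.findings)}


if __name__ == "__main__":
    for handler in (lookup_vulnerable, lookup_safe):
        print(handler.__name__, scan(handler))
```

Running the block shows the difference the sensor makes: for the concatenating handler the outside view is just an error (which could have many causes), while the sensor names the `name` parameter and the exact query it reached unbound; for the parameterized handler the request returns zero rows and the sensor reports nothing, so no false positive is raised.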

Compliance and Classification Reports: PCI DSS; OWASP Top 10; ISO 27001; NIST Special Publication 800-53 (for FISMA); HIPAA; DISA-STIG Application Security and Development Guideline Compliance Report; Sarbanes-Oxley; Mitre CWE/SANS Top 25 Most Dangerous Software Errors; WASC Threat Classification.

Internal Management Reports: Affected Items; Developer; Executive; Scan Comparison; Vulnerability Group Trending; Detailed Network Scan Reports (OVS).


The HP Fortify Software Security Center suite provides two key capabilities for managing a comprehensive Software Security Assurance program:

  • Security testing enables users to identify vulnerabilities throughout the application life cycle, whether applications are developed internally or externally, with three of the most effective software security analysis technologies in use today:
  • Static Application Security Testing (SAST) with HP Fortify Static Code Analyzer (SCA);
  • Dynamic Application Security Testing (DAST) with HP WebInspect; and
  • real-time integration of static and dynamic application security testing techniques, known as real-time hybrid analysis.

Secure development life cycle automates the management, tracking, remediation and governance of enterprise software risk. This enables customers to fix, track and report on vulnerabilities, as well as to proactively define the processes, policies and controls of their Software Security Assurance programs.

By removing security vulnerabilities in applications before they are deployed, organizations can reduce their risk of a security breach and apply the savings to growth or innovation. HP Fortify Software Security Center enables organizations to build or expand their Software Security Assurance program in the way that best suits their unique needs and budgets.

Fears and Uncertainties

Among “untroubled and unaware” customers, most of the objections encountered reflect a lack of understanding of the evolving threat landscape and of the effectiveness of existing security countermeasures.

Firewalls and anti-malware do address application-level vulnerabilities, but they cannot keep pace with the vulnerabilities and exploits for the wide range of applications in use. This is exacerbated by zero-days and advanced malware that enter through these loopholes.

A WAF works as a passive defence and does not offer proactive software-security measures. It is important to stay ahead of software-based vulnerabilities that would otherwise be missed at testing and deployment; this is also a key component of compliance.

HP WebInspect detects vulnerabilities in any software and application, and its findings feed the development of a Digital Vaccine patch, which in turn may be used on HP TippingPoint with DV Labs services to block possible exploits against the software and infrastructure. Since it does not modify the source code of the software or application, when integrated with the TippingPoint IPS the patch extends protection to the network layer (working as a WAF and complying with PCI DSS 6.6), thereby protecting internal assets and applications from threats originating from the outside world.

