Evolution of Application Security Testing tools 


Tools that implement the traditional web application vulnerability detection methodologies, static analysis (SAST) and dynamic analysis (DAST), have been available for more than 15 years, and they have reached the limits of what their approach can do to support the speed of modern Agile software development.

Traditional vulnerability scanners require significant configuration and tuning, and the time those efforts take means the tools cannot usefully keep up with the release cycles that DevOps and automated integration and delivery pipelines make possible. Legacy application security testing tools also lack context about the application under test: a static analyzer sees the code but not the deployed configuration, and a dynamic scanner sees responses but not what happened inside the application. The result is false positives that undermine the accuracy, reliability and effectiveness of security testing overall.

The speed of software development, integration and delivery demands a new approach, one in which security instrumentation is integrated into the application itself. Instrumented code can use the contextual information the application generates internally (which inputs reached which calls, under what configuration) and so examine and assess behavior more accurately.

Such instrumentation is provided by newer technologies, Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), which enable a continuous, real-time approach to application security. Both IAST and RASP can be delivered as modules integrated into the application environment or on a subscription basis following a Software-as-a-Service (SaaS) model. Vendors offering IAST and RASP tools include IBM, HPE, Acunetix, and Contrast Security.

In an IAST deployment, a software agent adds instrumentation to the running application. A second component then generates malicious traffic according to predefined test cases, attempting to force failures and to catch the coding flaws that lead to exploitable vulnerabilities; because the agent observes from inside, it can confirm that a payload actually reached a sensitive operation instead of inferring it from the response alone. IAST therefore lets teams cover more code with significantly fewer false positives, increasing the speed at which high quality, secure software is delivered. There is a cost, however. Current IAST implementations are complex, and using them requires specialized training to interpret test results and determine the root causes of identified issues. IAST also only observes the code paths that the test traffic reaches, so its coverage is bounded by the test cases that drive it.

IAST identifies security vulnerabilities during the testing stage, while RASP addresses attacks against deployed products.

RASP is implemented as instrumentation of the application runtime, either the language virtual machine (e.g. the Java Virtual Machine (JVM) or the .NET Common Language Runtime (CLR)) or the application server (e.g. Tomcat, JBoss or Microsoft Internet Information Services (IIS)), adding a protection layer against application-level attacks.


RASP products are loaded into the application process alongside its own code and libraries, which gives them full insight into the application's logic, data flows and configuration while it executes and so allows continual, context-aware security analysis. At runtime, RASP intercepts the calls the application makes to sensitive subsystems (database drivers, file and network APIs, command execution) and validates each request inside the application, checking it against the runtime context in which it was made, for example which HTTP parameter supplied the data that is about to be used.

Conceptually, the way RASP works is comparable to Attribute Based Access Control (ABAC), a next-generation identity and access management model: like ABAC, RASP embeds request validation into the application and decides at runtime whether execution is permitted.

RASP lets the application continuously monitor its own behavior and block only those actions that are inconsistent with its expected behavior, without waiting for human intervention. For example, when a database query is about to be executed and its structure has been altered by request input, which is the signature of a SQL injection attack, RASP blocks the execution of that query.
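The mechanism just described, and the IAST arrangement of an in-application agent plus a second component sending test payloads described earlier, share one core: a hook inside the application at the sensitive call, plus knowledge of the request context. The following is an added example written for this page, not code from the original article or from any vendor's product. It assumes a toy Python application on SQLite, a hook around the database `execute` call as the sensor, and a simple "structure changed" criterion (a request value that spans more than one SQL token); the sample table, parameter names and attack payloads are constructed for the example.

```python
import re
import sqlite3

# Lexer: a token is a single-quoted string literal, a number, a word or one
# punctuation character. Assumed dialect: ANSI literals with '' as the escape.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\S")

def tokenize(sql):
    return _TOKEN.findall(sql)

def input_changes_structure(sql, value):
    """True if a request value landed in the query spanning more than one
    token. A benign value sits entirely inside one literal or number; an
    injection payload adds operators, keywords or extra statements."""
    if not value:
        return False
    pos = sql.find(value)
    while pos >= 0:
        end = pos + len(value)
        spanned = sum(1 for m in _TOKEN.finditer(sql)
                      if m.end() > pos and m.start() < end)
        if spanned > 1:
            return True
        pos = sql.find(value, pos + 1)
    return False

class Sensor:
    """In-process agent. 'report' records findings (IAST); 'block' refuses
    the call (RASP). The runtime context here is the raw request parameters."""
    def __init__(self, mode):
        if mode not in ("report", "block"):
            raise ValueError(mode)
        self.mode = mode
        self.context = {}
        self.findings = []

    def begin_request(self, params):
        self.context = dict(params)

    def check(self, sql):
        for name, value in self.context.items():
            if input_changes_structure(sql, value):
                finding = {"param": name, "value": value, "sql": sql}
                self.findings.append(finding)
                if self.mode == "block":
                    raise PermissionError(f"blocked: {name!r} altered SQL structure")
                return finding
        return None

class GuardedConnection:
    """Hooks the database call, the 'sink' both IAST and RASP watch."""
    def __init__(self, conn, sensor):
        self._conn, self._sensor = conn, sensor

    def execute(self, sql, params=()):
        self._sensor.check(sql)
        return self._conn.execute(sql, params)

def build_app(sensor):
    """Constructed sample application with a deliberately injectable handler."""
    raw = sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    raw.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db = GuardedConnection(raw, sensor)

    def lookup(params):
        sensor.begin_request(params)  # the agent learns the request context
        sql = f"SELECT name FROM users WHERE id = {params['id']}"  # vulnerable concatenation
        return [row[0] for row in db.execute(sql).fetchall()]
    return lookup

def run_iast_scan():
    """IAST: agent in report mode while a second component sends attack payloads."""
    sensor = Sensor("report")
    app = build_app(sensor)
    for payload in ["1", "1 OR 1=1", "1; DROP TABLE users"]:  # constructed test cases
        try:
            app({"id": payload})
        except (sqlite3.Error, sqlite3.Warning):
            pass  # test traffic may break the query; the recorded finding is what matters
    return sensor.findings

def run_rasp_demo():
    """RASP: agent in block mode on the 'deployed' app; benign traffic still passes."""
    sensor = Sensor("block")
    app = build_app(sensor)
    benign = app({"id": "2"})
    try:
        app({"id": "1 OR 1=1"})
        blocked = False
    except PermissionError:
        blocked = True
    return benign, blocked

if __name__ == "__main__":
    for f in run_iast_scan():
        print("IAST finding:", f["param"], "->", f["sql"])
    print("RASP:", run_rasp_demo())
```

The same sensor serves both modes; what differs is the deployment moment and the action taken. In report mode the scan ends with two findings (the benign payload produces none), and in block mode the benign lookup returns normally while the injected request never reaches the driver. A real agent would hook the driver at the bytecode or module level rather than through a wrapper class, but the decision it makes, "did request data change the shape of this query", is the one shown here.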

Because RASP is embedded in the application and adapts to it, it seldom needs reconfiguration when the application changes, e.g. when migrating to the cloud, moving to a microservices architecture with containers, adding REST or SOAP web services, or scaling up or down. The operational requirement that remains is that the agent ships with every runtime instance and supports the runtime version in use.

Because RASP runs inside the application process, it consumes some of that process's CPU and memory for the whole lifecycle of the application; this overhead is the price of having protection at the point where malicious input would otherwise be acted upon, and it should be measured before a production rollout. The benefit is that an attack which reaches the application is stopped there, at the call that would have exposed or modified the data, rather than being recognized only after the fact. RASP is a protection layer, not a guarantee: it stops the attack classes it is designed to recognize and complements, rather than replaces, fixing the underlying flaws.

Having the latest security testing tools will not make an application as secure as building security into the application across the SDLC. Establishing a secure development lifecycle is critical. Web application security is continually evolving, and an organization’s security policies and guidelines must keep pace.

Article originally prepared for www.uscybersecurity.net

FAQ

How have application security testing tools evolved over time?

Application security testing tools have evolved from legacy static and dynamic scanners, which were slow, complicated and prone to false positives, to modern context-aware solutions. Today's approaches, Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), integrate directly into applications and use real-time contextual data to improve detection accuracy and protection strength. The old tools could not keep up with the speed of Agile and DevOps; IAST and RASP support continuous delivery by integrating security into the software lifecycle and the runtime itself. The change makes vulnerability detection faster and more dependable, and makes defenses proactive.

What are the main types of application security testing tools available today?

Application security testing today largely relies on two modernized methodologies: Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP). IAST tools inject an agent into the application at test time and drive it with generated malicious traffic, detecting vulnerabilities with a high degree of accuracy and very few false positives. RASP implements protection inside the application's runtime environment: it monitors behavior continuously and blocks attacks, such as SQL injection, in real time, even as the application changes. Periodic manual scans were part of a disjointed and much less effective approach, now replaced by tools that offer continuous, contextual security analysis.

How do modern security testing tools integrate with DevOps and CI/CD pipelines?

Modern security testing tools fit into DevOps and CI/CD pipelines by embedding security instrumentation into the application itself. Because testing and monitoring then happen continuously and in real time, they do not slow down the release cycle. Contextual data from inside the application lowers false positives and points to where a vulnerability should be fixed, so secure software can be delivered at the same speed as a new feature.

What are the key challenges and future trends in application security testing?

An important challenge in application security testing is managing the complexity of modern tools, which often demand expertise to interpret results and trace root causes. Another is keeping security on pace with the speed of Agile and cloud-native development. Future trends point to an even deeper integration of security into the software development lifecycle, through tools that work continuously, protect software in context, and adjust automatically to changes such as microservices, containers and cloud migrations. This shift amounts to proactive, real-time defense rather than after-the-fact scanning.

How is AI influencing web security today?

AI is increasingly used in web security to detect and prevent threats by analyzing patterns, spotting anomalies, and responding to attacks in real time. At the same time, cybercriminals are also leveraging AI to create more sophisticated phishing schemes, malware, and automated attacks. This dual role makes AI both a powerful defense tool and a potential weapon, highlighting the need for continuous innovation and vigilance in cybersecurity.