Why Next Generation Application Security is Needed
December 15, 2021
Software is revolutionizing the way the world works. From driverless cars to cryptocurrency, software is reinventing the possibilities. With software at the heart of everything we do, we find ourselves producing code faster than ever. Current estimates show that there are over 111 billion lines of new code written per year. And our fixation on the rapid development of the latest technology has positioned security as an obstacle, which comes at a “cost”.
As we continue to rack up security debt and struggle to resolve the cybersecurity workforce shortage, it becomes clear that we are living on borrowed security time.
This is not to dwell on our software security deficits but to stress that we need to think bigger if we are to solve this critical cybersecurity problem. Manually clearing 20, 50, 100 false positives from a backlog of 10,000 bug reports – reports that multiply on a daily basis – will not move the needle. And it is insanely expensive, with the average appsec engineer earning over $133,000/year and in short supply. Shouldn’t their time be better spent than triaging false positives?
What is needed is autonomous application security. We need an application security testing solution that can accurately identify issues at speed and scale.
Autonomous is not automation
I would particularly like to stress the urgent need for this new generation to be autonomous. It should not be confused with automation. Unlike automation, autonomous capabilities encompass more than a pre-programmed task run at machine speed.
Autonomous application security tests are able to intelligently tailor their testing techniques to the specific needs of each application – no predefined test suites and no one-size-fits-all approach. They extract data from past test results and use it to adjust the next test. This allows product security teams to eliminate manual effort from the process of managing application security.
Current solutions such as Static Application Security Testing (SAST) are not agile. They review the code line by line. They have no means of validation with which to resolve the problem of false positives, so software engineers have to embrace the practice and allow the time necessary to study each result.
Fuzz testing is a DAST (Dynamic Application Security Testing) technique that sends malformed input to targets with the aim of triggering bad behavior in running software, such as crashes, endless loops, and/or memory leaks. These abnormal behaviors are often a sign of an underlying vulnerability.
Fuzz testing is a type of dynamic, behavior-based analysis. Initially, the industry had DAST web fuzzers, where the tool had no knowledge of the code itself. These got slightly more advanced with Interactive Application Security Testing (IAST), which provided a feedback loop from the code but did not help you extend coverage, leaving you at risk from untested code. Untested code is risky code.
Fuzz testing is therefore the next generation: it finds bugs automatically. It is also the only dynamic analysis solution that helps reduce the cloud of uncertainty around this untested code, because it continually expands code coverage. The ability to extend your test suite allows you to get fixes faster and with more certainty.
And autonomous application security testing goes beyond just identifying vulnerabilities. Typically, the biggest obstacle to getting a fix is whether it breaks existing functionality. Google reports that 40% of their bugs fall into regression failures. By testing and retesting to confirm that each vulnerability is real, developers can focus on the specific line of code that warrants further investigation, saving time and resources.
This validation is also essential for integration into CI/CD workflows because it allows developers to fork a section of code and have that section checked automatically before merging into master.
In addition, next-generation autonomous application security testing includes symbolic execution, which abstracts over the input and can therefore map a greater amount of code, increasing the coverage of its test cases and exercising a greater portion of the running code. These are often the areas of code where zero-days are found, areas that conventional security testing does not probe.
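To make the fuzzing passage above concrete, here is an added example (mine, not the article's and not any vendor's product) of the feedback loop it describes: a tiny coverage-guided mutational fuzzer that keeps any input reaching a not-yet-seen line of the target, mutates from that growing corpus, stops at the first crash, and then re-runs the crashing input outside the loop as the validation step the previous two paragraphs call for. The target `parse_record`, its record format, the deliberate unchecked-length defect, and the seed input are all constructed for this illustration; coverage is collected with the standard `sys.settrace` hook, which is an assumption about how to measure "new code executed" in a toy and not how a production fuzzer instruments a binary.

```python
"""Toy coverage-guided mutational fuzzer (added example; constructed target)."""
import random
import sys
from typing import Callable, Dict, Optional, Set, Tuple

MAGIC = b"RC"


def parse_record(data: bytes) -> int:
    """Constructed target: 2-byte magic, 1-byte version, 1-byte payload
    length, then payload. Returns an 8-bit checksum of the payload.
    Deliberate defect: for version 7 the length byte is trusted without
    bounding it by len(data), so a short payload raises IndexError
    (the Python analogue of an out-of-bounds read)."""
    if len(data) < 4:
        return -1
    if data[:2] != MAGIC:
        return -2
    version, length = data[2], data[3]
    if version == 7:
        payload_end = 4 + length                  # BUG: unchecked length
    else:
        payload_end = min(4 + length, len(data))  # bounded, safe path
    total = 0
    for i in range(4, payload_end):
        total = (total + data[i]) & 0xFF          # IndexError past the end
    return total


def run_with_coverage(target: Callable[[bytes], int],
                      data: bytes) -> Tuple[Set[int], Optional[BaseException]]:
    """Execute target(data) under sys.settrace, recording which source lines
    of the target ran. Returns (lines executed, exception or None)."""
    lines: Set[int] = set()

    def tracer(frame, event, arg):
        if frame.f_code is target.__code__:
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer          # keep tracing inside the target only
        return None

    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except Exception as exc:       # any uncaught exception counts as a crash
        crash = exc
    finally:
        sys.settrace(None)
    return lines, crash


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level edits: overwrite, insert, delete."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        roll = rng.random()
        if roll < 0.6 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif roll < 0.8:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target: Callable[[bytes], int], seed: bytes,
         max_iters: int = 30000, rng_seed: int = 1) -> Optional[Dict]:
    """Coverage-guided loop: an input that executes a not-yet-seen line joins
    the corpus and becomes a parent for later mutations, so each round builds
    on what earlier rounds learned. Stops at the first crash."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    covered, _ = run_with_coverage(target, seed)
    for i in range(1, max_iters + 1):
        child = mutate(rng.choice(corpus), rng)
        lines, crash = run_with_coverage(target, child)
        if crash is not None:
            return {"crash_input": child, "exception": type(crash).__name__,
                    "iterations": i, "corpus_size": len(corpus),
                    "lines_covered": len(covered)}
        if not lines <= covered:   # new coverage: keep this input
            covered |= lines
            corpus.append(child)
    return None


def reproduce(target: Callable[[bytes], int], data: bytes) -> bool:
    """Validation step: re-run a reported input outside the fuzz loop.
    True means the crash is real and deterministic (a fixture for a
    regression test in CI); False means it was noise and should not be filed."""
    try:
        target(data)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    result = fuzz(parse_record, b"RC\x01\x03abc")  # constructed seed input
    if result is None:
        print("no crash found within the iteration budget")
    else:
        print(f"{result['exception']} after {result['iterations']} iterations, "
              f"input={result['crash_input']!r}, corpus={result['corpus_size']}")
        print("reproducible:", reproduce(parse_record, result["crash_input"]))
```

The seed never takes the version-7 branch; a mutant that does is kept purely because it lit up a new line, and only mutants of that kept input can then push the length byte past the end of the buffer. That is the difference between blind malformed-input generation and the feedback-driven approach the article calls autonomous. The `reproduce` call is the cheap check that turns a fuzzer report into a deterministic regression test before anyone spends time on it.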
Autonomous security is activated
In the past year alone, we’ve seen changes that further recognize the need for more self-sufficient application security:
- Gartner has added fuzz testing, the technology behind autonomous application security testing, to its critical AST capabilities. Gartner’s Critical Capabilities describe the qualification criteria for its Magic Quadrants.
- The rise of the Chief Product Security Officer. Like the rise of the role of CISOs and the discipline of information security, we are seeing organizations implementing a product security discipline and giving CPSOs a seat at the executive table. Product Security Groups are responsible for the security of the products they offer, which is very different from securing business operations.
- Git repository providers are entering the application security testing space. GitHub and GitLab have both entered the application security testing market, stressing the need to enable developers to write secure code. GitLab, in particular, acquired not one but two fuzz testing solutions.
Autonomous application security is here, and the world is ready for it.