Chapter 9 - 04 - Application Security Testing Techniques and Tools - 01_ocred.pdf
Certified Cybersecurity Technician
Application Security
Exam 212-82

Module Flow
- Understand Secure Application Design and Architecture
- Understand Software Security Standards, Models, and Frameworks
- Understand Secure Application Development, Deployment, and Automation
- Understand Application Security Testing Techniques and Tools

Application Security Testing Techniques and Tools

The primary objective of application security testing is to detect flaws or vulnerabilities in an application and its source code. Application security testing techniques and tools assist developers in detecting potential security weaknesses and in changing the code to fix them. This section discusses various application security testing techniques and tools.

Module 09 Page 1188 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Static Application Security Testing (SAST)

SAST, also known as secure code review, is one of the software security assurance approaches used to identify security-related weaknesses in the code. It involves a detailed, systematic inspection of the source code to detect vulnerabilities and design flaws.
A full secure code review is usually scheduled toward the end of source code development, when the application code is stable or nearly complete; automated SAST scans, by contrast, can run on every build so that findings are fixed while the code is still fresh and cheap to change. SAST should always combine human effort (manual review) with technology support (automated tools). SAST aims to detect application security vulnerabilities and their root causes while the code is not running. SAST tools assist developers in testing the source code to discover and report design flaws in the application that could open the door to various attacks. SAST also checks that the source code complies with defined rules, standards, and guidelines. Security professionals use tools such as Coverity Static Application Security Testing, Appknox, AttackFlow, bugScout, and PT Application Inspector to perform SAST.

Types of SAST

- Automated source code analysis: also known as static code analysis (SCA), it uses a source code analysis tool to scan the code and report potential flaws. Note that the abbreviation SCA is also widely used for software composition analysis (checking third-party dependencies for known vulnerabilities), which is a different activity.

- Manual source code review: it involves manually inspecting the source code line by line to detect defects and security-related flaws.
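The following is an added example, not part of the EC-Council material, of what an automated source code analysis rule actually does. It parses Python source with the standard ast module and flags database execute() calls whose SQL text is assembled at runtime, the root cause of SQL injection, without running any of the scanned code. The SAMPLE_SOURCE it scans, the rule identifier SQLI-001, and the function names are constructed for the illustration.

```python
"""Added example: a tiny automated source code analysis (SAST) rule.

It parses Python source into an AST and flags database cursor execute() calls
whose SQL text is assembled at runtime (concatenation, %-formatting, f-strings,
str.format), the classic root cause of SQL injection. Nothing is executed;
only the source text is inspected, which is exactly how a SAST tool works.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not code from the page): the file being scanned.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    # Vulnerable: user input concatenated into the query text
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def find_user_fmt(conn, username):
    cur = conn.cursor()
    # Vulnerable: f-string interpolation has the same effect
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    # Safe: constant statement, value supplied as a bound parameter
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()
'''

SINK_METHODS = {"execute", "executemany", "executescript"}  # DB-API query sinks


@dataclass
class Finding:
    rule_id: str
    line: int
    reason: str


def dynamic_query_reason(node: ast.AST) -> Optional[str]:
    """Why the query expression counts as runtime-assembled, or None if it is
    a plain string literal. Anything else is treated as dynamic; a production
    tool would add dataflow analysis to follow variables back to their source."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() call"
    return "non-literal expression"


class SqlSinkVisitor(ast.NodeVisitor):
    """Visit every call; report sink methods whose first argument is dynamic."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in SINK_METHODS
                and node.args):
            reason = dynamic_query_reason(node.args[0])
            if reason is not None:
                self.findings.append(Finding("SQLI-001", node.lineno, reason))
        self.generic_visit(node)  # keep walking into nested calls


def scan_source(source: str) -> List[Finding]:
    """Run the rule over one source file and return its findings."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.rule_id} line {f.line}: {f.reason}; "
              "use a constant statement with bound parameters")
```

Run as a script, the rule reports the two vulnerable execute() calls with their line numbers and leaves the parameterised call alone. The reported line and reason are the "root cause" a SAST tool gives the developer; what the rule cannot tell is whether the vulnerable function is reachable in the deployed application, which is the runtime view DAST adds.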
Dynamic Application Security Testing (DAST)

DAST is a security testing technique that simulates attacks against the application and analyses how the application behaves. The application is tested dynamically from the outside while it is running; no access to the source code is needed. DAST is generally performed by penetration testers or security practitioners on a working system in pre-production, in a test environment, or even in production. These testers typically use automated web application vulnerability scanners to conduct DAST. The scanners work by fuzzing the application's inputs with attack payloads and inspecting the responses for signs of a security weakness. DAST tools run against the executing application to identify issues related to interfaces, requests and responses, session handling, scripts, authentication processes, code injection, and so on. Because the payloads are real attack traffic, a scan in production must be authorised and scoped in advance, pointed at test accounts, and rate-limited: a scanner can create or delete data, trigger outbound emails or transactions, and generate significant load. Security professionals use tools such as Netsparker, Acunetix Vulnerability Scanner, HCL AppScan, Micro Focus Fortify on Demand, and Appknox to perform DAST.
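The following is an added example, not part of the EC-Council material and not the code of any of the scanners named above, of the fuzz-and-inspect loop a DAST scanner runs. It starts a deliberately vulnerable target on a loopback port, sends attack payloads to its query parameters over HTTP exactly as an outside tester would, and classifies the responses. The target application, the two endpoints, the payload lists, and the marker string dast7731 are all constructed for the illustration.

```python
"""Added example: a minimal DAST-style scanner.

The scanner never sees source code. It sends attack payloads to the running
application's inputs over HTTP and judges the responses: a payload echoed back
verbatim indicates reflected XSS, and a database error string indicates that a
query is built from the input. The target app is constructed for the demo and
is deliberately vulnerable; it is not a real product.
"""
import re
import sqlite3
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class VulnerableApp(BaseHTTPRequestHandler):
    """Constructed target with two weak endpoints."""

    def do_GET(self) -> None:
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query)
        if url.path == "/search":
            term = q.get("q", [""])[0]
            body = f"<h1>Results for {term}</h1>"   # reflected without escaping
        elif url.path == "/user":
            name = q.get("name", [""])[0]
            conn = sqlite3.connect(":memory:")
            conn.execute("CREATE TABLE users(name TEXT)")
            try:
                conn.execute(f"SELECT * FROM users WHERE name = '{name}'")  # string-built SQL
                body = "ok"
            except sqlite3.Error as exc:
                body = f"Database error: {exc}"      # error detail leaks to the client
        else:
            body = "not found"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args) -> None:  # silence request logging
        pass


# Attack payloads and the response checks that turn a probe into a finding.
XSS_PAYLOADS = ["<script>dast7731</script>", '"><img src=x onerror=dast7731>']
SQLI_PAYLOADS = ["'", "' OR '1'='1", "1; DROP TABLE users--"]
SQL_ERROR_RE = re.compile(
    r'(database error|sql syntax|syntax error|unrecognized token|near ".*")',
    re.IGNORECASE)

# Direct connection: ignore any proxy settings in the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(base: str, path: str, param: str, value: str) -> str:
    """One probe: GET the endpoint with the payload in the named parameter."""
    url = f"{base}{path}?{urllib.parse.urlencode({param: value})}"
    with _opener.open(url, timeout=5) as resp:
        return resp.read().decode("utf-8", errors="replace")


def scan(base: str, targets) -> list:
    """Fuzz each (path, parameter) pair; return (path, param, issue) tuples."""
    findings = []
    for path, param in targets:
        for payload in XSS_PAYLOADS:
            if payload in fetch(base, path, param, payload):
                findings.append((path, param, "reflected-xss"))
                break
        for payload in SQLI_PAYLOADS:
            if SQL_ERROR_RE.search(fetch(base, path, param, payload)):
                findings.append((path, param, "sql-error-disclosure"))
                break
    return findings


def run_demo() -> list:
    """Start the target on a free loopback port, scan it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return scan(base, [("/search", "q"), ("/user", "name")])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Two things are worth noticing. First, the scanner found the string-built SQL query purely from the application's behaviour (the leaked error message), with no source access, and it would equally have missed it had the endpoint swallowed the error; that blind spot is why SAST and DAST are complementary rather than alternatives. Second, look at the payload list: a scanner fires inputs like `1; DROP TABLE users--` at every parameter it can find, which is why the earlier caveat about authorising and scoping scans against production systems matters.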
Types of DAST

- Automated application vulnerability scanning: the security tester uses a classic application security scanner to scan the web application for vulnerabilities.

- Manual application security testing: the security tester uses proxy-based security testing tools to craft and send requests manually and analyse the responses from the application.

SAST vs DAST

The table given below summarizes the differences between SAST and DAST:

SAST                                              | DAST
--------------------------------------------------|------------------------------------------------------
White-box security testing                        | Black-box security testing
Requires the source code                          | Requires a running application
Finds vulnerabilities earlier in the SDLC         | Finds vulnerabilities towards the end of the SDLC
Vulnerabilities are less expensive to fix         | Vulnerabilities are more expensive to fix
Cannot discover runtime and environment-related   | Can discover runtime and environment-related
issues                                            | issues
Typically supports all kinds of software          | Typically scans only web applications and web services

Table 9.2: SAST vs DAST