Fundamentals Of Application Security Testing Tools - DTIC


Fundamentals of Application Security Testing Tools
Dr. Thomas P. Scanlon
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

Fundamentals of Application Security. 2021 Carnegie Mellon University. [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

We Have Lawyers

Copyright 2021 Carnegie Mellon University.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon and CERT are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM21-0408

AST Tools Benefits

- Increase speed, efficiency, and coverage paths
- Repeatable
- Scale well
- Find known vulnerabilities, issues and weaknesses
- Triage and classify findings
- Assist in remediation workflow, especially verification
- Can be used for correlation and identification of trends and patterns

Types of Application Security Testing

(Slide content is a figure; only the tail of its source URL survives in the transcription: -use-them/)

Application Security Testing Tools Pyramid

- Application Security Testing Orchestration (ASTO)
- Correlation Tools
- Mobile Application Security Testing (MAST)
- Static Application Security Testing (SAST)
- Test Coverage Analyzers
- Interactive Application Security Testing (IAST) & Hybrid Tools
- Dynamic Application Security Testing (DAST)
- Application Security Testing as a Service (ASTaaS)
- Origin Analysis / Software Composition Analysis (SCA)
- Database Security Scanning


Static Application Security Testing (SAST)

Can be thought of as white-hat or white-box testing.

- "Examine source code (at rest) to detect and report weaknesses that can lead to security vulnerabilities" – NIST [1]
- Source code analyzers can run on non-compiled code, checking for things like numeric errors, input validation, race conditions, path traversals, pointers and references, and more
- Binary and byte code analyzers do the same on built and compiled code
- Some tools run on source only, compiled only, or both

[1] NIST - https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

CWEs and CVEs

Common Weakness Enumerations (CWEs)

- CWEs are classes of problems
- Do not focus on a specific product, system, or piece of software
- CWEs represent concepts/behaviors software developers should avoid
- Examples: Integer Overflow; Use of Hard-coded Credentials; Generation of Predictable Numbers

Common Vulnerabilities and Exposures (CVEs)

- CVEs are instances of problems (instances of CWEs in some respects)
- Do pertain to a specific product, system, or piece of software
- CVEs represent weaknesses software developers could bring into their software via use of & inclusion of tools, libraries, products, other software
- Example: CVE-2015-3429 Cross-site scripting (XSS) vulnerability in example.html in Genericons on Debian Linux before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier.
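The SAST slide says source analyzers examine code at rest; the CWE slide names the classes they look for. The following is an added example (not SEI's, NIST's or any tool's code) of the smallest possible source-code analyzer of that kind: it parses a Python module into a syntax tree and flags two of the CWE classes listed above, a hard-coded credential and a predictable value produced by a non-cryptographic PRNG in a security-sensitive function. The module under test (SAMPLE) and the name patterns are constructed; the CWE ids are taken from MITRE's CWE list and do not appear on the slides.

```python
"""Toy SAST pass over Python source for two of the CWE classes named on the slide.

Added example, not SEI's or NIST's code. The SAMPLE module is constructed; the CWE ids
are taken from MITRE's CWE list (they do not appear on the slide).
"""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Names that usually hold credentials (CWE-798 Use of Hard-coded Credentials).
CREDENTIAL_NAME = re.compile(r"pass(word)?|secret|token|api_?key", re.IGNORECASE)
# Function names that suggest the value must be unpredictable (CWE-340 Generation of
# Predictable Numbers or Identifiers); random.* is not a CSPRNG, secrets.* is.
SECURITY_CONTEXT = re.compile(r"token|secret|key|nonce|session|otp", re.IGNORECASE)
WEAK_PRNG_CALLS = {"random", "randint", "choice", "getrandbits", "randrange"}


@dataclass(frozen=True)
class Finding:
    cwe: str
    line: int
    detail: str


class Checker(ast.NodeVisitor):
    """Walks the syntax tree once, tracking which function it is inside."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self._funcs: list[str] = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._funcs.append(node.name)
        self.generic_visit(node)
        self._funcs.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                name = target.id if isinstance(target, ast.Name) else getattr(target, "attr", "")
                if CREDENTIAL_NAME.search(name):
                    self.findings.append(Finding("CWE-798", node.lineno, f"literal assigned to {name}"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "random" and func.attr in WEAK_PRNG_CALLS
                and any(SECURITY_CONTEXT.search(f) for f in self._funcs)):
            self.findings.append(Finding("CWE-340", node.lineno, f"random.{func.attr}() in {self._funcs[-1]}()"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Return findings sorted by line; the source is parsed, never executed (analysis at rest)."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed module under test: one hard-coded credential, one predictable token.
SAMPLE = """\
import random
import secrets

DB_PASSWORD = "hunter2"
API_TIMEOUT = "30"

def make_session_token():
    return str(random.getrandbits(64))

def make_csrf_token():
    return secrets.token_hex(16)

def shuffle_deck(cards):
    random.shuffle(cards)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.cwe} line {f.line}: {f.detail}")
```

The two rules are deliberately narrow: `make_csrf_token` uses the `secrets` module and `shuffle_deck` is not a security context, so neither is reported. Real SAST engines add data-flow tracking on top of this kind of pattern match, which is what lets them follow a value from input to a sink instead of judging a single statement.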


Dynamic Application Security Testing (DAST)

Can be thought of as black-hat or black-box testing.

- "Detect conditions indicative of a security vulnerability in an application in its running state" – Gartner [1]
- DAST tools run on operating code, detecting issues with interfaces, requests, responses, scripting (i.e. JavaScript), data injection, sessions, authentication and more
- Fuzzing is throwing known invalid and unexpected test cases at an application, often in large volume

[1] Gartner - (URL truncated in the transcription) tion-security-testing-dast
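The fuzzing bullet above is the one DAST technique that is easy to show end to end. The following is an added example (not SEI's, Gartner's or any DAST product's code) of an in-process fuzz harness: it feeds known-invalid boundary cases plus a few hundred randomly mutated inputs to a small parser while it runs, and separates inputs the parser rejects through its documented error (expected) from inputs that make it fail some other way (a finding). The parser under test, its latent defect, the seeds and the mutation rules are all constructed; the `fixed=True` path shows the same harness used to verify the remediation.

```python
"""In-process fuzz harness in the spirit of the slide's fuzzing bullet: throw known-invalid and
unexpected inputs at running code, in volume, and separate clean rejections from unplanned
failures. Added example, not SEI's or Gartner's code; the parser under test, the seeds and
the mutation rules are all constructed.
"""
from __future__ import annotations

import random
from typing import Callable


class ParseError(ValueError):
    """The parser's documented way of rejecting bad input: an expected outcome, not a bug."""


def parse_kv(line: str, fixed: bool = False) -> dict[str, str]:
    """Constructed target: parses 'k=v;k2=v2'. With fixed=False it carries a latent defect:
    a field such as 'a=b=c' makes the unpack raise a plain ValueError instead of ParseError."""
    if not line:
        raise ParseError("empty input")
    out: dict[str, str] = {}
    for field in line.split(";"):
        if "=" not in field:
            raise ParseError(f"missing '=' in {field!r}")
        key, value = field.split("=", 1) if fixed else field.split("=")
        out[key.strip()] = value
    return out


# Inputs every run tries first: the classic boundary cases.
BOUNDARY_CASES = ["", "=", "a=b=c", ";", "a==b", "\x00", "k=" + "v" * 10_000]


def _truncate(s: str, r: random.Random) -> str:
    return s[: r.randrange(len(s) + 1)]


def _insert_special(s: str, r: random.Random) -> str:
    i = r.randrange(len(s) + 1)
    return s[:i] + r.choice(["=", ";", "==", "\x00", "\uffff"]) + s[i:]


def _repeat(s: str, r: random.Random) -> str:
    return s * r.randint(2, 20)


def _junk(s: str, r: random.Random) -> str:
    return "".join(chr(r.randrange(1, 0x3000)) for _ in range(r.randint(1, 40)))


MUTATORS = [_truncate, _insert_special, _repeat, _junk]


def fuzz(target: Callable[[str], object], seeds: list[str],
         iterations: int = 500, seed: int = 1) -> dict[str, str]:
    """Return {exception type name: first input that triggered it} for unplanned failures.
    ParseError is the target's contract for bad input, so it is not counted."""
    rng = random.Random(seed)          # fixed seed makes a run reproducible for triage
    crashes: dict[str, str] = {}

    def probe(case: str) -> None:
        try:
            target(case)
        except ParseError:
            return                      # rejected cleanly: expected
        except Exception as exc:        # anything else is a finding
            crashes.setdefault(type(exc).__name__, case)

    for case in BOUNDARY_CASES:
        probe(case)
    for _ in range(iterations):
        case = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):
            case = rng.choice(MUTATORS)(case, rng)
        probe(case)
    return crashes


SEEDS = ["user=alice;role=viewer", "k=v"]   # constructed valid inputs to mutate from

if __name__ == "__main__":
    print("defective parser:", fuzz(parse_kv, SEEDS))
    print("fixed parser:    ", fuzz(lambda s: parse_kv(s, fixed=True), SEEDS))
```

The harness only knows the target's contract (ParseError means "rejected"), not its internals, which is the black-box property the slide describes. Against a networked application the `target` callable would send a request and classify the response, and the same "expected rejection versus unplanned failure" split is what turns noise into findings.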


Origin Analysis / Software Composition Analysis (SCA)

- SCA tools examine software to determine the origins of all components and libraries
- Most effective finding common and popular libraries and components, particularly open source pieces
- Compares modules found in code to list of known vulnerabilities
- Tools can run on source code, byte code, binary code or some combination
- Almost all use NIST National Vulnerability Database CVEs: https://nvd.nist.gov/
- Finds components that are out of date and/or have patches available

"Software Governance processes that depend on manual inspection are guaranteed to fail." - Diego Lo Guidice, Forrester [1]

[1] Lo Guidice, Diego. Use DevOps And Supply Chain Principles To Automate Application Delivery Governance. Forrester. November 10, 2016.
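The two SCA checks named above, comparing discovered components against a list of known vulnerabilities and flagging components with newer releases, reduce to version comparison against a catalogue. The following is an added example (not SEI's, Forrester's or any SCA product's code) that reads a constructed pin-style manifest, resolves each component against a small advisory catalogue and a "latest release" table, and reports both kinds of hit. The CVE-2015-3429 entry restates the example from the CWE/CVE slide; the second advisory id is a labelled placeholder, and the component names, versions and manifest are constructed.

```python
"""Toy SCA/origin-analysis step: read a constructed dependency manifest, compare each
component against a vulnerability catalogue and against the newest known release, and
report vulnerable and out-of-date components. Added example, not SEI's or Forrester's code.
The CVE-2015-3429 entry restates the slide's example; the other catalogue entry, the
manifest, the component names and the 'latest version' table are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only: '3.3.1' -> (3, 3, 1). Comparing tuples, not strings,
    is what makes '1.10' sort after '1.9'. Real SCA tools handle far richer schemes."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict[str, str]:
    """Pin-style lines ('name==version'); blank lines and '#' comments are skipped."""
    inventory: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    component: str
    fixed_in: str      # first version that is no longer affected
    summary: str


CATALOGUE = [
    Advisory("CVE-2015-3429", "genericons", "3.3.1",
             "XSS via fragment identifier in example.html (from the slide)"),
    Advisory("CVE-0000-PLACEHOLDER", "acme-logger", "2.0.0",
             "placeholder advisory, not a real CVE"),
]

# Constructed 'newest release' table, the kind of data a tool pulls from a package index.
LATEST = {"genericons": "3.3.1", "acme-logger": "2.1.0", "acme-http": "1.4.0"}

MANIFEST = """\
# constructed dependency pins
genericons==3.2.0
acme-logger==2.0.3
acme-http==1.4.0    # up to date
"""


def vulnerable_components(inventory: dict[str, str], catalogue: list[Advisory]) -> list[tuple[str, str, str]]:
    """(component, installed version, advisory id) for every advisory whose fix the install predates."""
    hits = []
    for adv in catalogue:
        installed = inventory.get(adv.component)
        if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv.component, installed, adv.vuln_id))
    return hits


def outdated_components(inventory: dict[str, str], latest: dict[str, str]) -> list[tuple[str, str, str]]:
    """(component, installed version, latest version) where a newer release exists."""
    return [(name, ver, latest[name]) for name, ver in inventory.items()
            if name in latest and parse_version(ver) < parse_version(latest[name])]


if __name__ == "__main__":
    inv = parse_manifest(MANIFEST)
    for comp, ver, vid in vulnerable_components(inv, CATALOGUE):
        print(f"VULNERABLE {comp} {ver}: {vid}")
    for comp, ver, new in outdated_components(inv, LATEST):
        print(f"OUTDATED   {comp} {ver} -> {new} available")
```

Note the difference between the two reports: `acme-logger` is behind the latest release but at or past the advisory's fixed version, so it is out of date without being known-vulnerable. Production tools replace the manifest parser with discovery across source, byte code and binaries, and replace the inline catalogue with NVD data as the slide describes.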


Application Security Testing Tools Reference Model

CI/CD Development Project (flowchart, reconstructed from its labels):

- Developer commits code
- SCA and SAST run on the committed code
- If tests pass, compile & build
- DAST, IAST and the Database Security Scanner run against the build
- If tests pass, release
- If tests fail, report findings and block release; remediate
- Correlation Tools & ASTO span the whole pipeline
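The reference model puts correlation tools across the pipeline and a pass/fail gate before release. The following is an added example (not SEI's code, and not any correlation product's logic) of that step: it takes findings reported by SAST, IAST, DAST and SCA on one build, collapses reports that describe the same weakness at the same location, ranks them with corroborated findings first, and returns the release decision. The tool outputs are constructed; the CWE ids are from MITRE's list and the CVE is the one on the slides.

```python
"""Correlation-and-gate step from the reference model: merge what SAST, DAST, IAST and SCA
reported, collapse reports that describe the same weakness at the same place, rank them,
and decide whether the release is blocked. Added example, not SEI's code. The tool outputs
are constructed; the CWE ids are from MITRE's list and the CVE is the slide's example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class ToolFinding:
    tool: str        # sast | dast | iast | sca
    weakness: str    # CWE id for code findings, advisory id for SCA
    location: str    # file:line, request path, or component@version
    severity: str


# Constructed output of four tool types run on one build.
RAW_FINDINGS = [
    ToolFinding("sast", "CWE-89", "app/db.py:42", "high"),
    ToolFinding("iast", "CWE-89", "app/db.py:42", "medium"),      # same flaw, seen at runtime
    ToolFinding("dast", "CWE-79", "/search", "medium"),
    ToolFinding("sca", "CVE-2015-3429", "genericons@3.2.0", "medium"),
    ToolFinding("sast", "CWE-798", "app/config.py:7", "low"),
]


def correlate(findings: list[ToolFinding]) -> list[dict]:
    """One record per (weakness, location). Severity is the highest any tool assigned;
    a record is 'corroborated' when more than one tool type reported it."""
    groups: dict[tuple[str, str], list[ToolFinding]] = defaultdict(list)
    for f in findings:
        groups[(f.weakness, f.location)].append(f)
    merged = []
    for (weakness, location), group in groups.items():
        tools = sorted({f.tool for f in group})
        merged.append({
            "weakness": weakness,
            "location": location,
            "tools": tools,
            "severity": max((f.severity for f in group), key=SEVERITY_RANK.__getitem__),
            "corroborated": len(tools) > 1,
        })
    # Highest severity first, corroborated findings ahead of single-tool ones at equal severity.
    return sorted(merged, key=lambda m: (-SEVERITY_RANK[m["severity"]], not m["corroborated"], m["weakness"]))


def release_decision(merged: list[dict], block_at: str = "high") -> tuple[str, list[dict]]:
    """'block' with the blocking records when any finding reaches block_at, else 'release'."""
    blocking = [m for m in merged if SEVERITY_RANK[m["severity"]] >= SEVERITY_RANK[block_at]]
    return ("block" if blocking else "release", blocking)


if __name__ == "__main__":
    merged = correlate(RAW_FINDINGS)
    for m in merged:
        flag = "corroborated" if m["corroborated"] else "single-tool"
        print(f'{m["severity"]:8} {m["weakness"]:14} {m["location"]:22} {",".join(m["tools"])} ({flag})')
    verdict, blocking = release_decision(merged)
    print("decision:", verdict, f"({len(blocking)} blocking finding(s))")
```

The value of correlation shows in the first record: SAST and IAST each reported the same SQL-injection sink, and merging them both removes a duplicate ticket and raises confidence that the finding is real. The `block_at` threshold is the policy knob the "if tests fail, block release" box in the model represents.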

A Simple AST Decision Flow

If I can only implement one AST tool, which type should I use?

The flowchart branches on three questions and ends in one of three tool types:

- Is the application written in-house?
- Are a lot of 3rd party and open source components used?
- Do you have access to the source code?

Outcomes: SAST, DAST, SCA. (The YES/NO arrows connecting the questions to the outcomes are not recoverable from the transcription.)

AST Tool Type Decision Factors

(Slide content is a table; only the title survives in the transcription.)

AST Tool Type Decision Factors Summary

- Examining each factor will allow you to build a list of AST tool types to consider. Some factors may push you to a certain type and other factors will push you away from that tool type.
- Ideally you will implement a combination of tools. SAST, DAST, and SCA should be used in combination whenever possible. Use IAST and Hybrid tools if needed to get the most coverage.
- In cases where only one or two tool types can be considered, the decision factors should help you prioritize what can be done.
- A strong understanding of traditional SAST, DAST, and SCA is useful for making decisions on MAST, IAST, and ASTaaS.
- Correlation, Test Coverage and ASTO tools can improve the performance and impact of the other AST tool types.

