Monday, November 7, 2011

Dynamic scanning is the tip of the iceberg

Here's a funny thought I had today, and hopefully one that will not put me out on the streets.

Dynamic web application security testing tools ("DAST") such as HP WebInspect, HP QAInspect, and HP AMP are just the tip of the iceberg. They are the first tool set a new security program sees and starts with, but they are by no means the full program. Fortify Software has been saying this for years. In their view, ostensibly as purveyors of code analysis tools ("SAST"), only beginners depend on dynamic scanners. And you know, they are right to some degree.

Certainly implementing a DAST tool is the quickest thing to do to help your broken system and begin to catch those security defects. It is also cheaper and faster to enact than the true solution, the implementation of a full Secure Software Assurance program or Secure SDLC à la OpenSAMM. Too many companies check for security only in a silo, right before the code goes out the door. Too frequently the security testers are portrayed as the bad guys, the bottleneck that gums up the product releases. This is partly why HP QAInspect exists: once upon a time SPI Dynamics customers experienced bottlenecks from having HP WebInspect used only in the final stages of approval, with no security testing earlier in the cycle.

We all know that secure code is better than insecure code. The Rugged Software Manifesto, OWASP, and many others have been trying to make security an integral part of the development process. This is where the largest portion of our security iceberg is found: mature processes, system governance, streamlined efforts, and security baked in. This requires reviews and changes to the current development process, but the ultimate outcome will be code that is self-hardened. Then the security team can serve as the trusted advisers they should be, focusing on the logic attacks and the tougher issues inherent in implemented code.

Dynamic scanners still serve a purpose. Auditors need them. There are classes of vulnerabilities that arise from the deployed implementation or its configuration and are not visible at the code level. These scanners can operate in the absence of code access. And with periodic post-production test runs, they can identify new zero-day vulnerabilities that are live on the company web sites even after the full SSA process has been completed. So if your company just got real with a new dynamic scanner, welcome aboard, now get to work!



~~~~ Habeas Data
