2. Copyright - iAppSecure Solutions
External DAST (≠ DAST)
• Limitation of request / response-only analysis
• Fuzzing, guesswork, trial and error or symptom based detection
• Lack of internal visibility and risk associated with vulnerabilities missed
• Manual cost of validating vulnerabilities and finding additional vulnerabilities
SAST
• Frustration with the noise produced and the effort spent removing it
• Lack of external perspective and end-to-end visibility
• Lack of concrete value based view and detection
• Manual cost of validating vulnerabilities and finding additional vulnerabilities
Hybrid 1.0
• Correlation is not a solution to the problem of finding vulnerabilities accurately
• Correlation simply cannot overcome fundamental deficiencies of the analyzers
• Correlated vulnerabilities are not an indication of severity, exploitability or priority
• False negatives reduced but sum of undesirable false positives is inherited as well
• Hybrid – DAST and SAST result based correlation
• Shortcut approach which preserves existing investment
• Issues with URL to source based correlation
• Marginal gains in improvement of dynamic coverage because of lack of context
[Diagram: DAST results and SAST results feeding into Correlated Results]
Hybrid 2.0
• Correlation logic more effective but again fundamental problems with correlation based approach remain same
• Hybrid – DAST with instrumentation based feedback and stack trace based correlation with SAST
• Coarse instrumentation / stack trace based approach
• Shifts visibility point but entire application logic in between is still black box
• Instrument what? Application or library function execution?
• Instrument how much? Application details or limited library functions executed?
• Small gains in improvement of dynamic coverage because of lack of context
[Diagram: DAST with instrument / stack trace feedback, correlated with SAST into Correlated Results]
IAST
• Very broad interpretation (interactive is one aspect)
• Under the hood (approach matters)
• Instrumentation Technology – Limited (Source, Sink, Propagation) or Advanced?
• Analysis Technology – Concrete, Symbolic or Interweaved?
• Operation – Passive, Active or Multi-way?
• Modeling – Function Level with Limited API or Application Level with High Resolution?
• Visibility
    • Screen / Use Case
    • Request / Response
    • Application Flow
• Analysis Technique
    • Concrete
    • Symbolic
    • Interweaved
• Application Trace
• Language Support
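To make the "Limited (Source, Sink, Propagation)" instrumentation model concrete, here is an added example (not iAppSecure code) of a minimal runtime taint tracker: a source hook marks request parameters as untrusted, a few modelled string operations propagate the mark, and a sink hook reports when marked data reaches a query API. The second handler shows the limitation of the approach: propagation through an operation the agent did not model silently drops the taint. All names and the sample parameters are constructed for illustration.

```python
class Tainted(str):
    """A str carrying the label of the untrusted source it came from."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Propagation hooks: only the operations modelled here keep the taint.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars), self.source)


def source_hook(params, name):
    """Source: wrap a request parameter as tainted when the app reads it."""
    return Tainted(params[name], source=f"request.param:{name}")


def sink_hook(kind, value):
    """Sink: return a finding if tainted data reaches a dangerous API, else None."""
    if isinstance(value, Tainted):
        return {"sink": kind, "source": value.source, "value": str(value)}
    return None


def handler_detected(params):
    """App flow the agent can follow: strip() and '+' are modelled, taint survives."""
    user = source_hook(params, "user").strip()
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    return sink_hook("sql.execute", query)


def handler_missed(params):
    """Same flaw, but str.format() is not modelled: the fresh result string
    carries no taint, so the limited agent reports nothing (a false negative)."""
    user = source_hook(params, "user")
    query = "SELECT * FROM users WHERE name = '{}'".format(user)
    return sink_hook("sql.execute", query)
```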
Summary
• Every analysis technique has strengths and weaknesses
• Standalone analyzers
    • Are monolithic and cannot improve based on observations of other analyzers
    • Cannot contribute towards improving other analyzers
• Using limited techniques like DAST, SAST, IAST
    • Is not adequate for getting higher accuracy, assurance or complete visibility
    • Misses out very valuable information which can drastically improve the analyzers' results
• Hybrid approach
    • Uses correlation, which is not a solution to the problem of finding vulnerabilities accurately
    • Correlation simply cannot overcome fundamental deficiencies of the analyzers
• An accurate application model
    • Provides a huge wealth of information about the application (nuts and bolts of the application)
    • Must be the foundation for any analysis requiring higher assurance