SlideShare a Scribd company logo

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations

iAppSecure Solutions
iAppSecure Solutions

Comparing different methodologies for application security.

Technology
1 of 8
Current Approaches and Limitations
Copyright - iAppSecure Solutions External DAST (≠ DAST) • Limitation with request / response only analysis • Fuzzing, guesswork, trial and error or symptom based detection • Lack of internal visibility and risk associated with vulnerabilities missed • Manual cost of validating vulnerabilities and finding additional vulnerabilities ? ? ? ? ? ? ? ?
Copyright - iAppSecure Solutions ? SAST • Frustration with noise produced and efforts in removing them • Lack of external perspective and end-to-end visibility • Lack of concrete value based view and detection • Manual cost of validating vulnerabilities and finding additional vulnerabilities ? ? ? ? ?
Copyright - iAppSecure Solutions Hybrid 1.0 • Correlation is not a solution to the problem of finding vulnerabilities accurately • Correlation simply cannot overcome fundamental deficiencies of the analyzers • Correlated vulnerabilities is not an indication of severity, exploitability or priority • False negatives reduced but sum of undesirable false positives is inherited as well • Hybrid – DAST and SAST result based correlation • Shortcut approach which preserves existing investment • Issues with URL to source based correlation • Marginal gains in improvement of dynamic coverage because of lack of context DAST SAST Correlated Results
Copyright - iAppSecure Solutions Hybrid 2.0 • Correlation logic more effective but again fundamental problems with correlation based approach remain same • Hybrid – DAST with instrumentation based feedback and stack trace based correlation with SAST • Coarse instrumentation / stack trace based approach • Shifts visibility point but entire application logic in between is still black box • Instrument what ? application or library function execution ? • Instrument how much ? application details or limited library functions executed ? • Small gains in improvement of dynamic coverage because of lack of context DAST SAST Correlated Results Instrument / Stack Trace Feedback
Copyright - iAppSecure Solutions IAST • Very broad interpretation (interactive is one aspect) • Under the hood (approach matters) • Instrumentation Technology – Limited (Source, Sink, Propagation) or Advanced ? • Analysis Technology – Concrete, Symbolic or Interweaved ? • Operation – Passive, Active or Multi-way ? • Modeling – Function Level with Limited API or Application Level with High Resolution ? • Visibility • Screen / Use Case • Request / Response • Application Flow • Analysis Technique • Concrete • Symbolic • Interweaved • Application Trace • Language Support
Copyright - iAppSecure Solutions Summary • Every analysis technique has strengths and weaknesses • Standalone analyzers • Are monolithic and cannot improve based on observations of other analyzers • Cannot contribute towards improving other analyzers • Using limited techniques like DAST, SAST, IAST • Is not adequate for getting higher accuracy, assurance or complete visibility • Misses out very valuable information which can drastically improve the analyzers results • Hybrid approach • Use correlation which is not a solution to the problem of finding vulnerabilities accurately • Correlation simply cannot overcome fundamental deficiencies of the analyzers • An accurate application model • Provides huge wealth of information about application (nuts and bolts of application) • Must be the foundation for any analysis requiring higher assurance
Copyright - iAppSecure Solutions Thank You • iAppSecure Solutions • www.iappsecure.com • contact@iappsecure.com

Recommended

SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Pasta Threat Modeling
Pasta Threat ModelingPasta Threat Modeling
Pasta Threat ModelingEC-Council
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 

Recommended

SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Pasta Threat Modeling
Pasta Threat ModelingPasta Threat Modeling
Pasta Threat ModelingEC-Council
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Jim Gilsinn
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREADchuckbt
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsPaul Green
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to TenableBharat Jindal
 
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...Edureka!
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020Jiunn-Jer Sun
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centersBrencil Kaimba
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
iAppSecure - Brief on the Company
iAppSecure - Brief on the CompanyiAppSecure - Brief on the Company
iAppSecure - Brief on the CompanyiAppSecure Solutions
 
2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls FactoryNathan Anderson
 

More Related Content

What's hot

Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Jim Gilsinn
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREADchuckbt
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsPaul Green
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to TenableBharat Jindal
 
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...Edureka!
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020Jiunn-Jer Sun
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centersBrencil Kaimba
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 

What's hot (20)

Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
 
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 

Similar to DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations

2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls FactoryNathan Anderson
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
From the Frontline of RASP Adoption
From the Frontline of RASP AdoptionFrom the Frontline of RASP Adoption
From the Frontline of RASP AdoptionGoran Begic
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareErika Barron
 
Questions for successful test automation projects
Questions for successful test automation projectsQuestions for successful test automation projects
Questions for successful test automation projectsDaniel Ionita
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwarePerforce
 
Building a Test Automation Strategy for Success
Building a Test Automation Strategy for SuccessBuilding a Test Automation Strategy for Success
Building a Test Automation Strategy for SuccessLee Barnes
 
Advancing Testing Program Maturity in your organization
Advancing Testing Program Maturity in your organizationAdvancing Testing Program Maturity in your organization
Advancing Testing Program Maturity in your organizationRamkumar Ravichandran
 
The elusive root cause
The elusive root causeThe elusive root cause
The elusive root causeneebula
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
Towards Responsible AI - KC.pptx
Towards Responsible AI - KC.pptxTowards Responsible AI - KC.pptx
Towards Responsible AI - KC.pptxLuis775803
 
Chapter 13 software testing strategies
Chapter 13 software testing strategiesChapter 13 software testing strategies
Chapter 13 software testing strategiesSHREEHARI WADAWADAGI
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Cigital
 
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data AnalyticsAudit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data AnalyticsCaseWare IDEA
 
MediaEval 2018: Baseline Algorithms for Predicting the Interest in News
MediaEval 2018: Baseline Algorithms for Predicting the Interest in NewsMediaEval 2018: Baseline Algorithms for Predicting the Interest in News
MediaEval 2018: Baseline Algorithms for Predicting the Interest in Newsmultimediaeval
 

Similar to DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations (20)

iAppSecure - Brief on the Company
iAppSecure - Brief on the CompanyiAppSecure - Brief on the Company
iAppSecure - Brief on the Company
 
2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
Embedded world 2017
Embedded world 2017Embedded world 2017
Embedded world 2017
 
From the Frontline of RASP Adoption
From the Frontline of RASP AdoptionFrom the Frontline of RASP Adoption
From the Frontline of RASP Adoption
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
 
Questions for successful test automation projects
Questions for successful test automation projectsQuestions for successful test automation projects
Questions for successful test automation projects
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
Building a Test Automation Strategy for Success
Building a Test Automation Strategy for SuccessBuilding a Test Automation Strategy for Success
Building a Test Automation Strategy for Success
 
Advancing Testing Program Maturity in your organization
Advancing Testing Program Maturity in your organizationAdvancing Testing Program Maturity in your organization
Advancing Testing Program Maturity in your organization
 
The elusive root cause
The elusive root causeThe elusive root cause
The elusive root cause
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Towards Responsible AI - KC.pptx
Towards Responsible AI - KC.pptxTowards Responsible AI - KC.pptx
Towards Responsible AI - KC.pptx
 
Chapter 13 software testing strategies
Chapter 13 software testing strategiesChapter 13 software testing strategies
Chapter 13 software testing strategies
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
 
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data AnalyticsAudit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
 
MediaEval 2018: Baseline Algorithms for Predicting the Interest in News
MediaEval 2018: Baseline Algorithms for Predicting the Interest in NewsMediaEval 2018: Baseline Algorithms for Predicting the Interest in News
MediaEval 2018: Baseline Algorithms for Predicting the Interest in News
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations

  • 2. Copyright - iAppSecure Solutions External DAST (≠ DAST) • Limitation with request / response only analysis • Fuzzing, guesswork, trial and error or symptom based detection • Lack of internal visibility and risk associated with vulnerabilities missed • Manual cost of validating vulnerabilities and finding additional vulnerabilities ? ? ? ? ? ? ? ?
  • 3. Copyright - iAppSecure Solutions ? SAST • Frustration with noise produced and efforts in removing them • Lack of external perspective and end-to-end visibility • Lack of concrete value based view and detection • Manual cost of validating vulnerabilities and finding additional vulnerabilities ? ? ? ? ?
  • 4. Copyright - iAppSecure Solutions Hybrid 1.0 • Correlation is not a solution to the problem of finding vulnerabilities accurately • Correlation simply cannot overcome fundamental deficiencies of the analyzers • Correlated vulnerabilities is not an indication of severity, exploitability or priority • False negatives reduced but sum of undesirable false positives is inherited as well • Hybrid – DAST and SAST result based correlation • Shortcut approach which preserves existing investment • Issues with URL to source based correlation • Marginal gains in improvement of dynamic coverage because of lack of context DAST SAST Correlated Results
  • 5. Copyright - iAppSecure Solutions Hybrid 2.0 • Correlation logic more effective but again fundamental problems with correlation based approach remain same • Hybrid – DAST with instrumentation based feedback and stack trace based correlation with SAST • Coarse instrumentation / stack trace based approach • Shifts visibility point but entire application logic in between is still black box • Instrument what ? application or library function execution ? • Instrument how much ? application details or limited library functions executed ? • Small gains in improvement of dynamic coverage because of lack of context DAST SAST Correlated Results Instrument / Stack Trace Feedback
  • 6. Copyright - iAppSecure Solutions IAST • Very broad interpretation (interactive is one aspect) • Under the hood (approach matters) • Instrumentation Technology – Limited (Source, Sink, Propagation) or Advanced ? • Analysis Technology – Concrete, Symbolic or Interweaved ? • Operation – Passive, Active or Multi-way ? • Modeling – Function Level with Limited API or Application Level with High Resolution ? • Visibility • Screen / Use Case • Request / Response • Application Flow • Analysis Technique • Concrete • Symbolic • Interweaved • Application Trace • Language Support
  • 7. Copyright - iAppSecure Solutions Summary • Every analysis technique has strengths and weaknesses • Standalone analyzers • Are monolithic and cannot improve based on observations of other analyzers • Cannot contribute towards improving other analyzers • Using limited techniques like DAST, SAST, IAST • Is not adequate for getting higher accuracy, assurance or complete visibility • Misses out very valuable information which can drastically improve the analyzers results • Hybrid approach • Use correlation which is not a solution to the problem of finding vulnerabilities accurately • Correlation simply cannot overcome fundamental deficiencies of the analyzers • An accurate application model • Provides huge wealth of information about application (nuts and bolts of application) • Must be the foundation for any analysis requiring higher assurance
  • 8. Copyright - iAppSecure Solutions Thank You • iAppSecure Solutions • www.iappsecure.com • contact@iappsecure.com