This session was originally shown at Black Hat USA 2020.
Overview
A successful Application Security Program requires a happy marriage between people, processes, and technology.
In this on-demand webinar, NetSPI Field CISO Nabil Hannan and Head of Emerging Technology Jake Reynolds explore:
- How leading organizations use different discovery techniques as part of their AppSec program
- Strengths and weaknesses of common AppSec vulnerability discovery technologies
- Techniques that make security frictionless for your developers as they embrace a DevSecOps culture
- How functional your application security program can be with a “makeover” to:
  - Enhance your reporting to empower leadership to optimize your AppSec program
  - Improve your vulnerability ingestion, correlation, and enrichment
  - Increase your speed to remediation
Key highlights:
- 0:35 – Pre-renovation
- 1:28 – Application vulnerability discovery techniques
- 7:30 – Post-renovation
- 10:50 – NetSPI’s platform demo
Pre-Renovation
If you’re considering giving your application security program an extreme makeover, you’ll likely notice some telltale signs that your AppSec program is in need of renovation.
Some of those signs include:
- New and immature AppSec programs are reactive
- Security testing is performed ad-hoc
- Vulnerabilities and remediation efforts aren’t managed centrally
- Organizations face challenges conveying the value of AppSec efforts and investment
Application Vulnerability Discovery Techniques
When it comes to application vulnerability discovery techniques, a few traditional techniques are more commonly used while emerging ones are gaining adoption and popularity. Traditional techniques include:
- Static application security testing (SAST) and manual code review
- Dynamic application security testing (DAST) and manual pentesting
- Manual inventory of OSS usage
Emerging techniques include:
- Interactive application security testing (IAST)
- Real-time application self-protection (RASP)
- Software composition analysis (SCA)
Common Discovery Tool Types
As you decide how you want to renovate your AppSec program, there are many different options to consider, including the following:
- SAST and DAST
  - Challenging to deploy and manage in large organizations
  - Noisy (high false positive rates out of the box)
  - Long scan times
  - Quality of results varies significantly between SAST and DAST products
  - Security expertise required to interpret results and remove false positives
- Interactive application security testing (IAST)
  - Most popular IAST products are passive
  - Quality of results driven by test automation and QA test coverage
  - Easy to integrate into CI/CD pipelines
  - Seamless to the development organization
  - Low false positive rates
- Real-time self-protection (RASP)
  - Challenging to deploy and manage in large organizations
  - The level of effort to deploy is almost the same as fixing vulnerabilities
  - Provides protection from common vulnerabilities getting exploited
- Software composition analysis (SCA)
  - Identifies known security vulnerabilities in components being used
  - Doesn’t identify new vulnerabilities in source code
  - Challenging to deploy at scale in large organizations
  - Creates a bill of materials (BOM) of open source components
Post-Renovation
Once you’ve determined what’s working with your application security program and which parts need a makeover, it’s important to take the following into consideration:
- Build a centralized system of record to manage all AppSec activities
- Strategize an effective approach to AppSec with multiple touchpoints
- Integrate technology into processes as appropriate
- Enable automation to assign people to strategic tasks/activities
Next-Gen AppSec Infrastructure
Your next-generation application security infrastructure should be built around all of your testing initiatives, including SAST, DAST, IAST, RASP, and SCA. Under each type of testing activity, the infrastructure covers project management, testing, ticketing, reporting, and remediation.
At the center of this infrastructure is a rock-solid threat and vulnerability management platform. NetSPI’s Resolve™ platform is built to be the warehouse for all of your data and can manage your entire S-SDLC within the product.
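The ingestion, correlation, and enrichment step at the core of that architecture can be illustrated with a small Python pipeline. This is an added example, not NetSPI’s Resolve platform or any vendor’s code: the SAST, DAST, and SCA record formats, the file-to-route map, the CWE severity table, and the advisory identifier are all constructed assumptions. It shows the part that a centralized system of record has to get right before reporting is useful: adapting each tool’s output to one schema, merging findings that describe the same weakness at the same place, and raising the priority of a weakness that static analysis found in code and dynamic testing reproduced at runtime.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample output from three hypothetical scanners (SAST, DAST, SCA).
# Real tools each emit their own schema; these record shapes are assumptions.
SAST_FINDINGS = [
    {"rule": "sql-injection", "cwe": 89, "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "cwe": 798, "file": "app/config.py", "line": 7},
]
DAST_FINDINGS = [
    {"name": "SQL Injection", "cwe": 89, "url": "/api/users", "param": "id"},
    {"name": "Missing X-Frame-Options", "cwe": 1021, "url": "/", "param": None},
]
SCA_FINDINGS = [
    {"package": "jinja2", "version": "2.10", "advisory": "EXAMPLE-ADV-0001", "cvss": 7.5, "cwe": 79},
]

# Constructed mapping from a source file to the route it serves; a real system
# would derive this from the app's routing table or from IAST instrumentation.
ROUTE_MAP = {"app/db.py": "/api/users"}

# Coarse CWE-to-severity table for SAST/DAST findings that carry no CVSS score.
CWE_SEVERITY = {89: "high", 798: "high", 79: "medium", 1021: "low"}
LEVELS = ["info", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    cwe: int
    title: str
    location: str                                  # route, file, or package@version
    severity: str
    sources: set = field(default_factory=set)      # tools that reported it
    details: list = field(default_factory=list)    # raw records kept for triage


def cvss_to_severity(score):
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"


def bump(severity):
    """Raise a severity by one level, capped at critical."""
    return LEVELS[min(LEVELS.index(severity) + 1, len(LEVELS) - 1)]


def normalize(sast, dast, sca):
    """Adapt each tool's records into the common Finding schema."""
    out = []
    for r in sast:
        # Map the file to the route it serves so code findings can line up with DAST hits.
        loc = ROUTE_MAP.get(r["file"], r["file"])
        out.append(Finding(r["cwe"], r["rule"], loc, CWE_SEVERITY.get(r["cwe"], "medium"), {"sast"}, [r]))
    for r in dast:
        out.append(Finding(r["cwe"], r["name"], r["url"], CWE_SEVERITY.get(r["cwe"], "medium"), {"dast"}, [r]))
    for r in sca:
        loc = f'{r["package"]}@{r["version"]}'
        out.append(Finding(r["cwe"], r["advisory"], loc, cvss_to_severity(r["cvss"]), {"sca"}, [r]))
    return out


def correlate(findings):
    """Merge findings that share (CWE, location); keep the highest base severity."""
    merged = OrderedDict()
    for f in findings:
        key = (f.cwe, f.location)
        if key in merged:
            m = merged[key]
            m.sources |= f.sources
            m.details += f.details
            if LEVELS.index(f.severity) > LEVELS.index(m.severity):
                m.severity = f.severity
        else:
            merged[key] = Finding(f.cwe, f.title, f.location, f.severity, set(f.sources), list(f.details))
    return list(merged.values())


def enrich(findings):
    """A weakness seen in code and reproduced at runtime is treated as confirmed and prioritized."""
    for f in findings:
        if {"sast", "dast"} <= f.sources:
            f.severity = bump(f.severity)
    return findings


def build_report(sast=SAST_FINDINGS, dast=DAST_FINDINGS, sca=SCA_FINDINGS):
    """Full pipeline: normalize -> correlate -> enrich; returns the consolidated findings."""
    return enrich(correlate(normalize(sast, dast, sca)))


if __name__ == "__main__":
    for f in build_report():
        print(f"{f.severity:8} CWE-{f.cwe:<4} {f.location:20} {sorted(f.sources)}  {f.title}")
```

On the constructed input the five raw records collapse to four findings: the SAST SQL injection in app/db.py and the DAST SQL injection on /api/users merge into one record attributed to both tools and bumped to critical, while the header finding, the hardcoded secret, and the SCA advisory pass through unchanged. The correlation key (CWE plus canonical location) is deliberately simple; a production system of record would add fingerprints such as rule id and code snippet hash so that the same finding is not reopened on every scan.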
NetSPI Can Help Make Over Your Application Security Program
As attack surfaces continue to expand and evolve, and threat actors become more sophisticated, your AppSec program has room for improvement. Read our in-depth whitepaper, Getting Started on Your Application Security Program, to begin your journey to mature your application security program and reduce risk.
With NetSPI’s offensive security platform, your organization can improve vulnerability management, achieve penetration testing efficiencies, leverage security automation, understand your risk, scale your security program, and manage your attack surface. Learn more – schedule a demo today.