Applications continue to make it to production from development with significant vulnerabilities, a trend borne out by the record number of vulnerabilities recorded in the U.S. CERT Vulnerability database last year. With enterprises continuing to miss vulnerabilities during development testing, one has to wonder what’s missing from the application security testing phase. In this blog article we’ll take a look at some of the common pain points around one phase of pre-production testing, DAST (Dynamic Application Security Testing), the black box testing that simulates attacks against web applications.
Here at K2, we have listened to our customers and compiled the top pain points they have come across during their DAST testing. From those pain points we distilled the top five needs of DAST testing. So, in no particular order, here are the top five needs of the DAST testing cycle:
1) Need to find more vulnerabilities. This first need is probably the most obvious. Because DAST tools don’t discover all the vulnerabilities in an application during the penetration test and scan, there’s a real need to surface additional vulnerabilities during the DAST testing phase. This is one area where K2 Cyber Security can offer significant benefits to an existing DAST environment by finding significant hidden vulnerabilities without having to change your testing setup or methodology. You can read more about how K2 Cyber Security finds significant hidden vulnerabilities during DAST testing in our blog article on the topic.
2) Need to have better vulnerability telemetry. Current DAST tools find vulnerabilities, and will give the type of vulnerability and the payload the DAST server sent to the application that caused the DAST tool to report the vulnerability. But when it comes time to remediate, there’s often not enough information about where the actual vulnerability is in the application to fix it quickly. Getting enough telemetry to locate the actual source of the vulnerability in the application is another DAST testing need. K2 can help here as well, providing significant additional telemetry around the vulnerability, down to the line of code where the vulnerability exists and the exact command that caused the exploit.
3) Fewer false positives (and easy identification of false positives). Current DAST testing tools find vulnerabilities, but it’s often difficult to determine from the DAST results alone whether a discovered vulnerability is real or a false positive generated by the scan. K2 can corroborate a discovered vulnerability and provide the information needed to remediate it quickly, as described in the second need. When K2 doesn’t report on a vulnerability discovered by a DAST tool, that’s often a good indicator to check for a false positive before spending time hunting down a vulnerability with the limited information the DAST tool provides.
4) Faster scan runs. One of the most common complaints about DAST scans is the length of time the scan takes and then the corresponding lengthy time needed to remediate the vulnerabilities discovered by the DAST scan. While there’s not much K2 can do to help with the length of time needed to run the DAST scan, K2 can help reduce the amount of time needed to remediate the vulnerabilities discovered by the DAST scan.
5) Easier configuration and setup. Another common complaint we often hear about DAST scanning and testing is the dizzying array of options that need to be set to configure and run a DAST test. The confusing amount of configuration adds to the time needed to run a DAST scan, stretching out the time needed for the development of the application.
While DAST testing is an absolute requirement for web applications to help ensure as few vulnerabilities make it to production as possible, organizations today do not need to live with the limitations of DAST testing. There are definitely areas where DAST testing can be improved, and K2 Cyber Security can help improve an existing DAST testing and scanning environment without having to change the tests or the methodology.
K2 can help find additional hidden vulnerabilities in pre-production testing and address the lack of remediation guidance and the inadequate quality of security penetration testing results. K2 Cyber Security Platform adds visibility into the threats discovered by penetration and security testing tools in pre-production and can also find additional vulnerabilities during testing that those tools may have missed. K2 can pinpoint the exact location of a discovered vulnerability in the code. When a vulnerability is discovered (for example, SQL Injection, XSS or Remote Code Injection), K2 can disclose the exact file name along with the line of code that contains the vulnerability, details that testing tools typically are unable to provide, enabling developers to start the remediation process quickly.
In addition to helping find additional vulnerabilities and speeding up the remediation process, K2 Cyber Security can also provide deterministic runtime application security that detects zero day attacks, along with well-known attacks. K2 issues alerts based on severity. These actionable alerts provide complete visibility into the attacks and the vulnerabilities they target, including the location of the vulnerability within the application, with details like the file name and line of code where the vulnerability exists.
Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, K2 uses a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation, and verifies the API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has minimal false alerts.
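To make the ideas in needs 2 and 3 and in the paragraph above concrete, here is an added illustrative example, not K2's code and not a description of K2's patented method. It shows one generic way a runtime guard can validate that a database call keeps the structure the code intended: each call site's SQL statement is reduced to a "shape" (string and numeric literals replaced by placeholders) during a benign run, and in enforcement mode a statement whose shape differs is blocked and reported with the file, line and function that issued it plus the exact statement the payload produced, which is the kind of telemetry a DAST result alone lacks. The `sqlite3` in-memory database, the `SqlShapeGuard`/`normalize_shape` names, the shape-normalisation rules and the sample payload are all assumptions constructed for this standalone demo; a vulnerable concatenating query sits beside its parameterised counterpart so the difference in behaviour is visible.

```python
# Added illustrative example (not K2's implementation): a runtime guard that
# compares the *structure* of each SQL statement a call site issues against the
# structure it had when exercised with benign input, and records file/line/function
# telemetry when a payload changes that structure. sqlite3 and the normalisation
# rules are assumptions made for a self-contained demo.
import inspect
import os
import re
import sqlite3


def normalize_shape(sql: str) -> str:
    """Reduce a SQL string to its structural shape: collapse whitespace, then
    replace quoted string literals and bare numbers with placeholders, so data
    values disappear while clauses and operators remain."""
    shape = re.sub(r"\s+", " ", sql).strip()
    shape = re.sub(r"'[^']*'", "'?'", shape)
    shape = re.sub(r"\b\d+\b", "?", shape)
    return shape


class SqlShapeGuard:
    """Per-call-site baseline of intended statement shapes.

    learning=True : record the shape each call site produces (benign traffic).
    learning=False: a shape that differs from the baseline is a structural
    change (e.g. an injected OR clause); the call is blocked and a finding with
    the source location and the exact statement is recorded."""

    def __init__(self):
        self.baseline = {}   # (file, line) -> expected shape
        self.findings = []
        self.learning = True

    def execute(self, conn, sql, params=()):
        caller = inspect.currentframe().f_back   # application frame that issued the query
        site = (os.path.basename(caller.f_code.co_filename), caller.f_lineno)
        shape = normalize_shape(sql)
        expected = self.baseline.get(site)
        if self.learning or expected is None:
            self.baseline[site] = shape
        elif shape != expected:
            self.findings.append({
                "file": site[0],
                "line": site[1],
                "function": caller.f_code.co_name,
                "expected_shape": expected,
                "observed_shape": shape,
                "statement": sql,          # the exact command the payload produced
            })
            return []                      # block the structurally altered statement
        return conn.execute(sql, params).fetchall()


def find_user_vulnerable(guard, conn, name):
    # Vulnerable pattern: the value is concatenated into the statement text.
    return guard.execute(conn, "SELECT id FROM users WHERE name = '" + name + "'")


def find_user_safe(guard, conn, name):
    # Hardened pattern: parameterised query; the statement shape never depends on input.
    return guard.execute(conn, "SELECT id FROM users WHERE name = ?", (name,))


def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    guard = SqlShapeGuard()

    # Phase 1: exercise every call site with benign input to learn the intended shapes.
    baseline_rows = find_user_vulnerable(guard, conn, "alice")
    find_user_safe(guard, conn, "alice")
    guard.learning = False

    # Phase 2: replay the textbook tautology payload a scanner would send (constructed sample).
    payload = "' OR '1'='1"
    vuln_rows = find_user_vulnerable(guard, conn, payload)
    safe_rows = find_user_safe(guard, conn, payload)
    conn.close()
    return {
        "baseline_rows": baseline_rows,   # benign lookup of alice
        "vuln_rows": vuln_rows,           # blocked: shape changed, finding recorded
        "safe_rows": safe_rows,           # no such user, and no finding
        "findings": guard.findings,
    }


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print(f"{f['file']}:{f['line']} in {f['function']}(): statement shape changed")
        print("  expected :", f["expected_shape"])
        print("  observed :", f["observed_shape"])
        print("  statement:", f["statement"])
```

The design point is that the guard needs no signature or prior knowledge of the payload: it only knows what shape each call site produced under benign traffic, so any input that rewrites the statement's structure is caught, while the parameterised call site is never flagged because its shape is constant. Reporting the call site's file, line and function is what turns a scanner's "SQL injection at /users?name=..." into a location a developer can open.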
Get more out of your application security testing and change how you protect your applications, and check out K2’s application workload security solution.