当前位置:网站首页>How to conduct application security test (AST)

How to conduct application security test (AST)

2022-04-23 16:03:00 jimmyleeee

With the application or API Being attacked and used more and more , Although vulnerabilities from open source components exacerbate this phenomenon , however , In fact, it mainly lies in the application or API I didn't take precautions , The root cause is that the quality of the source code itself is not strictly controlled .AST Refer to Application Security Testing, Mainly including static application test (SAST)、 Interactive application testing (IAST)、 Dynamic application testing (DAST) And software component analysis (SCA) Tools such as .

Application testing tools AST It is a tool specially used to detect source code security problems , How to effectively AST Tools are used in the development process , It is also a challenging thing .

take AST Tools are integrated in SDLC Nature is a commonly used good method , Problems in the code can be found as early as possible in the development process , Timely solution , Reduce the possible attack and loss caused by the problem . This is the same. “ Move left safely ” said “ Apply security as early as possible to the beginning of the development process , It's not just late testing that starts to focus on security ”, Because the cost of early discovery is small , Little impact , And the lowest cost .

“ Move left safely ” Very good concept , The key is to know when and how to integrate into SDLC In the process ,AST How often is it enabled . Agile development in particular DevOps The age of the fashion ,SAST How tools can be automatically integrated into the process is crucial .

according to Gartner Of “How to Deploy and Perform Application Security Testing” It is suggested that AST Apply to development phase testing 、 Pre release testing and product line testing . In the development process before product development and release , stay build pipeline Initiate SAST And SCA testing , Before the product goes online , Use IAST/DAST testing , After the product goes online , have access to DAST test . This can ensure that the application is in the process of deployment and use , Is fully tested . Of course, this is not to say that each paragraph can only be tested strictly , Before release , You can also enable SAST perhaps SCA Look at the quality of the released package , As a reference to whether it can be released , It works better . Some products can scan binary files , After the product goes online , You can also scan the security quality status of the running product deployment package regularly .

In the development process , How to make effective use of SAST and SCA It's also a challenge . Use IDE Plug in , Detect in real time when developing and writing code , You can find the problematic code at the first time , In a timely manner to repair , The price is also the lowest . however , When there are a lot of developers , More code submitted at the same time , and SAST and SCA The scanning of is more resource consuming and time consuming , When the request exceeds SAST and SCA When your server can afford it , There will be a queue , It takes a long time , Impact on development efficiency , Even if SAST Support incremental development , Sometimes the queue is long . therefore , The frequency of scanning is too frequent , It may not be a good thing .

Pre release testing , Consider the use of... By the internal security team IAST Tools or DAST Tool testing , You can also consider using a third-party team to test . Tools , At present, there is no particularly good automation DAST, General DAST The test will take a long time , For agile development and DEVOPS for , It's a little uncomfortable . The advantage of using third-party teams is that they can analyze the system from different perspectives , Be able to find the blind spots of the internal team . Although there are automated testing tools , Testing at this stage may be more manual , Because the problems found may affect the release of the product , It is necessary to establish a mechanism or process to deal with serious security problems , Ensure that in case of serious safety problems , All parties have no objection to its handling process . Test results before release , You need to set a security threshold , When there are more than a few security problems at a certain level , Or when there is a certain level of security problem , It is not allowed to publish , If it is urgent to release , This requires an approval process , then , We need to consider how to patch in time in the later stage . The setting of safety threshold is very important , It must be put into the product release standard , Let every team know the standards of product release .

Testing after product launch , We need to pay attention to , Because after all, the product line is already running , In the use of DAST When the tool starts monitoring , Some test examples will affect the normal operation of the product , You need to define the scope of what operations cannot be done , In particular, injection problems like SQL Inject , It may tamper with the data in the database , It is even possible to delete data in the database , Lead to DOS, In reality, testers have used DAST Automatically scan the customer's product environment , Cause the product environment to be scanned and hang up , The final project was not completed , I lost a lot of money . however ,DAST Tools can detect things like XSS This attack , It usually doesn't cause any serious problems . The test on the product line cannot be carried out with a real knife and gun , It's like the martial arts competition of Wulin experts , So far , When using automated tools , You need to set the scanned rule set , Prevent test cases that may seriously affect the product environment . When testing, we also need to pay attention to whether the problems found in the early stage may reappear . Just in case DAST Tools can have an impact on the product environment , It is recommended to use a general account for DAST test , Instead of using admin Or users with higher permissions to test . thus it can be seen , After the product goes online , Think about digging and fixing problems , You need to be careful , And it's expensive .

According to the safety problems found in the early stage test , Summarize , In combination with the protective equipment of the product operating environment WAF、WAAP perhaps RASP, Revise the rules of these tools , So that they can effectively identify the types of security problems found in the early test and prevent relevant attacks in time , It can better improve the protection ability of products .

Because now most of them use cloud environment or data center , And deploy with microservices , One machine may deploy multiple services . In order to ensure that all products and services are in the list of management and monitoring , Have tools to scan assets in the environment often , Prevent some services from being directly deployed to the product environment without strict process control .

AST It can effectively improve the security of the application itself , It should not be an independent activity , It should be well integrated into the development process , Need long-term tracking and improvement , So that it can be integrated into the process in a long-term and efficient way .

For some, there is no way to “ Products that move left safely ”, Including the handling of legacy systems and outsourced systems also need to be cautious , Because any negligence can be exploited by attackers . Legacy systems due to long time , The technologies used may be older technologies and languages , If the source code and purchased SAST Support this language , Priority can be given to SAST The tool scans the results first , Understand the general safety status of the product . about Web In terms of system , Need for protective equipment WAF Rules should also be set for legacy systems , Strengthen protection . For legacy systems , May use DAST It's not suitable , Because the load that the legacy system can bear is not large enough , It's easy to lead to DOS, Affect the normal use of the system . For external systems or interfaces , Focus on manual testing .

When some organizations and units outsource development , Because in the development process, it is impossible to ensure AST Be able to carry out , We need to check the level in the acceptance stage . The quality of products can be explained by asking the development company to provide relevant reports , It is also necessary to add safety related test indicators during acceptance , for example : Use SAST Scan published binary packages , See if the safety problems in the report meet acceptable safety standards , These all need to set the acceptance criteria when outsourcing . For purchased commercial software , It should also be treated like outsourcing software .

If a worker wants to do a good job, he must sharpen his tools first , To push AST, You have to have the right tools , The key of automatic tools is how to solve the problem of false positive rate and false negative rate , The false positive rate is too high , Will affect the user's enthusiasm for the use of tools , Too many omissions , And lost the meaning of using tools . Automation tools are usually customized for public frameworks or open source components , however , Customized frameworks used within organizations do not support , This requires that the tool can support the function of custom rules , Through custom rules, false positives and false negatives can be effectively reduced .【 About how to choose SAST You can refer to :https://blog.csdn.net/jimmyleeee/article/details/123953757】 Easy to understand is an important prerequisite for promoting tools , It is also important that tools can provide easy to understand instructions and solutions . In order to make it easier for developers to understand the principle of security problems and how to fix them , The product has relatively detailed repair guidance scheme and description , It's very important , Some product guidance documents are difficult to understand , It will make it more difficult to use , It also requires manual preparation of relevant materials for training .

AST After finding the problem , How to effectively promote the solution of problems is not a small challenge . Especially in the era of agile development , Each development team has its own project schedule , When security problems arise , How do they deal with ? If it can be found and solved in real time in the development stage , There is no such thing , however , If it is discovered later in the product or after the product is launched , When developing a new version, there will be conflicts when there are daily work arrangements , And the promotion of security issues also needs to develop and learn a new skill , That is how to solve the problem correctly ? This requires a mechanism to ensure the advancement of security issues . The scheme we have adopted is : Let each team have a person dedicated to docking security issues , And define this person's responsibilities within the organization , Provide relevant training , Improve his safety awareness and knowledge . When a project has security problems , First contact the person in charge , Clarify the context of the problem , Corresponding solutions are also provided for reference , Let him be responsible for promoting and solving problems within the team . This scheme really works well , however , One problem is that in companies with large turnover , People in this role may be more mobile , This data list needs to be maintained in time , meanwhile , New people come in , Be able to train in time 【 About the training , If you have online training materials , You can let new people learn by themselves , Plus regular meetings and exchanges , It can ensure everyone's safety awareness and knowledge , This needs to be tracked and recommended .】, In order to effectively promote . Of course, the rectification of a certain vulnerability type will be promoted uniformly within the company in the form of a project , It can also be tried , Because of the establishment of the project , We need to draw one person from each team to participate in the project , The right solution can be investigated in a unified way , You can also communicate and solve problems in time .

Sometimes a security problem is solved , It's a challenge , People who understand security may not know enough about the framework of the product , And developers don't know enough about security , Therefore, the solution of a problem cannot simply rely on some known public solutions , Developers and security personnel need to work together to negotiate a solution . The problems of some frameworks can be solved uniformly , It's best that the security team and developers can provide a common library for all teams to use . however , Need to find developers who are willing to cooperate , Or find competent security personnel who can handle this library , This requires higher requirements for safety personnel , First , Safety knowledge must be excellent , Fully communicate with all teams , The developed library takes into account some possibilities ; secondly , There must be sufficient development knowledge , Be able to understand the development and release process of the company's second-party Library ; Last , It also requires communication and negotiation among various teams , Promote the use of Library and follow-up and solution of later problems .

In order to solve the problem effectively , Need AST Tools can have bug Ability to track system integration , When AST When the tool finds a problem, it can automatically submit the problem to bug System tracking , Development only needs to be done in bug The system tracks all problems in one place , It can reduce the gap between the development team and the security team . Of course , In submission to bug Before the system , We need to ensure that the problem of false positives can be well solved , There is an improvement in the results of the review before the review is submitted , Can help reduce false positives . for example , Some tools scan , The problems found are in an initial state , When reviewed by others , Change the security issue to confirmation status , Then you can synchronize the problem to Bug Tracking system , Solve the problem of false positives . Automated scripts are based on the tools SDK perhaps API Synchronize problems to Bug System , You can improve efficiency .

AST In the research and development process, it is necessary to have , Because it can achieve the following goals :

  1. Reduce the number of vulnerabilities in products running online ;
  2. Find problems early in the product , Reduce the cost and risk of solving vulnerabilities ;

lately , The security community has emerged again Application Security Orchestration and Correlation(ASOC) Tools , It is an automated workflow to simplify vulnerability testing and repair , It combines data from multiple sources (SAST、IAST、DAST as well as SCA etc. ) To achieve test automation .ASOC The tool focuses and prioritizes what remedies to use by correlating and analyzing the problems found , It acts as the management layer between application development and security testing tools , Greatly improve the efficiency of vulnerability repair .

Sometimes in order to actively find safety problems in products , You can also enable the vulnerability reward program , Launch many security enthusiasts to help enterprises find problems on the product line . Benefit by mutual discussion , Of course, many problems can be found . However, it should also be noted that the residual of safety knowledge background of different personnel is uneven , The quality of vulnerabilities submitted is also many , Someone needs to filter it in time . Sometimes the discovery of some serious problems may be time-consuming , Maybe some people will try to get rewards by discovering a large number of low-level vulnerabilities . This low-level vulnerability may not have a direct impact on the system , But once the number increases in an instant , The burden of internal team emergency response will be heavy , Instead, it may affect the vulnerability response time of some severity levels . therefore , When publishing the vulnerability reward plan , It's best to be able to divide the general scope of vulnerability types , There is a clear definition of the severity of the vulnerability and the corresponding reward , Or in a certain period of time , Limit the type of vulnerability , Focus on finding problems in this way , To solve . People rewarded for participating in testing vulnerabilities , You may pay more attention to some interfaces that are easy to find problems and some vulnerability types that are easy to find ( for example :XSS), therefore , There is no way to guarantee the coverage of the test , You can't replace internal security testing with vulnerability reward , It's just a supplement .

All in all ,AST We should make full use of it in the development stage to find the security problems of the code and fix them in time ; In the pre release stage, targeted tests can be carried out according to the results of the previous stage , It's best to use different tools , In this way, different security problems can be found ; After product launch , Vulnerabilities in the configuration and use of components that need attention , Patch it in time . For open applications, whether self-developed or purchased , Several methods and tools must be combined to deeply detect , Prevent the system of untested code from being opened to the public .

版权声明
本文为[jimmyleeee]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/04/202204231557269479.html