Dynamic Application Security Testing (DAST) is an essential part of any application security program and is the frontline of defense. By continuously and automatically testing applications (in production and pre-production environments), organizations get an accurate window into the true risk surface of these applications.
DAST detects a wide variety of technical vulnerabilities including but not limited to the following:
WhiteHat Sentinel Dynamic rapidly and accurately identifies vulnerabilities in websites and web applications. This industry-leading dynamic application security platform strengthens website security and is ready to scale to meet any demand.
Static Application Security Testing (SAST)
Static Application Security Testing (SAST) helps remediate critical code vulnerabilities earlier in the SDLC, before they become security risks. By detecting and remediating vulnerabilities before the software is deployed, organizations can address high-risk issues earlier and reduce the cost of AppSec remediation efforts.
SAST tools cover a variety of technical vulnerabilities including but not limited to the following:
WhiteHat SAST customers use integrated Software Composition Analysis (SCA), which makes it easier to find and identify out-of-date third-party libraries and platforms. Inline SCA scanning embedded with SAST can help educate developers about the internal dependencies of inherited and legacy projects and code.
Mobile Application Security Testing (MAST)
Mobile developers often fail to secure mobile binaries, which are often the source of vulnerabilities and data leakage. Mobile application security focuses on finding and remediating software security vulnerabilities before apps move into production.
Mobile Application Security Testing scrutinizes a wide variety of vulnerabilities and privacy concerns on client, server, and network interaction including, but not limited to, the following:
WhiteHat Sentinel Mobile is an industry-leading mobile application security testing solution that combines dynamic and static automated scanning and optional manual mobile application-layer penetration testing to produce safer mobile apps, faster.
API Security Testing
An Application Programming Interface (API) is a set of protocols and tools for building application software, allowing automation of common processes that interact with services. Most digital businesses rely on APIs to connect services and to transfer data. APIs are also the most common way that microservices and containers communicate.
The increased usage and proliferation of data sharing has increased the attack surface, making APIs the fastest growing attack targets. Unprotected APIs can lead to direct access to sensitive customer data and intellectual property, opening doors to data breaches for otherwise secure and tested applications. Building an effective API security strategy is essential to identify and prevent API attacks.
API security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). Implementing API security testing is critical to prevent well-known attacks such as cross-site scripting (XSS) and SQL injection.
Level 1: Risk discovery and management
A phased approach to building AppSec into the SDLC, combined with monitoring the right set of metrics, results in a sustainable and scalable application security program. Incorporate DAST to discover risk, and use application security statistics such as 'window of exposure' and 'time to fix by risk' as key performance indicators to measure the success of your AppSec program over time.
Level 2: Release Assurance
Aim to ensure that a new release candidate does not add additional risk compared to the application’s current release. Additionally, the organization must aim to ensure that remediation activities have been successful in reducing the application’s risk profile. Integrate DAST and SAST into your software development lifecycle and leverage the application security statistics such as 'average time to fix' and 'vulnerability likelihood by class (SAST)' to baseline your organization's 'Release Assurance' strategy.
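The Level 1 and Level 2 metrics named above ('window of exposure', 'time to fix by risk', 'average time to fix', 'vulnerability likelihood by class') can be computed from a scanner's finding history. The following is an added example, not WhiteHat's own code; it uses constructed findings and assumes these definitions: window of exposure is the number of days in a period on which an application had at least one open finding, time to fix is days from first detection to confirmed remediation, and likelihood by class is the share of assessed applications with at least one finding of that class.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    app: str
    vuln_class: str
    risk: str               # "high" / "medium" / "low"
    opened: date            # date the scanner first reported it
    closed: Optional[date]  # date a rescan confirmed the fix; None = still open

# Constructed sample findings, not real scan output.
FINDINGS = [
    Finding("shop", "SQL Injection", "high", date(2023, 1, 10), date(2023, 1, 20)),
    Finding("shop", "XSS", "medium", date(2023, 1, 15), date(2023, 2, 14)),
    Finding("shop", "XSS", "medium", date(2023, 3, 1), None),
    Finding("portal", "XSS", "medium", date(2023, 1, 5), date(2023, 1, 10)),
    Finding("portal", "Info Leakage", "low", date(2023, 2, 1), date(2023, 3, 3)),
]

def window_of_exposure(findings, app, start, end):
    """Days in [start, end] on which `app` had at least one open finding (assumed definition)."""
    exposed = 0
    day = start
    while day <= end:
        exposed += any(f.opened <= day and (f.closed is None or f.closed > day)
                       for f in findings if f.app == app)
        day += timedelta(days=1)
    return exposed

def time_to_fix_by_risk(findings):
    """Mean days from discovery to confirmed fix, grouped by risk (closed findings only)."""
    days = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            days[f.risk].append((f.closed - f.opened).days)
    return {risk: mean(v) for risk, v in days.items()}

def average_time_to_fix(findings):
    fixed = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return mean(fixed) if fixed else None

def vulnerability_likelihood_by_class(findings, apps):
    """Share of assessed apps with at least one finding of each class."""
    hit = defaultdict(set)
    for f in findings:
        hit[f.vuln_class].add(f.app)
    return {cls: len(a & set(apps)) / len(apps) for cls, a in hit.items()}
```

Run the same functions against two scan snapshots (release candidate versus current release) to check that the candidate's exposure and likelihood figures have not grown, which is the Level 2 baseline described above.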
Level 3: Developer Enablement
Educate and empower developers throughout the SDLC and add AppSec tools to the developer workspace. Organizations must aim to reduce the number of vulnerabilities developers might be introducing into the release pipeline by bringing assessment and education into their workspace. Developers must be provided with application security tools that can be run in the developer's own sandbox to eliminate security issues before they are committed to version control or the release pipeline.