Roberto Velasco
August 19, 2019

Modern DevSecOps Toolchain: Role of an IAST

Adding automation to accelerate the shipment of code is one of the goals of the DevOps movement. However, this speed means less time to validate the security of your applications, APIs, and microservices. Classic Application Security Testing (AST) tools, such as Dynamic AST (black box runtime application scanners) and Static AST (white box analyzers that review the source code), have a place under certain conditions, but they are not an ideal fit for modern DevSecOps toolchains.

We believe that modern DevSecOps practices demand a different security testing approach. Adopting automated deployment and delivery pipelines (CI/CD) means that the system cannot wait for code scans to finish, let alone for the manual review of the resulting vulnerability reports. Moreover, most teams do not have the luxury of dedicated security experts, so interpreting the results of attack tools such as DAST is tricky. Meanwhile, quick development cycles require teams to focus on high-value vulnerabilities first. Lastly, classic ASTs have trouble analyzing compiled code, such as third-party libraries.

How IASTs add the Sec to DevOps

Interactive Application Security Testing tools (IAST or Interactive AST) are a modern class of security detection tools that help teams find vulnerabilities in their applications before they are exploited. Interactive ASTs combine Static and Dynamic techniques: source code visibility through the bytecode, and runtime visibility of the requests being processed. This combination of static white box and dynamic black box techniques provides an ideal platform for security testing, with tangible, high-value benefits for teams adopting IASTs:

1. Higher accuracy:

According to the results of the OWASP Benchmark, an independent scientific test designed specifically to measure the accuracy of security testing tools, the accuracy of IAST tools beats the results obtained by classic Static and Dynamic AST tools. Vulnerability triage is essentially eliminated as there are no false positives.

2. Share security awareness culture through the SDLC:

IASTs bring value to many teams throughout the SDLC because they present strong use cases for developers, QA (staging), and production operations environments. The same tool can be leveraged by multiple groups inside the organization, which creates a shared security awareness culture. All teams speak the same language: instead of only the dynamic view (URL and parameter) or only the static view (file and line), everyone has full visibility of both kinds of data.

3. Real-time detection of vulnerabilities:

There is no need to wait for lengthy scans to finish, because IAST results are available in real time simply by browsing the application; there is no need to attack the application, either. Continuous runtime detection of vulnerabilities is valuable in general, but it is particularly relevant to modern DevSecOps toolchains: the delays inherent to DAST scans are eliminated because vulnerabilities are detected in real time.

4. Actionable feedback:

The vulnerability details provided by IASTs, including the vulnerability severity and the affected source code file and line number, are immediate, actionable feedback that helps developers fix the bugs quickly and efficiently. Other ASTs, such as Dynamic ASTs, cannot point to the vulnerable code, so the developer must spend time validating the finding and locating it in the code.

5. Find vulnerabilities in third-party components:

Modern software development includes more and more external code in the form of open source components and other third-party libraries. IASTs look for vulnerabilities in this external code as well, even when the source code is not available because only the compiled form is shipped.

6. Improves time-to-market without compromising security:

One of the main goals of modern DevSecOps toolchains is to accelerate the time-to-market while producing secure applications. As a consequence of all the points described above, one of the main strategic advantages of adopting IASTs is that security testing is intertwined with the development and QA phases. This contributes to faster release cycles with fewer security bugs.
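The following Python program is an added illustration, written for this article and not part of Hdiv's product, of the mechanism behind benefits 1, 3 and 4 above: a miniature taint-tracking "agent" that marks request data as untrusted, follows it through string concatenation, and reports a finding with file, line and function the moment that data reaches a SQL sink as query text. A real IAST instruments the application's bytecode at runtime; here the same idea is reduced to a `str` subclass and one instrumented sink, and the handler names, table and request values are constructed for the demo. Note that the report is produced by a perfectly benign request (`user=alice`), with no attack payload anywhere.

```python
# Added illustration (not Hdiv's agent): a miniature taint-tracking IAST.
# Names, the users table and the sample request are constructed for the demo.
import inspect
import sqlite3
from dataclasses import dataclass


class Tainted(str):
    """A string that originated from an untrusted source (an HTTP parameter).
    Taint is propagated through concatenation, the operation the vulnerable
    handler below uses to build its query."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(str(other), self))


@dataclass
class Finding:
    vuln_type: str
    severity: str
    file: str
    line: int
    function: str
    sink: str


FINDINGS = []  # what the agent would report to developers or a CI gate


def http_param(params, name):
    """Taint source: everything read from the request is untrusted."""
    return Tainted(params[name])


def instrumented_execute(conn, sql, params=()):
    """Taint sink: records a finding when the SQL text itself is tainted,
    i.e. untrusted data reached the query structure instead of a bound
    parameter. The query still runs, so normal browsing is not disturbed."""
    if isinstance(sql, Tainted):
        caller = inspect.stack()[1]  # the application frame that built the query
        FINDINGS.append(Finding(
            vuln_type="SQL Injection",
            severity="High",
            file=caller.filename,
            line=caller.lineno,
            function=caller.function,
            sink="sqlite3.Connection.execute",
        ))
    # Hand the driver plain values; taint bookkeeping is the agent's concern.
    plain_params = tuple(str(p) if isinstance(p, Tainted) else p for p in params)
    return conn.execute(str(sql), plain_params)


def lookup_user(conn, request_params):
    """Deliberately vulnerable handler: query built by string concatenation."""
    username = http_param(request_params, "user")
    sql = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return instrumented_execute(conn, sql).fetchall()


def lookup_user_safe(conn, request_params):
    """Hardened handler: untrusted data travels as a bound parameter."""
    username = http_param(request_params, "user")
    sql = "SELECT id, name FROM users WHERE name = ?"
    return instrumented_execute(conn, sql, (username,)).fetchall()


def run_demo():
    """Exercise both handlers with a benign request, as a developer or QA
    tester browsing the application would. Returns the findings produced."""
    FINDINGS.clear()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    benign_request = {"user": "alice"}  # constructed; no attack payload
    assert lookup_user(conn, benign_request) == [(1, "alice")]
    assert lookup_user_safe(conn, benign_request) == [(1, "alice")]
    return list(FINDINGS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.severity} {f.vuln_type} in {f.function}() at "
              f"{f.file}:{f.line} (sink: {f.sink})")
```

Only `lookup_user` produces a finding; `lookup_user_safe` passes the same tainted value as a bound parameter, which the sink does not flag. The finding carries both the dynamic context (the sink that was hit) and the static context (file, line, function), which is the "same language for all teams" point made under benefit 2.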

Why IASTs fit in a modern DevSecOps toolchain

Modern Agile and DevSecOps methodologies bring many benefits to software development teams. At the same time, they impose new requirements on the application security toolchain. We believe that IASTs bridge this gap by providing:

Security toolchain automation: effective automation is a key need in DevOps. IASTs such as Hdiv Detection can add security intelligence to your modern DevSecOps toolchain by, for instance, stopping your CI/CD tool (such as Jenkins) from deploying insecure applications.

Feedback loops: help developers build secure applications as they code. Provide vulnerability intelligence to your developers from every stage of the SDLC, including vulnerabilities found in the QA and production environments. By shifting this vulnerability information left, application security awareness increases throughout the entire organization and creates a culture of continuous improvement.

Bug management integration: use the tools that your developers already love, such as Jira and Asana, to track security bugs. Focus on fixing high-risk security bugs first by integrating your IAST with Orchestron, because accelerated code releases make it next to impossible to fix every vulnerability. Intelligent vulnerability management and prioritization do not have to be a dark art.

Efficient security bug triage: IASTs are known for a very small number of false positives. This removes the time that developers waste chasing reported vulnerabilities that turn out not to be real.
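As an added example of the automation and prioritization points above (written for this article; it is not Hdiv Detection's export format, Orchestron's API or a Jenkins plugin), the Python script below takes a findings report, orders the findings by severity so that the high-risk bugs come first, and returns a non-zero exit code when any finding at or above the policy threshold is not on an accepted-risk list. The JSON layout, the finding ids and the `fail_at`/`accepted_risk` policy knobs are all constructed for the demo. Wired into a pipeline stage (`python gate.py report.json || exit 1`), a non-zero exit is what stops the CI/CD tool from deploying.

```python
# Added illustration of a CI/CD security gate fed by IAST findings.
# Report format, finding ids and policy knobs are constructed for this demo.
import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample of what an agent might export after a QA run.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "type": "SQL Injection", "severity": "High",
         "file": "src/users/repo.py", "line": 42, "url": "/users", "param": "user"},
        {"id": "F-2", "type": "Cross-Site Scripting", "severity": "Medium",
         "file": "src/views/profile.py", "line": 17, "url": "/profile", "param": "bio"},
        {"id": "F-3", "type": "Verbose error page", "severity": "Low",
         "file": "src/app.py", "line": 88, "url": "/", "param": None},
        {"id": "F-4", "type": "Vulnerable dependency", "severity": "High",
         "file": "lib/old-parser.jar", "line": 0, "url": "/import", "param": "payload"},
    ]
})


@dataclass
class Decision:
    exit_code: int
    blocking: list = field(default_factory=list)
    report_lines: list = field(default_factory=list)


def load_findings(report_json):
    return json.loads(report_json)["findings"]


def prioritize(findings):
    """Highest severity first, then file and line, so the worklist is stable."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"].lower()],
                                           f["file"], f["line"]))


def describe(f):
    """Static (file:line) plus dynamic (URL, parameter) context in one line."""
    where = f"{f['file']}:{f['line']} ({f['url']}"
    where += f", param={f['param']})" if f.get("param") else ")"
    return f"{f['severity']:<8} {f['type']} at {where}"


def evaluate(findings, fail_at="high", accepted_risk=frozenset()):
    """Block the build on any finding at or above `fail_at` that has not been
    explicitly accepted; everything else is reported but does not block."""
    threshold = SEVERITY_RANK[fail_at.lower()]
    decision = Decision(exit_code=0)
    for f in prioritize(findings):
        if f["id"] in accepted_risk:
            decision.report_lines.append("ACCEPTED " + describe(f))
        elif SEVERITY_RANK[f["severity"].lower()] >= threshold:
            decision.blocking.append(f)
            decision.report_lines.append("BLOCK    " + describe(f))
        else:
            decision.report_lines.append("WARN     " + describe(f))
    if decision.blocking:
        decision.exit_code = 1
    return decision


def main(argv):
    # argv[1]: report file (defaults to the constructed sample);
    # argv[2:]: finding ids whose risk has been formally accepted.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    decision = evaluate(load_findings(report), fail_at="high",
                        accepted_risk=frozenset(argv[2:]))
    print("\n".join(decision.report_lines))
    print(f"{len(decision.blocking)} blocking finding(s); exit {decision.exit_code}")
    return decision.exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the accepted-risk list explicit (ids passed on the command line or kept in version control) is what makes the gate usable at DevOps speed: a known finding that is tracked in the bug tracker does not block every subsequent release, but anything new at high severity does.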

The Hdiv + we45 recipe to a modern DevSecOps toolchain

As an application security vendor, we at Hdiv advise countless teams on adopting DevSecOps best practices. Over the years, we have distilled our key advice into the following shortlist of four basic recommendations for building a modern DevSecOps practice:

  • First of all, write application security requirements according to the OWASP ASVS guidelines, to push security left
  • Then, leverage detection tools such as the Hdiv Detection IAST throughout the SDLC, to fix security bugs early in the development cycle
  • Also, conduct software architecture review sessions with application security subject matter experts, such as the we45 threat modeling services team
  • Lastly, perform penetration testing with experienced teams such as we45, to find and correct design flaws

We thank we45 for this opportunity to contribute to The Fortitude, and we look forward to working together hand in hand in many application security projects.

About the Author:

Roberto Velasco is the CEO of Hdiv Security, a VC-backed application security company offering a vulnerability detection product based on IAST technology, and a protection product based on RASP technology that prevents the exploitation of security bugs, design flaws and business logic flaws. Hdiv Detection IAST is fully compatible with we45 Orchestron. Hdiv Security and we45 have been official partners since early 2018.