Tuesday, November 19, 2013

Why Combine Static Code Analysis with Manual Pen Testing?

As company culture becomes more security focused, the company eventually decides to perform a penetration test against its application assets. As a consultant, I'm often asked to provide a cost breakdown for the "big rocks" in the process. Companies today are thinking quite narrowly--they want a penetration test when the real goal is to assess their application. My challenge has been to demonstrate the value of the full application assessment and help companies get beyond the pen test requirement.

What's an app assessment? Well, it's a mix of white- and black-box activities which result in fact-based risk decision making. There are generally five components to an application assessment:
1. Application review: what are the goals and business needs for the application, what kinds of data does it store, and what technologies is it built on?
2. OWASP ASVS: this tool captures key security decisions implemented in the application. It's an exhaustive form (level 3, which is usually applicable to healthcare and other sensitive applications, contains over 150 validation points).
3. Static code analysis: automated review of application source code. At Caliber, we are big fans of our partners at Checkmarx SCA. I'll blog on "2nd gen" SCA tools sometime. The key here is that SCA can generally find more vulnerabilities in certain categories faster than I can manually. For instance, XSS or SQLi vulnerabilities. These generally need to be tested one control at a time, often with multiple permutations of input text. Manually, or even with dynamic application analysis, this can take days. Automated tools accomplish it in minutes or hours.
4. Manual penetration test: this is the traditional pen test activity everyone thinks about. With SCA involved earlier, I can spot check validity of results, and focus my efforts on topics like session management, authentication and business logic.
5. Analysis: data from each phase is assembled into a report, from which it can be assessed and prioritized.
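To make item 3 concrete, here is a toy taint-tracking analyzer written for this post (not Checkmarx or any other product's code). It parses Python source, marks variables fed from `request.args`/`request.form` as tainted, and flags every `execute()` or `render_template_string()` sink that receives tainted data, all in one pass over the code. The sample handlers, the sink list, and the `escape`/`int` sanitizer list are constructed assumptions for the demo.

```python
import ast

SOURCES = {"args", "form", "cookies", "headers"}   # request.<attr> is attacker-controlled
SINKS = {"execute": "SQL injection", "render_template_string": "XSS"}
SANITIZERS = {"escape", "int"}                     # assumed to break the taint chain

def _callee(call):
    """Name of the function being called: f(...) -> 'f', obj.m(...) -> 'm'."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)

def _names(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def _is_source(node):
    return any(isinstance(n, ast.Attribute) and n.attr in SOURCES
               and isinstance(n.value, ast.Name) and n.value.id == "request"
               for n in ast.walk(node))

def find_injections(source):
    """Return [(line, kind, function)] for every sink fed by request data.
    Every sink in the file is checked in one pass; a manual tester must
    probe each control separately with many input permutations."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        nodes = sorted((n for n in ast.walk(fn) if hasattr(n, "lineno")),
                       key=lambda n: (n.lineno, n.col_offset))  # source order
        for node in nodes:
            if isinstance(node, ast.Assign):
                targets = {t.id for t in node.targets if isinstance(t, ast.Name)}
                v = node.value
                if isinstance(v, ast.Call) and _callee(v) in SANITIZERS:
                    tainted -= targets               # sanitized value is treated as clean
                elif _is_source(v) or _names(v) & tainted:
                    tainted |= targets               # taint propagates through assignment
            elif isinstance(node, ast.Call) and _callee(node) in SINKS and node.args:
                arg0 = node.args[0]                  # query/template text; bound params are safe
                if _is_source(arg0) or _names(arg0) & tainted:
                    findings.append((node.lineno, SINKS[_callee(node)], fn.name))
    return findings

SAMPLE = '''
def show_user(request, cursor):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)
    name = escape(request.args.get("name"))
    return render_template_string("<h1>Hi " + name + "</h1>")

def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = ?", (uid,))
    return render_template_string("<h1>Hi " + request.form["name"] + "</h1>")
'''

if __name__ == "__main__":
    for line, kind, fn in find_injections(SAMPLE):
        print(f"line {line}: {kind} in {fn}()")
```

The two findings (string-built SQL in `show_user`, unescaped form data in `lookup`) are exactly the kind of list a pen tester then spot-checks in step 4, while the parameterised query and the escaped name are correctly left alone.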

Just pen testing alone *does* mimic what an attacker will do, with one significant difference: a paid pen test functions under time constraints. A determined attacker will take days or even weeks to profile and attack an application. This is one of the reasons why performing all 5 steps in an app assessment is beneficial: white-box assessments get to the same vulnerabilities, more quickly.

When it's time to secure your web and mobile apps, don't just request a pen test. Go for the full assessment--sure, it might cost a bit more, but you and I will both sleep better knowing you are more secure!