Put Your AppSec Program in the Fast Lanes with the New NIST Standards for Security Testing.
DevOps is fast. Security is slow. That is about to change for enterprises willing to adopt the new standards outlined by NIST for developer security testing. Enterprises that are looking to modernize their AppSec program can use these recommendations to raise the bar for their security testing program. Key NIST recommendations for developer software verification testing include:
- Threat modeling to look for design-level security issues
- Automated testing for consistency and to minimize human effort
- Static code scanning to look for top bugs
- Heuristic tools to look for possible hardcoded secrets
- Use of built-in checks and protections
- “Black box” test cases
- Code-based structural test cases
- Historical test cases
- Fuzzing (a software testing technique that feeds large volumes of malformed or random input to the test subject to find crashes and other unexpected behaviour)
- Web app scanners, if applicable
- Checking included software components
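The fuzzing item above is easier to grasp with a concrete run. The block below is an added example, not code from the original article or from NIST: a mutation fuzzer pointed at a small record parser that is constructed for this example and carries a deliberate missing bounds check. The record format, the seed input and the function names (parse_records, mutate, crash_type, fuzz, minimize) are all assumptions made here.

```python
"""Added example: a minimal mutation fuzzer.  The parser it targets is
constructed for this example and contains a deliberate missing bounds
check; nothing here comes from a real project."""
import random
from functools import reduce


def xor_checksum(payload: bytes) -> int:
    return reduce(lambda a, b: a ^ b, payload, 0)


def parse_records(data: bytes) -> list[bytes]:
    """Constructed target format: b'RX', a count byte, then `count` records,
    each (length byte, payload, xor-checksum byte).  Malformed input is meant
    to be rejected with ValueError; any other exception is a bug."""
    if len(data) < 3 or data[:2] != b"RX":
        raise ValueError("bad magic")            # handled rejection
    count, pos, records = data[2], 3, []
    for _ in range(count):
        length = data[pos]                       # deliberate bug: no check that pos < len(data)
        payload = data[pos + 1:pos + 1 + length]
        checksum = data[pos + 1 + length]        # deliberate bug: reads past the end of truncated input
        if checksum != xor_checksum(payload):
            raise ValueError("bad checksum")     # handled rejection
        records.append(payload)
        pos += 2 + length
    return records


# Constructed seed: two valid records, "abc" (checksum 0x60) and "de" (checksum 0x01).
SEED = b"RX\x02\x03abc\x60\x02de\x01"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, truncation or insertion."""
    buf = bytearray(data)
    op = rng.choice(("flip", "set", "truncate", "insert"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "set" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def crash_type(target, case: bytes):
    """Run one input.  Return the exception class name for an unhandled
    exception, or None for accepted input or an expected ValueError rejection."""
    try:
        target(case)
    except ValueError:
        return None
    except Exception as exc:  # a fuzzer wants every unexpected exception type
        return type(exc).__name__
    return None


def fuzz(target, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> dict[str, bytes]:
    """Mutate `seed` repeatedly; return the first input seen for each crash type.
    A fixed rng_seed keeps the run reproducible."""
    rng = random.Random(rng_seed)
    crashes: dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        kind = crash_type(target, case)
        if kind and kind not in crashes:
            crashes[kind] = case
    return crashes


def minimize(target, case: bytes, kind: str) -> bytes:
    """Greedy test-case reduction: drop bytes while the same crash type persists."""
    i = 0
    while i < len(case):
        shorter = case[:i] + case[i + 1:]
        if crash_type(target, shorter) == kind:
            case = shorter          # this byte did not matter for the crash; keep it removed
        else:
            i += 1
    return case


if __name__ == "__main__":
    found = fuzz(parse_records, SEED)
    for kind, case in found.items():
        print(f"{kind}: {minimize(parse_records, case, kind)!r}")
```

The design point to notice is the split inside crash_type: a ValueError is the parser rejecting bad input as designed, so it is ignored, while any other exception is recorded as a crash. minimize then strips bytes that do not change the outcome, which is the same test-case reduction step real fuzzers perform before a crash is handed to a developer for triage.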
Threat modelling is fast becoming a table-stakes requirement for building secure applications. Do you need to threat model every element of your system? Understand your threshold for acceptable risk, then focus on and prioritize the critical risks.
The vast majority of software built today uses open-source components. But open-source packages can have serious vulnerabilities that have not been patched. A Software Composition Analysis (SCA) tool can help in identifying open-source libraries, their underlying components, and their dependencies. It can identify the high-priority vulnerabilities residing in those open-source libraries that need to be remediated.
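To make the SCA step concrete, here is an added example, not code from the original article or from any vendor tool, of what such a tool does at its core: it reads the pinned direct dependencies, walks the lock data to find every transitive component, and matches each installed component against an advisory list. The manifest, lock data, package names, versions and ADV-EXAMPLE advisories are constructed for illustration, as are the function names.

```python
"""Added example: a minimal software-composition-analysis (SCA) pass.  All
package names, versions, lock data and advisories are constructed for
illustration; they are not real projects or real CVEs."""
from collections import deque
from dataclasses import dataclass

MANIFEST = """\
# constructed manifest of direct dependencies (name==version)
webframework==2.3.1
imgtool==1.4.0
"""

# Constructed lock data: each installed package, its pinned version, and the
# packages it pulls in transitively.
LOCK = {
    "webframework": ("2.3.1", ["templater", "httpcore"]),
    "imgtool":      ("1.4.0", ["compresslib"]),
    "templater":    ("3.0.2", []),
    "httpcore":     ("0.9.5", ["compresslib"]),
    "compresslib":  ("1.0.8", []),
}

# Constructed advisories: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "compresslib",  "introduced": "1.0.0", "fixed": "1.0.10", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "templater",    "introduced": "3.0.0", "fixed": "3.0.2",  "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "package": "webframework", "introduced": "2.0.0", "fixed": "2.4.0",  "severity": "medium"},
    {"id": "ADV-EXAMPLE-0004", "package": "httpcore",     "introduced": "1.0.0", "fixed": "1.1.0",  "severity": "high"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    path: list[str]   # dependency chain from a direct dependency down to the package


def parse_version(v: str) -> tuple[int, ...]:
    """Compare numerically: as strings "1.0.8" > "1.0.10", which would hide a finding."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict[str, str]:
    """Read name==version lines; comments and blank lines are skipped, unpinned lines rejected."""
    direct: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned requirement: {line!r}")
        direct[name.strip().lower()] = version.strip()
    return direct


def resolve_transitive(direct: dict[str, str], lock: dict) -> dict[str, tuple[str, list[str]]]:
    """Breadth-first walk from the direct deps; returns {package: (version, path)}."""
    installed: dict[str, tuple[str, list[str]]] = {}
    queue = deque((name, [name]) for name in direct)
    while queue:
        name, path = queue.popleft()
        if name in installed:
            continue                      # already reached by a shorter path
        if name not in lock:
            raise ValueError(f"{name} is not in the lock file")
        version, requires = lock[name]
        if name in direct and direct[name] != version:
            raise ValueError(f"{name}: manifest pins {direct[name]} but lock has {version}")
        installed[name] = (version, path)
        queue.extend((dep, path + [dep]) for dep in requires)
    return installed


def find_vulnerable(installed: dict, advisories: list[dict]) -> list[Finding]:
    """Match every installed component against the advisories, most severe first."""
    findings = []
    for adv in advisories:
        if adv["package"] not in installed:
            continue
        version, path = installed[adv["package"]]
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append(Finding(adv["package"], version, adv["id"], adv["severity"], path))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.package))


if __name__ == "__main__":
    components = resolve_transitive(parse_manifest(MANIFEST), LOCK)
    for f in find_vulnerable(components, ADVISORIES):
        print(f"{f.severity:8} {f.package}=={f.version}  {f.advisory}  via {' > '.join(f.path)}")
```

Two details matter in practice: versions are compared numerically, because a string comparison ranks 1.0.8 above 1.0.10 and would silently drop the critical finding, and each finding carries the dependency path, which is what a developer needs when the vulnerable component is one they never imported directly.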
Modern programming languages have built-in protection mechanisms that preclude certain vulnerabilities, warn about poorly written or insecure code, or protect programs during execution. Compiler and runtime flags and options are available to activate these protections. Developers must be encouraged to use these checks and protections as much as possible.
Security Essentials Toolkit
Here is a summary of some of the established tools that are widely used in the industry for security testing:
| Category | Tools |
| --- | --- |
| Fuzzing tools | American Fuzzy Lop (AFL), Radamsa, Honggfuzz, libFuzzer, Peach Fuzzer (PeachTech) |
| Web application scanners | Acunetix, AppScan, Zed Attack Proxy (ZAP), Grabber, Vega, w3af |
| SAST/DAST tools | Veracode, Checkmarx, SonarQube, Fortify, AppScan, Rapid7 |
| SCA tools | Black Duck, OWASP Dependency-Check, WhiteHat Sentinel, JFrog Xray |
| Threat modelling tools | Microsoft Threat Modeling Tool, OWASP Threat Dragon |
Track Vulnerability Databases
The security community regularly updates lists of the most common vulnerabilities detected, which can be used to track and remediate critical vulnerabilities. The curated popular lists include:
- OWASP Top 10 for Web, OWASP Mobile Top 10 and OWASP API Security Top 10
- SANS/CWE Top 25 Most Dangerous Software Errors
Last but not least, build a common baseline of security knowledge in the organization with developer-centric security training. This will go a long way toward shifting security left and reducing friction between development and overworked security teams.