Latest Insights From CyberLabs

Put Your AppSec Program in the Fast Lanes with the New NIST Standards for Security Testing.


DevOps is fast. Security is slow. That is about to change for enterprises willing to adopt the new standards outlined by NIST for developer security testing. Enterprises that want to modernize their AppSec program can use these recommendations to raise the bar of their security testing program. Key NIST recommendations for developer software verification testing include:

  • Threat modeling to look for design-level security issues
  • Automated testing for consistency and to minimize human effort
  • Static code scanning to look for top bugs
  • Heuristic tools to look for possible hardcoded secrets
  • Use of built-in checks and protections
  • “Black box” test cases
  • Code-based structural test cases
  • Historical test cases
  • Fuzzing (a software testing technique that inputs massive amounts of random data to the test subject to make it crash)
  • Web app scanners, if applicable
  • Check included software components.
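The "heuristic tools to look for possible hardcoded secrets" item above is the one recommendation on the list that is easy to show end to end. The following is an added example, not code from the post or from NIST: a small scanner that combines the three heuristics such tools typically use (known credential formats, sensitive-looking variable names assigned a string literal, and high-entropy literals), run over a constructed source snippet. All sample values are fake; the only real-looking one is AWS's own documented example key id, and the entropy threshold and placeholder list are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed sample source (not from the page). Every "secret" below is a fake
# value invented for the demo; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = os.environ.get("DB_PASSWORD")
api_token = "tok_9f3a7c1e2b8d4e6f0a1b2c3d4e5f6a7b"
LOG_LEVEL = "DEBUG"
secret = "hunter2"
signing_material = "Qm3xT7vLp9ZkRs2WnJ4cHy8GfBd6VaEu1MoXiK0S"
DEFAULT_PASSWORD = "changeme"
"""

# Heuristic 1: credentials with a fixed, recognisable format.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Heuristic 2: a sensitive-looking variable name assigned a string literal
# (reading the value from the environment, as on line 3, does not match).
SECRET_NAME = re.compile(r"(passw(or)?d|pwd|secret|token|api[_-]?key|access[_-]?key)", re.I)
LITERAL_ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]+\s*["']([^"']*)["']""")
PLACEHOLDERS = {"", "changeme", "todo", "xxx", "placeholder", "example"}  # assumed allowlist
# Heuristic 3: any long literal whose character distribution looks random.
ENTROPY_MIN_LEN = 24        # assumed thresholds; tune to the code base's false-positive rate
ENTROPY_THRESHOLD = 4.0     # bits per character


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return (line_number, reason, name) findings for each heuristic that fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append((lineno, "known-format", name))
        m = LITERAL_ASSIGNMENT.match(line)
        if not m:
            continue
        var, literal = m.groups()
        if literal.lower() in PLACEHOLDERS:
            continue  # obvious placeholders would otherwise drown the report in noise
        if SECRET_NAME.search(var):
            findings.append((lineno, "sensitive-name", var))
        if len(literal) >= ENTROPY_MIN_LEN and shannon_entropy(literal) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high-entropy", var))
    return findings


def flagged_lines(text):
    """Sorted, de-duplicated line numbers that need a human look."""
    return sorted({lineno for lineno, _, _ in scan_source(text)})


if __name__ == "__main__":
    for lineno, reason, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason} ({name})")
```

Run against the constructed sample, lines 2, 4, 6 and 7 are reported and lines 1, 3, 5 and 8 are not; the keyword heuristic is what catches the low-entropy `hunter2`, while the entropy heuristic is what catches a random-looking value whose variable name gives nothing away. Findings from a tool like this are leads for review, not proof, so the thresholds belong in version control next to the code they are tuned for.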

Threat modelling is fast becoming a table-stakes requirement for building secure applications. Do you need to threat model every element of your system? Understand your thresholds for acceptable risk, then focus on and prioritize the critical risks.

The vast majority of software built today uses open-source components. But open-source packages can have serious vulnerabilities that have not been patched. A Software Composition Analysis (SCA) tool can help in identifying open-source libraries, underlying components, and their dependencies. It can identify the high-priority vulnerabilities residing in the open-source libraries that need to be remediated.
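To make the SCA workflow concrete, here is an added example (not from the post and not any vendor's product) of the core matching step: pinned packages from a lockfile are resolved against an advisory feed, each hit is attributed to the top-level dependency that pulled it in, and the result is ordered by severity. The package names, dependency graph, advisory ids and version ranges are all constructed for the demo; real SCA tools additionally handle ecosystem-specific version semantics, which the plain dotted-number comparison here does not.

```python
from collections import deque

# Constructed lockfile of pinned packages (fake "acme-*" names, not real projects).
LOCKFILE = """\
# generated lockfile (constructed sample)
acme-web==2.1.0
acme-templating==1.4.2
acme-yaml==0.9.3
acme-markup==3.0.1
"""

# Constructed dependency graph: which packages each installed package pulls in.
REQUIRES = {
    "acme-web": ["acme-templating", "acme-yaml"],
    "acme-templating": ["acme-markup"],
}

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
# Affected range is [introduced, fixed); fixed=None means no patched release exists.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "acme-yaml", "introduced": "0.0.0", "fixed": "1.0.0", "severity": "critical"},
    {"id": "EXAMPLE-ADV-002", "package": "acme-templating", "introduced": "1.4.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-ADV-003", "package": "acme-markup", "introduced": "0.0.0", "fixed": "2.0.0", "severity": "medium"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    # Assumption: plain dotted numeric versions (1.4.2); pre-releases and epochs are not handled.
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or version >= introduced with no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def parse_lockfile(text):
    """Map package name -> pinned version, ignoring blanks and comments."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==")
        installed[name.strip()] = version.strip()
    return installed


def dependency_paths(installed, requires):
    """Shortest path from a top-level package to every installed package (BFS)."""
    required_by_someone = {dep for deps in requires.values() for dep in deps}
    roots = [p for p in installed if p not in required_by_someone]
    paths = {r: [r] for r in roots}
    queue = deque(roots)
    while queue:
        pkg = queue.popleft()
        for dep in requires.get(pkg, ()):
            if dep in installed and dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def find_vulnerable(lockfile_text, advisories, requires):
    """Advisories matching installed versions, most severe first, each with its dependency path."""
    installed = parse_lockfile(lockfile_text)
    paths = dependency_paths(installed, requires)
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None or not is_affected(version, adv["introduced"], adv["fixed"]):
            continue
        findings.append({
            "package": adv["package"], "version": version, "advisory": adv["id"],
            "severity": adv["severity"], "fixed": adv["fixed"],
            "path": paths.get(adv["package"], [adv["package"]]),
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE, ADVISORIES, REQUIRES):
        print(f"{f['severity']:8} {f['package']}=={f['version']}  {f['advisory']}  "
              f"fix: {f['fixed']}  via {' > '.join(f['path'])}")
```

On the constructed input the critical finding in `acme-yaml` is listed before the high one in `acme-templating`, `acme-markup` is skipped because its pinned version is past the fixed release, and each finding carries the path from the direct dependency, which is what tells a developer which of their own requirements to bump.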

While Open-Source rules, beware of the vulnerabilities hiding in plain sight.

Modern programming languages have built-in protection mechanisms that preclude certain vulnerabilities, warn about poorly written or insecure code, or protect programs during execution. Flags and options are available to activate these protections. Developers must be encouraged to use these checks and protections as much as possible.
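Because these protections only exist if the flags that enable them actually reach the build, one practical check is a CI gate that audits the build configuration. The following is an added example, not code from the post: it reads the CFLAGS/LDFLAGS assignments from a Makefile fragment and compares them against a baseline of GCC/Clang hardening options (stack protector, FORTIFY_SOURCE, PIE, full RELRO and warning flags). The baseline itself is an assumed policy, the three Makefile fragments are constructed, and the parser only understands plain `:=`, `=` and `+=` lines, not `$(VAR)` expansion. It also covers the one caveat that trips people up in practice: `_FORTIFY_SOURCE` does nothing unless the code is compiled with optimization, so a debug build that keeps the define but drops to `-O0` is flagged.

```python
import re

# Three constructed Makefile fragments (not from the page): a weak build, a
# hardened build, and a debug build that keeps -D_FORTIFY_SOURCE=2 but compiles
# at -O0, which silently disables the fortified checks.
WEAK = """\
CC := gcc
CFLAGS := -O2 -Wall
LDFLAGS :=
"""
HARDENED = """\
CC := gcc
CFLAGS := -O2 -Wall -Wextra -Wformat=2
CFLAGS += -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE
LDFLAGS := -pie -Wl,-z,relro,-z,now
"""
DEBUG = """\
CFLAGS := -O0 -g -Wall -Wextra -Wformat=2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE
LDFLAGS := -pie -Wl,-z,relro -Wl,-z,now
"""

# Assumed hardening baseline (GCC/Clang options); adjust to the project's policy.
REQUIRED_CFLAGS = ["-Wall", "-Wextra", "-Wformat=2",
                   "-fstack-protector-strong", "-D_FORTIFY_SOURCE=2", "-fPIE"]
REQUIRED_LDFLAGS = ["-pie", "-z,relro", "-z,now"]
FORTIFY_NOTE = "_FORTIFY_SOURCE has no effect without -O1 or higher"

VAR_LINE = re.compile(r"^\s*(CFLAGS|LDFLAGS)\s*(:=|\+=|=)\s*(.*?)\s*$")


def collect_flags(makefile_text):
    """Gather the final token list of CFLAGS and LDFLAGS, honouring := / = and +=."""
    flags = {"CFLAGS": [], "LDFLAGS": []}
    for line in makefile_text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            continue
        var, op, value = m.groups()
        tokens = value.split()
        if op == "+=":
            flags[var].extend(tokens)
        else:
            flags[var] = tokens
    return flags


def linker_options(ldflags):
    """Normalise so -Wl,-z,relro,-z,now / -Wl,-z,relro -Wl,-z,now / -z relro compare equal."""
    parts = []
    for tok in ldflags:
        if tok.startswith("-Wl,"):
            parts.extend(tok[4:].split(","))
        else:
            parts.append(tok)
    opts = set()
    i = 0
    while i < len(parts):
        if parts[i] == "-z" and i + 1 < len(parts):
            opts.add("-z," + parts[i + 1])
            i += 2
        else:
            opts.add(parts[i])
            i += 1
    return opts


def audit_build_flags(makefile_text):
    """Return a list of findings; an empty list means the baseline is met."""
    flags = collect_flags(makefile_text)
    cflags = flags["CFLAGS"]
    findings = [f"CFLAGS missing {f}" for f in REQUIRED_CFLAGS if f not in cflags]
    ld = linker_options(flags["LDFLAGS"])
    findings += [f"LDFLAGS missing {f}" for f in REQUIRED_LDFLAGS if f not in ld]
    # The last -O option on the command line wins, so look at the final one only.
    opt = [t for t in cflags if t.startswith("-O")]
    if "-D_FORTIFY_SOURCE=2" in cflags and (not opt or opt[-1] == "-O0"):
        findings.append(FORTIFY_NOTE)
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED), ("DEBUG", DEBUG)):
        print(name, audit_build_flags(text) or "OK")
```

The weak fragment produces eight findings, the hardened one none, and the debug one only the FORTIFY caveat. A check like this belongs in the pipeline rather than in a wiki page, because the flags tend to disappear quietly when someone copies a build target.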

Security Essentials Toolkit

Here is a summary of some of the established tools that are widely used in the industry for security testing:

Fuzzing Tools: American Fuzzy Lop (AFL), Radamsa, Honggfuzz, libFuzzer, Peach Tech Peach Fuzzer
Web Application Scanners: Acunetix, AppScan, Zed Attack Proxy (ZAP), Grabber, Vega, W3af
SAST/DAST Tools: Veracode, Checkmarx, SonarQube, Fortify, AppScan, Rapid7
SCA Tools: Black Duck, OWASP Dependency-Check, WhiteHat Sentinel, JFrog Xray
Threat Modelling Tools: Microsoft Threat Modeling Tool, OWASP Threat Dragon

Track Vulnerability Databases

The security community regularly updates lists of the most common vulnerabilities detected, which can be used to track and remediate critical vulnerabilities. The curated popular lists include:

a) Common Weakness Enumeration (CWE) database
b) OWASP Top 10 for Web, OWASP Mobile Top 10 & OWASP API Security Top 10
c) CWE/SANS Top 25 Most Dangerous Software Errors

Last but not least, build a common baseline of security knowledge in the organization with developer-centric security training. This will go a long way toward shifting security left and reducing friction between development and overworked security teams.
