We’re excited to bring Transform 2022 back to life on July 19th and virtually July 20-28. Join AI and data leaders for sensible conversations and exciting networking opportunities. Register today!
Modern applications are increasingly large and complex and so attention should be paid to increasingly modern tools to keep them safe.
Developers and security experts have relied on two main categories of tools to protect their applications and data from intruders. The first is Static Application Security Testing (SAST) and the second is Software Composition Analysis (SCA). These two types of tools have different goals – SAST for in-house developed code testing and SCA for managing imported open-source components. Ideally, application developers would use both to cover both of these areas for potential security vulnerabilities, but as we will see, it was much easier than it was until recently.
SAST is a well-established security approach, with dozens of tools to choose from. It scans the application source code or byte code for known software vulnerabilities – vulnerabilities that may allow an attacker to gain access. These tools automatically cover all possible paths and events that may contain the application and detect bugs that the developers may not have known about, along with what they were looking for.
However, SAST tools have some downsides. They have a reputation for being slow, producing false positives and being rude to use. Ultimately, their creators will have to compromise between how long it takes to run a test, how thorough the test is, and the number of false positives that are considered acceptable. Of course, none of these compromises are desirable, but historically, app developers have had to choose at least one.
Dependence also needs attention
Where SCA comes from helps reduce the risks that are outside the developer’s source code. Recent Log4Shell vulnerabilities have brought to the fore the potential impact of attacks against third-party and open-source software packages that are used as an underlying building block under proprietary applications.
Hundreds of modern software applications rely on open source packages, which are described as dependencies. This dependence then relies on other open-source packages that developers may not even be aware of, called transitive dependency. Open source packages are available to cover thousands of operations and functions otherwise developers will need to code for themselves: and there is no point in rediscovering the wheel. Thus, it should come as no surprise that 98% of applications have open-source software, and over 75% of the code in a given application will be open source.
Unfortunately, the rigor and extent to which open-source packages are tested for security vulnerabilities can be very variable, especially with many packages that are no longer actively maintained. Many packages have multiple variants and older versions remain in active circulation.
SCA Testing specializes in this domain, scans applications for their dependencies and infected dependencies, and correlates these vulnerabilities with databases to understand where risks and security vulnerabilities are inherited from code taken from outside the organization. Ideally, it will identify the type and severity of vulnerabilities found and advise on improvements and solutions. The SCA also helps organizations cover their legal risks by identifying the licenses contained with the packages and any liabilities or obligations that may arise.
Both SAST and SCA have a really important role to play in the software development life cycle. Combining the two, developers can get a holistic view of the security of their application: SAST to test your source code to detect security vulnerabilities; And SCA as an application security mechanism for the management of open-source components.
Unfortunately, however, many SCA tools, such as SAST tools, have a reputation for being difficult to integrate and for creating a large number of false positives. Perhaps, as a result, adoption remains low, with only 38% of organizations reporting the use of open-source security controls. And so combining the two approaches has received very little favor in the development community. While their shortcomings can be annoying to themselves, doubling the time required for testing and excluding double results for false positive results has generated a bit of hunger. But modern development has seen the arrival of new tools that overcome these objections and improve both safety and speed.
What to look out for in SAST and SCA
In modern software development pipelines, which fully accept CI / CD and devops, waiting a day for tests to be completed and then fixing a number of shortcomings is not the only option. Development teams can make hundreds of changes every day. To manage this, they need to be able to manually check the security as code, powered by tools which means they don’t have to learn to specialize in a sudden, specific domain.
SAST and SCA tools need to be, first and foremost, developer-friendly, adapting to the workflow and tools used by developers, rather than pushing for new tools to turn anything around. DevSecOps workflow means developers try their best to make sure the code is secure as it is being written, not as a separate, next step that creates delays and sees the code constantly passing back and forth between development and security teams. .
Second, in today’s software environment, two sets of tools, while serving different purposes, are similar to empowering developers to take the lead in application security, as code is created and edited. Therefore, to reduce the number of steps, to reduce the learning curve and the required complexity, there is a significant advantage in integrating the two tools in some way, running them together or in the facility within the same tool.
Finally, the testing software needs to be cloud-based and code optimized so that it does not delay for the developer. The fast-paced, continuous nature of the modern software development world requires tools that work at the same pace. Transactions and tools that were historically common, while software releases were coming at a more gradual pace, are thankfully disappearing and both quality and selection are now available because this is the reward. However, security cannot be compromised as a result, and so it is imperative to choose the right tools for the purpose in today’s situation.
Daniel Berman is the product marketing director at Snyk.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including tech people working on data, can share data-related insights and innovations.
If you would like to read about the latest ideas and latest information, best practices and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing to your own article!
Read more from DataDecisionMakers