Development security — SAST vs DAST vs IAST

Tony Fu
6 min read · Mar 21, 2024

When it comes to development security, we often hear about SAST vs DAST. These tools help us with code review and find vulnerabilities at an early stage. In terms of cost-effectiveness, allocating developer resources to fix vulnerabilities early is significantly more efficient. So what are the differences, and where do they sit in the development process?

SAST — Static application security testing

1. SAST stands for Static Application Security Testing and covers source code analysis tools such as Bandit, Semgrep and PyCharm Security¹. These open source tools are mostly oriented towards Python code bases. SAST focuses on analysing the source code and reviewing it for misconfigurations and attacker-controllable parameters.

Differences: white-box, source code analysis.

One use case of SAST is Semgrep. Getting started with Semgrep enables users to begin exploring its capabilities and benefits².

i) Install Semgrep

# Install semgrep
python3 -m pip install semgrep

# semgrep version check
semgrep --version
1.64.0

# Sign up or log in to Semgrep Cloud Platform (SCP)
semgrep login

# Help manual
semgrep --help
Usage: semgrep [OPTIONS] COMMAND [ARGS]...

To get started quickly, run `semgrep scan --config auto`

Run `semgrep SUBCOMMAND --help` for more information on each subcommand

If no subcommand is passed, will run `scan` subcommand by default

Options:
-h, --help Show this message and exit.

Commands:
ci The recommended way to run semgrep in CI
install-semgrep-pro Install the Semgrep Pro Engine
login Obtain and save credentials for semgrep.dev
logout Remove locally stored credentials to semgrep.dev
lsp Start the Semgrep LSP server (useful for IDEs)
publish Upload rule to semgrep.dev
scan Run semgrep rules on files
show Show various information about Semgrep

ii) Scan the project: change into the target folder and run “semgrep ci” to start the static code scan.

iii) After the scan completes, a success screen shows two links to the Semgrep Cloud Platform where the scan report can be reviewed.

┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
Scan was limited to files tracked by git.
Partially scanned: 44 files only partially analyzed due to parsing or internal Semgrep errors
Scan skipped: 71 files matching --exclude patterns, 1 files larger than 1.0 MB
For a full list of skipped files, run semgrep with the --verbose flag.

CI scan completed successfully.
Found 1673 findings (0 blocking) from 32713 rules.
Uploading scan results
Finalizing scan
View results in Semgrep Cloud Platform:
https://semgrep.dev/orgs/tony-fu-personal-org/findings?repo=local_scan/Git&ref=main
https://semgrep.dev/orgs/tony-fu-personal-org/supply-chain
No blocking findings so exiting with code 0

Please note that the correct command to export the results of the currently scanned folder as JSON is ‘semgrep --config auto --output scan_results.json --json’. Moreover, Semgrep offers a GUI dashboard for vulnerability management, which makes navigation and oversight easier.
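As an added example (not from the original post or the Semgrep project), here is a small Python triage script for the scan_results.json exported by the command above: it reads Semgrep's JSON output (results[] entries with check_id, path, start.line and extra.severity), counts findings per severity and applies a local gating policy that treats ERROR findings as blocking. The report content and rule ids are constructed for illustration, and the gating policy is an assumption, not Semgrep's own policy engine.

```python
import json
from collections import Counter

# Constructed sample report in Semgrep's JSON output shape: results[] with
# check_id, path, start.line and extra.severity / extra.message.
SAMPLE_REPORT = json.dumps({"results": [
    {"check_id": "example.subprocess-shell-true",
     "path": "app/run.py", "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "subprocess called with shell=True"}},
    {"check_id": "example.unsafe-yaml-load",
     "path": "app/config.py", "start": {"line": 30},
     "extra": {"severity": "WARNING", "message": "yaml.load without SafeLoader"}},
    {"check_id": "example.open-never-closed",
     "path": "app/util.py", "start": {"line": 5},
     "extra": {"severity": "INFO", "message": "file handle never closed"}},
], "errors": []})

# Local gating policy (an assumption for this example, not Semgrep's own
# policy engine): only ERROR findings fail the pipeline.
BLOCKING_SEVERITIES = {"ERROR"}

def load_findings(report_text):
    """Flatten a Semgrep JSON report into (severity, check_id, path, line, message)."""
    report = json.loads(report_text)
    findings = []
    for r in report.get("results", []):
        extra = r.get("extra", {})
        findings.append((extra.get("severity", "INFO"), r["check_id"], r["path"],
                         r.get("start", {}).get("line"), extra.get("message", "")))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'ERROR': 1, 'WARNING': 1, 'INFO': 1}."""
    return dict(Counter(f[0] for f in findings))

def blocking(findings, severities=BLOCKING_SEVERITIES):
    """Findings that should fail the build under the local policy."""
    return [f for f in findings if f[0] in severities]

def exit_code(findings):
    """0 when nothing blocks (like 'exiting with code 0' above), else 1."""
    return 1 if blocking(findings) else 0

if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    print(summarize(fs))
    for sev, check, path, line, msg in blocking(fs):
        print(f"{sev}: {path}:{line} {check} - {msg}")
    raise SystemExit(exit_code(fs))
```

Point the script at a real scan_results.json by replacing SAMPLE_REPORT with the file contents; the same functions work unchanged.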

DAST — Dynamic Application Security Testing

2. DAST stands for Dynamic Application Security Testing; tools include ZAP, OWASP PurpleTeam and Arachni³. We can also experiment with enterprise application scanners such as Akto³.

Differences: black-box, running application, runtime vulnerabilities can be detected.

Let’s discuss Akto and how the tool is applied to DAST. DAST is easier to understand when you consider its target: essentially, DAST targets applications hosted behind a domain or on internal web servers.

i) Clicking on the Dashboard provides a summary of the APIs discovered on the target. It also gives a descriptive breakdown of the types of sensitive data found, such as email addresses and JWT tokens.

Dashboard overview
Sensitive data: email or JWT

ii) Clicking on Testing -> Result, we can uncover most of the vulnerabilities found in API requests to various endpoints; the one we will dig into is “FTP credentials exposure”.

iii) Digging into the API request, the vulnerability concerns retrieving the FTP sync settings. The finding is classified as unauthorised FTP access, with the described impact: "Exposing FTP credentials enables attackers to gain unauthorized access to FTP servers, leading to potential data breaches, unauthorized modifications, and risks to connected systems." The API response we received shows that the permission level for retrieving files/directories is set to 0755, which grants read and execute permissions to all users on the FTP directory. This configuration may pose a security risk in the given scenario.

IAST — Interactive Application Security Testing

3. IAST stands for Interactive Application Security Testing; tools include Contrast Security, HCL AppScan and New Relic. One advantage of IAST is that it applies to running applications while also offering code-level advice, combining the strengths of both SAST and DAST.

Differences: running application, source code analysis.

Here is an example that gives a quick look at how IAST differs from SAST and DAST. IAST usually requires you to install an agent on the dev server that hosts the application. The tool can then find vulnerabilities in the running application and give more accurate advice, since it has an agent installed in it. Let’s take a look at New Relic⁴.

The lab below has Node.js pre-installed; please confirm your version is up to date to avoid errors such as “Error: Cannot find module ‘fs/promises’”, which occurs because that module is only available from v14 onwards⁵.

i) Search for IAST under All Capabilities to set up IAST.

ii) Follow the instructions to add the config to your app and install the Node.js agent.

iii) Configure newrelic.js and move it to your application root directory.

Please refer to the Node.js agent installation guide⁶, then put newrelic.js in the root directory.

Looking further at the parameters in newrelic.js, we replace app_name and license_key to connect to your account. app_name can be anything you like; the license key is obtained by following the procedure described earlier.

The security config acts as a switch that enables or disables monitoring of your application.

Finally, run the command “node -r newrelic .\index.js”. The application will then be running and monitored.

iv) Result review

The New Relic overview indicates that the monitored application appears to be secure.

When we click into “IAST for NodeJS App”, we get more detail. IAST analysis coverage describes the APIs and methods that the application provides.

In the API detail, 4 APIs have been tested, with their potential exposures listed for SOC analysis, which enhances product security visibility. The tested methods show the full path of the file and which potential exposure might hit the vulnerability, which can save significant time.

Tested APIs
Tested methods

So these three development security tools differ a little from each other. It can indeed be challenging to select the most suitable one for various enterprise use cases; however, we can base the decision on the factors discussed above. Hope you have a nice experience with these development security tools in the future.


Tony Fu

Extensive experience as a network engineer and cybersecurity engineer, interested in automation, simplifying architecture, and innovating with new technologies.