Today, 85% of security attacks target software applications, according to SAP. Not surprisingly, an array of application security testing tools is available to help companies address security risks, and they vary in both approach and coverage. This guide to SAST and SCA discusses how these two types of application security solutions can help you address different risks.
In a world that runs on software, organizations face a challenge: Writing good software is hard. As software becomes increasingly complex, ensuring that it is reliable and secure becomes more difficult. Opportunities to make mistakes abound, whether for purchased software, proprietary software, or software delivered as a service—and particularly for open source software. The benefits of open source are clear: faster time to market, greater opportunities to innovate, lower development costs, and access to a global community of developers. But organizations often overlook the security and risk management challenges related to open source use.
Security weaknesses, such as those listed in the OWASP Top 10 and the 2019 CWE Top 25, are introduced into proprietary code by developers. Among the most well-known weaknesses are SQL injection, broken authentication and session management, and cross-site scripting. Static application security testing (SAST) can detect common types of weaknesses by examining the code itself, both as developers are writing it and at commit, build, and test time.
Open source vulnerabilities, such as those listed in the National Vulnerability Database (NVD), are introduced through the use of open source components in a codebase. Open source is no more or less secure than commercial software, but organizations that lack visibility into the open source they use cannot effectively mitigate and remediate open source vulnerabilities. And the number of open source vulnerabilities is growing; the NVD reported more than 16,000 new open source vulnerabilities in 2018 alone. Software composition analysis (SCA) focuses on identifying the open source in a codebase so teams can manage their exposure to security and license compliance issues.
Organizations employ a variety of methods to combat software vulnerabilities, but time is the enemy. While the “time to compromise” of a breach is most often days or minutes, it can take months to remediate the vulnerability that allowed the breach.
Open source vulnerabilities pose additional security risks. Open source is accessible and used everywhere. This fact is not lost on hackers, who can access publicly available information on known open source vulnerabilities along with detailed information on how to exploit them. For example, as soon as a vulnerability is reported, the open source community often also publishes a means to exploit it.
Application security challenges are diverse, so what’s the best way to address them? An effective approach to addressing software vulnerabilities must include security testing tools to find both weaknesses in proprietary code (with SAST) and vulnerabilities in open source code (with SCA).
A software security program that contains both SAST and SCA is more comprehensive. Organizations that adopt such an approach get results:
Let’s look more closely at these essential application security testing tools.
SAST inspects an application’s source code to pinpoint possible security weaknesses. Sometimes called white box testing (because the source code is available and transparent), SAST comes into play early in the software development life cycle (SDLC), when fixing problems is both easier and less expensive. SAST is effective at finding many of the common weaknesses mentioned earlier, such as cross-site scripting, SQL injection, and buffer overflow.
SCA identifies all the open source in a codebase and maps that inventory to a list of current known vulnerabilities. Entry-level solutions simply collect information about the open source that is declared (e.g., libraries) and compare it to the NVD. More advanced solutions use sophisticated source and binary file scanning to ensure that they identify all open source, including code snippets copied from known sources. They also augment NVD data with other vulnerability information to provide more complete and timely reporting. Leading SCA solutions provide ongoing monitoring and alerts for vulnerabilities reported after an application deploys.
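The entry-level approach described above, as an added example rather than any vendor's implementation: build an inventory from declared dependencies, then match it against advisory version ranges. The package names, versions and advisory IDs are constructed placeholders, not NVD entries, and the manifest format is assumed to be a pinned requirements-style list.

```python
import re

# Constructed inputs: package names, versions and advisory IDs are placeholders,
# not real NVD entries.
MANIFEST = """\
examplelib==1.4.2
webframe==2.0.0      # already at the fixed release
parserkit==0.9.1
legacyutil>=3.1      # not pinned: exact version unknown from the manifest
"""
# (advisory id, package, first affected version, first fixed version or None)
ADVISORIES = [
    ("EXAMPLE-0001", "examplelib", "1.0.0", "1.5.0"),
    ("EXAMPLE-0002", "webframe", "1.0.0", "2.0.0"),
    ("EXAMPLE-0003", "parserkit", "0.9.0", None),
]
PIN = re.compile(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)")

def as_tuple(version):
    """'1.4.2' -> (1, 4, 2); numeric dotted versions only."""
    return tuple(int(part) for part in version.split("."))

def inventory(manifest):
    """Return ({package: version} for pinned lines, [lines left unresolved])."""
    pinned, unresolved = {}, []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN.fullmatch(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unresolved.append(line)
    return pinned, unresolved

def known_vulnerable(pinned, advisories):
    """Match the inventory against advisory ranges [introduced, fixed)."""
    hits = []
    for adv_id, package, introduced, fixed in advisories:
        version = pinned.get(package)
        if version is None:
            continue
        v = as_tuple(version)
        if v >= as_tuple(introduced) and (fixed is None or v < as_tuple(fixed)):
            hits.append((package, version, adv_id))
    return hits
```

The `unresolved` list is the visibility gap: a declaration-only scan cannot say which version of `legacyutil` ships, which is why the more advanced solutions scan source and binary files as well.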
Application security is evolving rapidly, thanks in large part to the proliferation of open source code. With its clear benefits, open source is the foundation of modern application development. Therefore, an application security testing approach that includes only SAST and focuses only on proprietary code can leave significant vulnerability identification and management gaps.
SCA completes the picture, providing automatic identification and inventorying of open source software, mapping components to known vulnerabilities, and streamlining and securing CI/CD activities. An approach incorporating both SAST and SCA supports a comprehensive and in-depth assessment of security across the entire application landscape.