Monday, April 23, 2018

Application Security Testing (the Wild West perspective)

Imagine running a bank in a small town. A small town in the Old Wild West. Gangs roam freely. Many people are poor and desperate. Law enforcement exists, but the law is open to individual interpretation. Many crimes go unpunished. And you keep all the bank's money in the safe. Every night you try to sleep and not think about your safe - is someone trying to pry or blow it open at this very moment?

Now... imagine you want to make that safe more secure. Would you pay a bunch of thugs to crack it open by force and blow it up? Or would you prefer to pay a group of highly skilled engineers to disassemble it into pieces, carefully examine each one, and explain how to fix all the weaknesses they find?

The Internet of today still functions much like the old Wild West - many laws that try to enforce order are either too broad or vary significantly from country to country. There are not many law enforcement officials to be found. And there are a lot of people who roam around trying to gain some profit even if it means breaking the law.

Your applications and infrastructure are your safe. At least they should be secure. You cannot be sure unless someone examines them thoroughly and helps you find and fix all the vulnerabilities before the bad guys do. Examining a running application is called DAST (Dynamic Application Security Testing). DAST is the equivalent of roughly shaking the safe, beating it with a large club, proceeding to cut it with a blowtorch, and finishing up with a bunch of explosives. It has its own purpose and advantages, but it will never be able to discover some of the weaknesses that careful disassembly and examination would. To check your application in a thorough way you need to analyze its source code. The best method to do that is called SAST (Static Application Security Testing).

To perform the static testing, you can employ two methods:

  1. Team(s) of highly skilled security professionals going through your source code line by line and trying to spot weaknesses
  2. Find some way to automate the procedure and have people only examine and verify the results


The first method (manual code review) gives the best results if the team is skilled enough and has enough time to do it. Experienced security professionals are hard to find (read: not cheap), and manually going through even a medium-sized application can take a whole team of people many months or years. Because of the huge cost and time it takes, manual code review is seldom employed for anything but applications of the utmost importance.

The way to go is to automate the procedure and employ the help of your own computer to read and understand the source code, and to notify you if there are any security vulnerabilities in there. That way you can check your code while it is still in the early stages of development and spot the issues early enough, avoiding the cost of a major redesign later on. If you use automated tools, you can make a policy that says: "Every new version of the application that goes into production must go through the security review". That way you can sleep peacefully knowing that the latest deploy did not just open up a huge hole right in the middle of your application. A hole that you might hear about in the morning news while sipping your coffee. That might not be the way you want to make a debut for yourself and your company.
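To make the "let the computer read the source code" idea concrete, here is a deliberately small static taint-tracking check written for this article as an added example; it is not ThunderScan's code or its approach. The sample handler it scans is constructed, and the lists of taint sources and sinks are assumptions.

```python
import ast

# Constructed sample input: one handler passes request data to a shell, one does not.
SAMPLE_SOURCE = '''
import os
from flask import request

def ping(host_default="localhost"):
    host = request.args.get("host", host_default)
    cmd = "ping -c 1 " + host
    os.system(cmd)

def version():
    os.system("uname -a")
'''
SOURCES = {"request.args.get", "input"}            # assumed: where untrusted data enters
SINKS = {"os.system", "subprocess.call", "eval"}   # assumed: where it must not arrive unchecked


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def names_in(node):
    """All plain variable names referenced anywhere under a node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_taint_flows(source):
    """Per function, report sink calls whose arguments depend on a taint source.
    Only straight-line assignments are tracked; nested blocks, inter-procedural
    flows and sanitizers are out of scope for this illustration."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()  # variable names known to carry untrusted data
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                rhs = stmt.value
                calls = {dotted_name(c.func) for c in ast.walk(rhs) if isinstance(c, ast.Call)}
                if calls & SOURCES or names_in(rhs) & tainted:
                    tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):  # any sink call fed by a tainted name is a finding
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    if any(names_in(a) & tainted for a in call.args):
                        findings.append((func.name, dotted_name(call.func), stmt.lineno))
    return findings
```

Running `find_taint_flows(SAMPLE_SOURCE)` reports the flow in `ping` (request parameter to `os.system` on line 8 of the sample) and stays silent on `version`, which only passes a constant; a DAST scan would only find the same issue if it happened to request that endpoint with a crafted value.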

The question remains - if source code review is so costly and time consuming, how can anyone afford to do it even once, let alone do regular checks every time something is changed or added? There are not many solutions and tools that help you, but we can assure you ours is one of the best there is. We call it ThunderScan. Almost 10 years in development, it grew to become one of the best and most cost-effective tools out there. Maybe even the best - we will let you decide.

We tried to find a way to compare it to the best tools there are. The most objective and acclaimed way to do it was to apply for the OWASP Benchmark Project. The OWASP Foundation is one of the top authorities in IT security. Their Benchmark allowed us to compare the score of our SAST tool (ThunderScan) against the best tools in the world. And our results were impressive - we managed to find way more vulnerabilities than any other commercial tool.

We encourage you to try our tool yourself and form your own opinion. You can grab a free trial by clicking HERE. No credit card required. Really free of charge. Let us know how you like it by contacting us at defensecode@defensecode.com

Kind regards,

DefenseCode team

P.S.
We mentioned we also excel in cost-performance. Well... That was not the whole truth. Although we do offer the highest quality, we do not charge the highest prices. On the contrary - our prices are only a fraction of the prices of other top-of-the-line tools, and we are so proud of it that we made them public. You can check them out HERE.
