Category Archives: Gartner

Bullet-Train-Velocity

Dynamic Application Security Testing (DAST) is Anything but Static

5 Things A Modern Scanner Must Have

Dynamic Application Security Testing (DAST) solutions have been around for over a decade, so you might think the market is static. But, that’s hardly the case. Web applications and malicious hackers continue to evolve and DAST solutions need to keep pace. According to Gartner, DAST technology analyzes applications in their running state (in real or “almost” real life) during operation or testing phases. It simulates attacks against a Web application, analyzes application reactions and, thus, determines whether it is vulnerable. [Gartner Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2014]

Visit this NT OBJECTives’ Gartner resource center to review some of the latest research on DAST technology.

  1. Ability to Test Web 2.0 (AJAX), Web Services, and Mobile
    Applications have evolved to be very complex and transactional – leveraging web services, mobile components and complex workflows like shopping carts. These applications are built with new technologies like HTML5 that delivers the rich clients that today’s consumers expect and REST interfaces used by AJAX. These REST interfaces also power most mobile apps, and business to business API’s. It’s critical that today’s scanners understand these new technologies.If a dynamic application security scanner hasn’t been modernized to understand these new technologies, it’s almost certainly completely skipping that area of the application leaving it untested or requiring that entire section to tested by hand. Most of the pen testers I know already have their hands full testing advanced business logic and other hard to reach areas. DAST solutions should be automatically covering as much of these applications as possible.
  2. Continuous Integration API’s to Support the SDL
    Most of the global enterprises we work with require extensibility to enable them to drive security earlier into the software development lifecycle (SDL) and to connect with existing and home grown tools. Many organizations are integrating their DAST solutions into their Continuous Integration solutions (HudsonJenkins, etc) to ensure security testing is conducting easily and automatically before the application goes into production. This requires a dynamic application security scanner that works well in “point and shoot” mode and offers open API’s for running scans. Ask your vendor how their scanner would fit into your CI environment.
  3. DEV/QA Integration and Flexible Training Options
    Security teams are collaborating with development and QA teams to leverage the test automation tools & scripts such as Selenium to create repeatable security tests that can be executed in conjunction with nightly application builds. This is an excellent way to build security into the process from the beginning with very little additional effort. Talk to your DAST scanning vendor about how their integration with Selenium and other automation tools works.
  4. Enterprise Reporting for Metrics
    Enterprise reporting means different things to different people, so one of the key features a solution should have is flexibility with open access to raw data for custom analytics. You want to make sure that your vendor does not hide the data in any way, and preferably makes it readily available with standard database query option.
  5. Point and Shoot High Quality Results
    This one is critical! Your dynamic application security scanner must do everything possible on its own to comprehensively crawl the application and then attack it. Of course training can help, but the problem is that organizations often have too many applications and the security team rarely has the time or knowledge of each application to ever possibly be able to train the scanner for them. Additionally that human time could be better spent by the security team to test things that automation cannot, such as privilege escalation and cross-account data leakage.

Ask your DAST vendor if their scanner requires training in order to understand your complex applications, and then test them for yourself.

1.7 Automation Reduces Man Hours

Application Security Scanning Today – Big Organizations, Big Challenges

IT security teams in global enterprises face significant challenges in application security scanning that create the need for application scanners to deliver a scalable solution that is capable of assessing today’s applications. At NT OBJECTives, most of the organizations we talk to and work with are some of the largest organizations in the world. They are dealing with tremendous challenges from numerous applications and limited resources to ever changing technology. Let’s examine the three key challenges many of our customers face.

1. Complex Applications, New Technologies

One of the primary challenges in application security testing today is the complexity of modern applications.

“The surface of attacks targeting applications and data has expanded from Web into mobile and cloud systems. Rapid adoption of detection and protection concepts and technologies is critical for all enterprises.”
Section from Gartner other report on market state
Hype Cycle for Application Security 2013, July 25, 2013

Today’s applications are written in different technologies and those technologies are constantly changing and evolving. In the early 2000’s, most applications were simple HTML applications. Now with Rich Internet Applications (RIA’s), mobile and cloud applications, we have a host of new technologies used in applications. These technologies include everything from AJAX and Google Web Toolkit to REST and JSON.

Most application scanners have fallen behind the innovation curve and can no longer automatically or accurately assess applications that include these technologies, leaving enterprises vulnerable.

The-Wideneing-Coverage-Gap

Scanners were historically based on their ability to crawl an application in order to understand it and they were able to crawl HTML, but this is no longer the case. A new architecture and approach is required for these newer technologies. From what I can tell, NTOSpider is the only that has been modernized to address today’s applications. Be sure to examine your application security scanner carefully to determine if it’s covering the newer technologies. To read more about dynamic application security tool coverage of new technologies, please check out our white paper, “Is Your Scanner Like the Emperors New Clothes?”.

2. Enterprise Scalability & Automation

Compounding this issue of the complexity of applications is the sheer volume of them. Today’s enterprise security teams are faced with the enormous challenge of securing hundreds or thousands of applications, built in a variety of technologies with small security teams.

In order to effectively secure that many applications, security teams require a high-level of sophisticated automation. We often refer to the breadth of scanner coverage – is it covering this AJAX corner of the application, or that complex business workflow.

Considering Application Security Scanner Coverage

Application scanner coverage is the percentage of an application that a scanner can automatically understand and test. As an application scanner’s coverage of applications increases, costs for scanning all of the organizations application’s decreases. In order to achieve maximum scalability, organizations should use maximum automation. Maximum automation is derived from maximum application coverage by a scanner. There aren’t any application scanners that can scan 100% of a complex application because they will always require some testing by hand for certain business and application logic functions. However, scanners should be able to achieve maximum coverage of a complex application. Roughly 80% of a security test, even on a complex application, is capable of being automated.

For this discussion, I’m using a sample organization that has 80 standard applications and 20 complex applications.  The potential cost savings of using an application scanner with maximum coverage available (80%) would be about $228,000 or 1520 man hours per scan cycle. Many organizations do quarterly cycles, so this can result in a savings of approximately $1m per year. The following tables and graphs demonstrate the business case for maximum automation.

Cost Savings Driven by a Highly Automated Scanner for 20 Complex Applications

The table below details the time and cost savings realized with improved automation (scanner coverage) for one cycle of testing for the 20 complex applications. Using this rough estimation technique, you can see that an organization can save $80,000 in one testing cycle where 20 complex applications are tested one time.

For the purposes of this example, I am estimating the cost per pen test hour at $150 and estimating the man hours required to complete a scan based on the coverage the application scanner can provide and the complexity of the application. The estimated total man hours required for testing the applications is multiplied by the $150 to get the cost for the apps for each row.

The following table demonstrates how total security testing costs decrease for 20 complex applications as the application security scanner’s % coverage of the application increases.

1.0 Time & Cost Savings for Complex Applications

Note: The column called, “Man hours required to complete a scan” refers to the total number of human hours required to assess an application including: configuration time, pen testing time, vulnerability review and validation time, etc.

So, if we look at the same cost savings for 20 complex applications in a graph, we can see that as scanner automation improves, costs decrease. 

1.1 1.1 Cost Savings with Improved Automation (20 Complex Apps)

Cost Savings Driven by a Highly Automated Scanner for 80 Standard Applications

So, does the same logic hold true for more standard applications that are less complex? This table details the time and cost savings realized with improved automation for 80 standard applications over one test cycle. Again, using this rough estimation technique an organization can save $72,000 in one testing cycle where 80 standard applications are tested one time.

1.2 1.2 Time & Cost Savings for Standard Applications

Again, looking at it in a graph format, you can see that as scanner automation improves, costs for testing 80 standard applications decreases. With 50% coverage, the applications will cost around $120,000 to test, but with 90% coverage, the costs decrease to less than $20,000.

1.3 1.3 Cost Savings with Improved Automation (80 Standard Apps)

Cost Savings Driven by a Highly Automated Scanner for 100 Mixed Complexity Applications

So, when you look at all 100 applications of mixed complexity, again we see that as scanner coverage increases, man hours and therefore overall costs, also decrease.

1.4 Time and Cost Savings (100 apps, mixed complexity)

And the graph demonstrates that  an organization can save almost $200,000 by testing all 100 of their applications one time with maximum automation as opposed to 50%.

1.7 Automation Reduces Man Hours

3. Scalability with Cost Control

A third major issue is that most of these organizations are building world class application security programs to address thousands of web and mobile applications with limited financial and human resources in a race against ever increasing threats. This challenge requires them to find highly automated and distributed application scanning solutions while effectively using resources to control costs.

But controlling costs is difficult. The smartest solution is one that combines the most accurate and automated web application vulnerability scanning with the benefits of elastic computing in the cloud to provide a sophisticated and scalable solution that effectively controls costs while conducting automatic vulnerability detection for even the most complex applications. Our scalable, elastic solution leverages NTOEnterprise and enables the largest global enterprises to provide their own application security assessment shared services to their customers or different divisions around the world.

A highly sophisticated and automated solution combined with elastic computing enables global organizations to easily expand and contract resources based on their scanning demand.

At NT OBJECTives, we have always strived to maximize automation. We find that many of the largest organizations in the world choose us because the complexity of their application security program necessitates sophisticated automation, maximum application coverage and scalability. For more information about how we solve these problems, please visit us at www.ntobjectives.com or request that we contact you by filling out this short form.

iphone image

Mobile Application Security 101

Mobile Applications – Still Insecure

Businesses are racing to meet the demands for mobile applications, yet mobile application security is an afterthought, just as web application security was when web applications started to proliferate.

As an industry, we know so much about securing web applications that applies to mobile, but most organizations are still repeating past mistakes and making new mobile specific mistakes that expose businesses to security incidents.

According to a recent Gartner report, “Most enterprises are inexperienced in mobile application security.  Security testing, if conducted at all, is often done casually — not rigorously — by developers who are mostly concerned with the functionality of applications, not their security.[1]” In this same report, the firm indicates that “through 2015, more than 75% of mobile applications will fail basic security tests.[2]

Friends-using-Foursquare-006

Don’t Forget Mobile Web Services

There has been so much talk about mobile device and mobile client security, but the key thing to keep in mind when approaching mobile application security is that it’s critical to test both the client as well as the communication to the web service that powers it. For example, if you’re using your Twitter app, the primary logic that resides on the mobile client is display and user authentication. The app must then communicate to a web service in order to get and send Tweets. This web service is the real power of Twitter and where the real security risk lies. Why attack one user, when you can attack that web service that is used by millions?

Even though mobile applications leverage a client-server model, they are built with entirely new technologies that necessitate new processes, technologies and skills.  While mobile application security does drive these new requirements, the overall problem is one that the security industry is already well acquainted with because the vulnerabilities showing up in mobile applications aren’t new at all. We often say that we are “Hacking like it’s 1999” because, the reality is that mobile vulnerabilities are are just the same old vulnerabilities that we have been hunting for over 13 years now: SQL injection, overflow, and client attacks.

These new requirements for mobile testing are driven by the new programming languages used for building mobile clients (Objective-C and Android’s Java variant), the new formats used by back-end web services (JSON and REST) and the new authentication and session management options (OAuth, HMAC, etc). And while those familiar SQL Injection attacks look almost exactly like they did 10 ago, you just can’t find them without understanding how to deliver these attacks within the new structures.

iphone image

SQL Injection Alive and Well

We call the mobile vulns the Where’s Waldo of application security. They’re your old familiar friend, SQL Injection, who looks almost exactly like he did 10 years before – maybe with a few gray hairs – but you just can’t find him as easily because he’s in an all new environment. We simply need to adjust to this new landscape and start looking for our old friend again.

Another important thing to keep in mind about mobile application security testing is that there ARE tools that automate the process. There just aren’t that many of them that automate the entire process or do it very well.

We see several categories of security vulnerabilities in mobile applications:

More on Mobile Application Security

 

[1] [2]Gartner Research Document

Gartner, Technology Overview: Mobile Application Security Testing for BYOD Strategies, By Joseph Feiman and Dionisio Zumerle, August 30, 2013.

NT OBJECTives Positioned in the “Visionaries” Quadrant of the Magic Quadrant for Dynamic Application Security Testing (DAST)

Recent Gartner research positioned NT OBJECTives in the Visionaries quadrant for Dynamic Application Security Testing(DAST).(i) Gartner’s report was published in December and is now available to all Gartner subscribers.

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(ii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011
(iii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27,2011