At Prolifics Testing, we pride ourselves on our Application Testing expertise. Source code analysis using market-leading tools can help eliminate security flaws at the development phase, with scans possible on demand, on build, or automatically to a defined schedule.
Once applications are completed, our team can carry out application level penetration tests, using a combination of manual and tool assisted techniques to identify vulnerabilities, some of which may not have been picked up by code level testing.
SAST and DAST Services
SAST (Static Application Security Testing) is testing without executing any code and is carried out during development. SAST allows developers to detect security flaws in the application source code early in the development lifecycle. SAST also ensures that coding guidelines and standards are met, as code is checked in and regular scans are run.
DAST (Dynamic Application Security Testing) differs from SAST in its ability to locate security weaknesses in a running application. DAST can locate issues with authentication and server configuration, as well as those issues that are detectable only once a user logs in.
SAST and DAST both have their own unique strengths, and rather than choose between the two, our consultants are experts at practising both in combination.
One of the core tools we use for our SAST / DAST approach is Micro Focus Fortify.
Fortify Source Code Analyzer (SCA) enables code scanning of a large and ever-increasing number of languages, integrating directly with IDEs to allow developers to run scans and be guided by a detailed explanation of the problems found, with clear data flows and an identification of the types of vulnerabilities that result from insecure code.
Fortify seamlessly integrates into CI/CD pipelines, and is highly scalable throughout organisations, including centralised scanning and results, Audit Workbench for security auditors to review vulnerabilities and extensive, configurable reporting, with options at all levels.
SCA, like all constituents of the Fortify suite, is continuously updated with the latest security advisories from the Micro Focus Security Operations Centre (SOC). In addition, Fortify employs machine learning techniques to learn how best to support the environment where it is used and reduce the number of false positives. There is an option to participate in the anonymous sharing of vulnerabilities found and their audit results with other Fortify users around the world, which further increases the accuracy of detection.
Prolifics Testing is a Gold Micro Focus partner for security and has good expertise in the Fortify toolset, especially SCA. Scanning an application with SCA could not be easier - on-premise or Cloud (SaaS) based options are available, via Fortify on Demand.
Fortify WebInspect allows the dynamic testing of applications, usually at the point in the lifecycle where the test team gets involved. WebInspect can launch a wide range of attacks against a web application, using a highly configurable set of criteria, as well as a wizard-based configuration. This is an extremely effective way of launching a series of automated attacks on web apps, which can quickly identify vulnerabilities that would be more difficult to find using a static testing approach.
IAST and RASP Services
The increase in popularity of containerization within DevOps environments – namely, because of the scalability, portability, and CI/CD utility of containers – has unfortunately brought increased levels of application risk.
IAST and RASP are innovative testing approaches that allow for continuous testing, something of the utmost importance both for guaranteeing security at all stages of development and for preventing disruption to existing pipelines.
The importance of IAST
IAST (Interactive Application Security Testing) checks code for security vulnerabilities during automated testing of an application. Because IAST reports threats in real time, your CI/CD pipeline is not slowed down.
IAST is designed to go beyond SAST and DAST by bringing both practices together. Simply put, IAST places an agent within an application to carry out analysis in real time throughout the development life cycle, while functional testing is taking place.
The value of RASP
Organisations that have not prioritised application security early on face significant risk from cyber attacks, and potential legal ramifications from the resultant leaking of customer information. In this situation, one solution is to make use of RASP.
RASP (Runtime Application Security Protection) is directly plugged into an application / its runtime environment, and from there can control application execution. RASP allows apps to run continuous security checks on themselves and fight back against live attacks by ending an attacker’s session and alerting cyber security defenders to the attack.