Beyond DAST – A DAST First Tool with IAST Depth

Jonathan Davis

Sales Engineer at Netsparker

Learning Objectives

Netsparker has always been, and always will be, a DAST-first solution. We strongly believe that the versatility of modern dynamic tools brings advantages that extend far beyond the typical vulnerability scanning functionality. The inclusion of DAST-induced IAST functionality in Netsparker provides the best of both worlds by maintaining the advantages of a DAST solution while gaining the ability to go deeper than ever before to identify and verify more vulnerabilities with access to the application code. In this presentation, you will learn how Netsparker helps your organization automate and scale web application security with the added benefit of IAST scanning capabilities in order for your team to reach the depths of your application security.

Key Takeaways:

  • Benefits of starting any web application scanning solution with a DAST foundation

  • Benefits of DAST-induced IAST

  • Popular ways to implement IAST

"Netsparker is the only truly scalable application security testing solution and the best choice for large organizations."

Jonathan Davis

Sales Engineer at Netsparker


Welcome to a presentation by Netsparker: Beyond DAST – A DAST First Tool with IAST Depth. I would like to quickly introduce you to Netsparker, the most scalable application security testing tool on the market. Originally a dynamic application security testing (DAST) tool, with now the added component of interactive application security testing (IAST), which is what we’ll focus on in this presentation.

We will quickly recap what DAST benefits and limitations are before exploring IAST. We will then learn what IAST is, its types, and we will introduce you to the Netsparker IAST component called Netsparker Shark. Then, we will explain why our approach to DAST maximized by IAST is unique. We will show you how it works, discuss its role in the SDLC, and discuss the benefits of such a combined testing approach.

Netsparker is known as the only scalable application security testing tool on the market, which helps you automate web vulnerability scanning and remediation. It is a truly effective solution, thanks to its proprietary proof-based scanning technology, which is the key to confidence in efficient workflow automation with the highest level of accuracy. The scanner automatically verifies vulnerabilities by providing solid proof that the issue is real and not a false positive. Such a high degree of automation scalability allows small security teams to ensure security across thousands of web assets. Trusted and recognized, the proof that Netsparker is the best choice when it comes to DAST is right here. Security teams who select Netsparker love to recommend our product, because it delivers exactly what it promises. Not only was Netsparker placed in the top right quadrant for Gartner, we were also voted the easiest to use, easiest to admin, and fastest implementation by the G2 Crowd.

DAST is a blackbox testing tool. What that means is that DAST doesn’t know about our internal code structure before the scan begins. It’s going to start exploring that web application and searching for vulnerabilities just like an attacker would. When you’re using a DAST solution, we’re able to test how the web application is going to behave in runtime as opposed to focusing on static code analysis. A DAST solution is going to send a request to a server and then analyze those responses in order to understand whether or not that web application is vulnerable to specific types of attacks.

The benefits of using a DAST solution are varied. It is easy and fast to deploy. We’re checking the behavior at runtime, as opposed to guessing about how the web application will behave at runtime, as we would with a SAST tool. We’re using the same approach as an attacker, so this will allow us to uncover the same types of vulnerabilities that an attacker would be able to uncover. It has fewer false positives than a SAST tool, because we’re looking at the application in runtime and it is technology and language agnostic. Regardless of what programming language you’re using under the hood, or what libraries, as long as that web application is live and running, you’ll be able to test it for vulnerabilities.

Now, let’s talk about what IAST is. IAST stands for Interactive Application Security Testing. Let’s break that acronym down. Interactive, this means it interacts with the running application in other tools. Application, it’s designed for web applications and our web assets. Security Testing, it finds security vulnerabilities and pinpoints their location.

Now, why use IAST? It works on the basis of sensors, and it passively examines the running application from the inside. It’s a cost effective solution when compared to source code testing models. Now, broadly speaking, there are three different types of IAST tools. You have Passive IAST. Passive IAST tools provide only the sensor that attaches to the running application. If this sensor notices something suspicious as the application is running, it reports it to the IAST dashboard. The downside is that they need comprehensive test suites to work, and typical software test cases don’t contain payloads that simulate attacker behavior.

The second type is Active IAST, also known as DAST-induced IAST. Active IAST tools are delivered by manufacturers of simple DAST scanners. They do not communicate with DAST scanners. Just like in the case of simple IAST tools, the DAST is used to activate the sensor, but does not communicate with the sensor at all. These two tools were completely separate. One is just being used to trigger the other.

The third type of IAST tool is a True IAST Solution. When IAST works together with an advanced DAST tool, it can be categorized as a True IAST Solution. With a True IAST tool like Netsparker Shark, there’s no need to manually try to pull together results. All the information is available using a single tool. This makes true interactive application security testing the only approach to IAST that will be scalable in an enterprise environment.

Now, let’s talk about how IAST enhances the type of information we can get. IAST extends the benefits of DAST because it adds depth of information to broad testing coverage. With a true IAST approach, developers get a detailed report with all the information needed to fix the issue showing how the vulnerability was safely exploited by the scanner, what impact it could have, how it can be fixed, and how to avoid it in the future. Information from IAST sensors is added to the same report, including the source of the vulnerability, additional information that further proves the vulnerability, including the specific line of code where the developer made an error.

Now, let’s talk about how Netsparker Shark works specifically. Netsparker Shark is available not only for your Java and .NET applications, but also for your PHP applications. With Netsparker Shark, IAST implementation is easier than ever. All you need to do is install the sensors and connect to them from your Netsparker Enterprise dashboard. Since Netsparker Shark is a sensor that is deployed on a particular server, you can have servers with Netsparker Shark and at the same time servers without it, depending on your specific needs.

Now, let’s talk about where you would use Netsparker Shark. DAST tools aren’t fit for the earliest stages of the SDLC, but excel in all other stages up to and including production. IAST can be used from the first time an application is compiled and run all the way up to the staging environment. There are two basic requirements for an IAST tool to be used in the SDLC. The first is that the application must be mature enough to be compiled and executed. The second is that the environment in which the application is executed must allow for the addition of an IAST sensor.

Now, let’s talk about what makes Netsparker unique. Netsparker uses proof-based scanning technology. Proof-based scanning technology is unique to our organization. This is a proprietary vulnerability scanning technology, and it safely exploits web application vulnerabilities, and it will then extract sensitive data as proof that the vulnerability is real. This enables confident automation and brings a host of other benefits. Netsparker also provides a scalable DAST-first approach to IAST. With Netsparker Shark, the only True IAST Solution is integrated with Netsparker Enterprise, and then it’s coupled with proof-based scanning. This provides even more scalability and reliability of results. We can also integrate this into our existing workflows because Netsparker easily integrates with issue trackers, CI/CD platforms, and other tools. This allows us to scan for vulnerabilities from the early stages of development, and then automatically assign those vulnerabilities to specific developers, and automatically validate they’ve been fixed, saving us hours of time. Also, we’re able to transform DevOps into DevSecOps by seamlessly integrating security into our SDLC. We can also allow our developers to focus on fixing the critical issues first.

Why should you use Netsparker? The first reason is it gives you an improved security posture. Netsparker gives you a better understanding of your entire existing attack surface. With Netsparker, you can be confident that you always have an accurate picture of your entire web environment. Netsparker also provides extra visibility and reporting. Netsparker presents us with clear actionable dashboards and trend charts, which show us both the current vulnerability status and the progress security and development teams are making. Netsparker also helps us to improve our operational efficiencies. We can automatically confirm issues that come up by using proof-based scanning. We can automatically assign those confirmed issues to specific developers. Then, we can focus on vulnerabilities which really need human expertise to uncover. This allows us to achieve measurable security improvements in reduced cost with short time [unintelligible].

Netsparker is the only truly scalable application security testing solution and the best choice for large organizations. With effective automation, depth of vulnerability information, and workflow integration, Netsparker allows small security teams to take control of their web security across thousands of web applications, and helps bridge the gap between security and development teams. With the newly implemented True IAST Feature Netsparker Shark, security professionals and developers can save even more time when fixing vulnerabilities, which will result in measurable security improvements. Thank you very much for your time and attention during this presentation.
