Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- static application security testing (SAST)
- -fits in Development stage
- -secure code review
- -detailed inspection on source code
- -done when is code is stable and nearly complete
- objectives
- -root cause analysis by inspecting DFD
- -enumerates all instances of certain vulnerability
- -enumerates weakness in the existing security controls again known threats
- -design flaws like mishandling of nonuser inputs can be identified
- why SAST?
- -many serious vulnerabilities can be identified
- -decrease the cost to solve later
- SAST deliverables
- -types of vulnerabilities
- -severity level/impact
- -location ,line of code
- -recommendations
- tools
- -checkmarx
- -visual code grepper
- -hpfortify
- -rational appscan source edition
- -selection is based on the choosen language
- -the tool's understanding on the libraries and framework
- -IDE integration should be checked
- -time and effort for setting up the tool
- -tool cost
- manual secure code review techniques for most common vulnerabilities
- -basically we sit and check for all common errors mentioned in the previous modules
- -use whitelisting instead of blacklisting
- -usage of nonparameterized statements
- -.....
- -time consuming but less false positives and false negatives
- -requires good understanding on code
- dynamic application security testing (DAST)
- -fits in Testing stage
- -simulate attacks
- -produces runtime errors
- -generally executed by penetration testers or security practioners
- -use automated web application scanners
- -generates workloads to detect security weaknesses
- DAST via automated application vulnerability scanning tools
- -webinspect
- -....
- DAST via proxy based security testing tools
- ....
Add Comment
Please, Sign In to add comment
