How to Find Additional Hidden Vulnerabilities During DAST Testing
The number of vulnerabilities found in production code continues to increase at an unprecedented rate. In 2019, 17,306 vulnerabilities were recorded in the US-CERT Vulnerability database. That was a record high for the third consecutive year, and we are on track in 2020 to beat last year’s number, with 10,861 new vulnerabilities already recorded in the first half of the year (the image below shows the number of vulnerabilities recorded by year up until July of 2020). The increasing number of vulnerabilities discovered in production code means that, as a whole, organizations are doing a terrible job at finding vulnerabilities during application development.
DAST Testing Tools Miss Vulnerabilities
The typical organization uses a number of testing tools to help discover vulnerabilities in code before the code is released to production. DAST (Dynamic Application Security Testing) is one of those tools: a black-box scanner that essentially acts like an attacker and launches attacks against the application under test to try to discover vulnerabilities in the application code. Even with expensive DAST testing tools, plenty of code is still making it to production with significant vulnerabilities.
DAST tools are typically deployed so that they run from a server separate from the one the application resides on, so that attacks come across the network, similar to the way they would in an actual attack in production. While this is great for simulating an actual attack, it has a downside: a successful attack is detected only if the testing server receives a response that it can interpret as evidence of success. The testing tool detects vulnerabilities based solely on the responses it receives from the application server for the attack scenarios it launches. If there is no response, or only a partial response, the testing tool may not detect every vulnerability that exists in the tested application. And based on the increasing number of vulnerabilities found in production code, it is clear that testing is not finding all the vulnerabilities in the application during the testing cycle.
Finding Additional Hidden Vulnerabilities
The question then arises: how can you improve your vulnerability detection and find these “hidden” vulnerabilities while testing your applications, before you go to production?
Based on the increasing numbers of vulnerabilities reported in released code, we need to find ways to discover “hidden” vulnerabilities more easily and to get more informative details on the vulnerabilities found. K2 Cyber Security can help address the issues around missed vulnerabilities and the lack of remediation details surrounding vulnerabilities that are found. The K2 Cyber Security Platform is a great addition to DAST testing, enabling organizations to find additional vulnerabilities not found by DAST testing tools; confirm vulnerabilities that are discovered by the DAST testing; provide remediation details for discovered vulnerabilities; and help identify false positives coming from the DAST testing.
K2 deploys an agent directly on the application server (think RASP and IAST). Because it runs on the application server, K2 has visibility into the application while a DAST or penetration testing attack is performed, giving K2 the ability to validate the execution of the application and “see” when an attack from the DAST tools is successful. This gives K2 the ability to detect and report additional vulnerabilities that the DAST and penetration testing tools miss because they lack visibility into the application. In testing with some of the leading DAST and penetration testing tools, K2 detected significant additional vulnerabilities in common applications that the testing tools missed.
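The two sections above describe why a response-only scanner can miss an injection that leaves no trace in the HTTP reply, while an in-process agent that validates each database call against what the code intended can still see it. The following added example (constructed for this article, not K2's code or its detection logic) builds a toy application whose reply is identical whether or not a probe alters the query, and contrasts a response-only check with an in-process query-shape check; the probe strings, table and query are all made up.

```python
import re
import sqlite3

# Constructed toy application: the developer's intended query shape,
# built with string formatting (the vulnerable pattern under test).
INTENDED_QUERY = "SELECT pw FROM users WHERE name = '%s'"

def sql_shape(sql):
    """Reduce a statement to its structure: string and numeric literals
    become '?', keywords and operators stay. Plain input only fills a
    literal; input that adds clauses or operators changes the shape."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals
    sql = re.sub(r"\b\d+\b", "?", sql)          # numeric literals
    return " ".join(sql.split())

EXPECTED_SHAPE = sql_shape(INTENDED_QUERY % "")

class InProcessMonitor:
    """The RASP/IAST idea in miniature: every query is compared with the
    shape the developer wrote before it reaches the database."""
    def __init__(self):
        self.findings = []

    def check(self, sql):
        if sql_shape(sql) != EXPECTED_SHAPE:
            self.findings.append(sql)

def build_app(monitor):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'pw')")

    def handle(name):
        sql = INTENDED_QUERY % name   # user input concatenated into SQL
        monitor.check(sql)            # hook point inside the process
        try:
            conn.execute(sql).fetchall()
        except sqlite3.Error:
            pass
        return "ok"                   # reply never depends on the query
    return handle

def response_only_scan(handle, probes):
    """What a black-box scanner sees: only replies that differ from baseline."""
    baseline = handle("alice")
    return [p for p in probes if handle(p) != baseline]

def demo():
    monitor = InProcessMonitor()
    handle = build_app(monitor)
    probes = ["bob", "alice' OR 'a'='a"]   # constructed benign and injected probes
    return response_only_scan(handle, probes), len(monitor.findings)
```

`demo()` returns an empty list from the response-only scan (no reply differed) but one finding from the in-process monitor, which is the gap the article describes.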
Getting Detailed Remediation Information on Found Vulnerabilities
K2 also has a secondary benefit during DAST and penetration testing: it can pinpoint the exact location of discovered vulnerabilities in the application code. When a vulnerability is discovered (for example, SQL Injection, Cross-Site Scripting or Remote Code Injection), K2 can disclose the exact file name and the line of code that contains the vulnerability, along with the details needed to reproduce the exploit. This is a level of detail that testing tools are typically unable to provide, and it enables developers to start remediation quickly.
Runtime Application Self Protection
Once applications clear testing and make it to production, the K2 Cyber Security Platform also offers a runtime use case. In this second deployment scenario, K2 offers an ideal runtime protection security solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or artificial intelligence, K2 uses a deterministic approach to detect true zero-day attacks, and is not limited to detecting attacks using only prior attack knowledge. Instead, deterministic security validates the execution of the application and verifies that API calls are functioning the way the code intended. No prior knowledge about an attack, and no knowledge of the underlying vulnerability, is needed, which gives our approach the ability to detect truly new zero-day attacks. K2’s technology has 8 patents granted or pending, and has virtually no false alerts.
Get more out of your application security testing and change how you protect your applications. Check out K2’s web application and application workload security solution. Find out more about K2 today by requesting a demo, or get your free trial.