The State of Software Security Testing Tools in 2022

Supply chain attacks, injection attacks, server-side request forgery attacks – all of these threats, and many more, exploit software vulnerabilities. Vulnerabilities can range from misconfigurations to design and software integrity issues. Overall, applications are the most common attack vector, with 35% of attacks exploiting some type of software vulnerability, according to Forrester Research.

The emphasis on software security, as well as the proliferation of software security testing tools, has grown over the past few years, in part thanks to supply chain attacks like those on Stuxnet and SolarWinds. And as organizations expand their web presence, the risks are greater than ever. Finally, the move towards DevSecOps has encouraged more organizations to include security testing in the software development phase.

Keeping software attacks at bay requires increased efforts around testing, not just at the end of development. For those who develop software in-house, software should be tested early and often. This can reduce delays and additional expense that arise when software needs to be rewritten near the end of a production run.

In the case of software developed externally, the wisest approach is to test via several methods before putting it into full-scale production.

“It’s always easier to prevent problems than to catch them in production, so integrating security testing early on makes perfect sense,” said Janet Worthington, senior analyst for security and risk at Forrester.

Mountains of software security testing tools

One of the most important testing tools to prevent threat escalation is static analysis testing.

Also called static application security testing (SAST), this type of testing analyzes either software code or its application binaries to model applications for code security weaknesses. It is particularly effective in eliminating injection attacks. SQL injection attacks are a common attack vector in which an SQL query is inserted into the input data sent from the client to the application. They are often used to access or delete sensitive information.

SAST tools can also help identify server-side request forgery (SSRF) vulnerabilities, where attackers can force servers to send forged HTTP requests to a third-party system or device. SAST tools can help detect these vulnerabilities before they reach production.

Another critical testing tool is software composition analysis. These tools help completely prevent malicious components from entering the pipeline. They scan for known vulnerabilities in all components, including those in open source and third-party libraries. Vulnerabilities like Log4J contributed to the popularity of this type of testing tool. According to Forrester, 46% of developers now use software composition analysis tools for testing.

Other important types of software security testing tools include:

  • Vulnerability analysis: Although these tools generally focus on finding application security vulnerabilities at all levels, there are also specialized versions for finding weaknesses in web applications. They are particularly useful for finding threats such as SQL injection, path traversal, insecure server configuration, command injection, and cross-site scripting.
  • Dynamic Application Security Testing (DAST): This type of test takes a “black box” approach by simulating attacks on the runtime version of an application. DAST is typically run during integration or end-to-end automation testing. Forrester found that 44% of development teams plan to use DAST before software releases.
  • API testing: APIs are everywhere today. Although APIs are not always a major concern, they are not immune to security threats. Gartner finds that unmanaged and insecure APIs create many vulnerabilities, which can only be addressed through API security testing and access control.
  • Interactive Application Security Testing (IAST): This method tests software for vulnerabilities during runtime, using detection modules to monitor software behavior during the testing phase. If IAST detects a problem such as SQL injection or cross-site scripting injection, it sends an alert. As a newer type of testing, IAST is often performed by teams that already perform static and dynamic testing. It tends to have lower false positive rates than other types of tests.
  • Penetration testing: Also known as ethical hacking, pen testing involves testing applications for vulnerabilities and threat susceptibility, usually by an external party. Penetration testing can reveal many things, from software bugs and misconfigurations to supply chain attacks.

Depending on the type of threat, platform, and other factors, organizations may choose to use different types of testing tools. Some applications may also require test tools not listed above. For example, an application that includes a cryptographic signature will likely require a cryptanalytic tool. This is why today, more than ever, it is important to use more than one type of software testing tool.

“If you want to get as in-depth as possible, you’ll want to do SAST testing for full coverage, DAST testing for open source components, and other types of testing for mobile apps [and] web applications, depending on what you’re working on,” said Ray Kelly, a member of Synopsys, which provides software security and testing tools. “It’s really about finding the right tools for your specific situation.”

How to Choose Software Security Testing Tools

There’s no shortage of tools, and sifting through the options can be confusing. Overall, there are open source tools, best-of-breed vendor tools, and proprietary software testing platforms.

Open source tools tend to be very tactical in nature, focused on one thing. Examples include OWASP ZAP, a free web application security scanner; Snyk’s free code quality and vulnerability checker; SQLmap or Metasploit for penetration testing; SonarQube for code security; and FOSSA for open source dependency testing.

There are, of course, many advanced tools available for a fee from various vendors.

And then there are proprietary software testing platforms, like HCL AppScan and HP Fortify, and vendor platforms like Veracode, Checkmarx, Synopsys, Palo Alto Networks, and Aqua Security.

In most cases, organizations are better off combining different types of tools from different sources, said Aaron Turner, vice president of Vectra AI, a threat detection and response provider. “If you combine a software testing platform with a selection of state-of-the-art testing tools, whether open source or proprietary, you can be sure to achieve all of your goals, because there is no one platform that can do it all.”

If budget is an issue, Worthington recommends starting with the free version of a testing tool, which many vendors now offer. For example, Snyk, which is known for its software composition analysis tool, has a free open source version. Once the tool has proven useful, the organization can decide to pay for the full version.

Expert advice

Know your team and their capabilities before diving into software security testing, Kelly advised.

“In many cases, software development [or evaluation] teams are overwhelmed with features, product requests, and agile deployment methodologies,” Kelly explained. “Often they ship a new product every week or even every day, and sometimes security takes a back seat. It’s worth taking the time to really analyze what applications are actually running in your environment today, what their risks are and what the threat landscape is. Take the time to do this inventory and get a baseline.”

And before committing to any testing tool or methodology, make sure you consider the relative importance of the software in your environment. “If you are a gas pipeline operator and you rely on specific software to keep the pipeline running, you’ll likely spend a lot more time and effort testing that industrial control software than you would testing WordPress, which runs your website,” says Turner.

Finally, it is important to follow the evolution of software security. This means not only subscribing to relevant blogs and podcasts, but also staying up to date with government advisories (e.g. through the Cybersecurity and Infrastructure Security Agency) and the NIST National Vulnerability Database.

About the Author

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a wide range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.
