The State of Software Security Testing Tools in 2022 – ITPro Today

Supply chain attacks, injection attacks, server-side request forgery attacks all these threats, and more, prey on software vulnerabilities. Vulnerabilities can range from misconfigurations to faulty design and software integrity failures. Overall, applications are the most common attack vector, with 35% of attacks exploiting some type of software vulnerability, according to Forrester Research.

The focus on software security, along with the proliferation of software security testing tools, has grown over the past few years, thanks in part to supply chain attacks like those on Stuxnet and SolarWinds. And as organizations expand their web presence, there is more risk than ever. Finally, the move toward DevSecOps has encouraged more organizations to include security testing in the software development phase.

Related: App Development: Staying Secure Using Low-Code Platforms

Keeping software attacks at bay requires increasing efforts around testing -- and not only at the end of development. For those developing software in house, software should be tested early and often. Doing so canreducedelays and extra expenses that occur when software must be rewritten toward the end of a production cycle.

In the case of software developed externally, the wisest approach is to test via multiple methods before putting it into full-scale production.

Its always easier to prevent problems than it is to find issues during production, so baking in security testing from the beginning makes a lot of sense, said Janet Worthington, senior analyst for security and risk at Forrester.

One of the most important testing tools to prevent the escalation of threats is static analysis testing.

Also called static application security testing (SAST), this type of testing analyzes either the software code or its application binaries to model the applications for code security weaknesses. Its especially good at rooting out injection attacks. SQL injection attacks are a common attack vector that inserts a SQL query through the input data from the client to the application. It is often used to access or delete sensitive information.

SAST tools also can help identify server-side request forgery (SSRF) vulnerabilities, where attackers can force servers to send forged HTTP requests to a third-party system or device. SAST tools can help catch these vulnerabilities before they reach production.

Another critical testing tool is software composition analysis. These tools help block malicious components from entering the pipeline altogether. They look for known vulnerabilities in all components, including those in open-source and third-party libraries. Vulnerabilities like Log4J have contributed to the popularity of this type of testing tool. Forty-six percent of developers now use software composition analysis tools for testing, according to Forrester.

Other important types of software security testing tools include:

Depending on the type of threat, the platform, and other factors, organizations may choose to employ various types of testing tools. Some applications may also need testing tools that arent on the list above. For example, an application that includes cryptographic signing will probably require a cryptographic analysis tool. Thats why today, more than ever before, its important to use more than one type of software testing tool.

If you want to be as thorough as possible, youll want to do SAST testing to find vulnerabilities in source code, SCA for open-source components and DAST to test the running web application, said Ray Kelly, a fellow at Synopsys, which provides software security and testing tools. Its really about finding the right tools for your specific situation.

There is no shortage of tools, and it can be confusing to sift through the options. Overall, there are open-source tools, best-of-breed tools from vendors, and proprietary software testing platforms.

Open-source tools tend to be very tactical in nature, focused on one thing. Examples include OWASP ZAP, a free web application security scanner; Snyks free code quality and vulnerability checker; SQLmap or Metasploit for penetration testing; SonarQube for code security; and FOSSA for open-source dependency testing.

There are, of course, many best-of-breed tools available for a fee from various vendors.

And then there are proprietary software testing platforms, like HCL AppScan and HP Fortify, as well as platforms from vendors like Veracode, Checkmarx, Synopsys, Palo Alto Networks, and Aqua Security.

In most cases, organizations would do best to blend different types of tools from different sources, said Aaron Turner, a vice president at Vectra AI, a threat detection and response vendor. If you combine a software testing platform with select best-of-breed testing tools, whether open source or proprietary, you can be sure to hit all of your marks, because there is no one platform that can do everything.

If budget is an issue, Worthington recommended starting with the free version of a testing tool, which many vendors now offer. For example, Snyk, which is known for its software composition analysis tool, has a free open-source version. After the tool has proven valuable, the organization can decide whether to pay for thefull-featured version.

Advice From the Experts

Know your team and its capabilities before diving into software security testing, Kelly advised.

In many cases, software development [or evaluation] teams are overwhelmed by features, product requests, and agile deployment methodologies, Kelly explained. Often, they are shipping a new product every week, if not every day, and sometimes security takes a backseat. Its worth taking the time to really analyze what applications are actually running in your environment today, what their risks are, and what the threat landscape is. Take the time to take that inventory and get a baseline.

And before committing to any testing tool or methodology, make sure youre considering the relative importance of the software in your environment. If youre a natural gas pipeline operator and you rely on a specific piece of software to keep the pipeline running, youll probably spend a lot more time and effort testing that piece of industrial control software than you would testing WordPress, which runs your website, Turner said.

Finally, its important to keep up with developments in software security. That means not only subscribing to relevant blogs and podcasts, but staying on top of government advisories (e.g., via the Cybersecurity and Infrastructure Security Agency) and NISTs National Vulnerability Database.

About the author

Read more:

The State of Software Security Testing Tools in 2022 - ITPro Today