Supply chain attacks, injection attacks, server-side request forgery attacks: all these threats, and more, prey on software vulnerabilities. Vulnerabilities range from misconfigurations to faulty design and software integrity failures. Overall, applications are the most common attack vector, with 35% of attacks exploiting some type of software vulnerability, according to Forrester Research.
The focus on software security, along with the proliferation of software security testing tools, has grown over the past few years, thanks in part to supply chain attacks like Stuxnet and SolarWinds. And as organizations expand their web presence, there is more risk than ever. Finally, the move toward DevSecOps has encouraged more organizations to include security testing in the software development phase.
Keeping software attacks at bay requires increasing efforts around testing -- and not only at the end of development. Organizations developing software in house should test it early and often. Doing so can reduce the delays and extra expenses that occur when software must be rewritten toward the end of a production cycle.
In the case of software developed externally, the wisest approach is to test via multiple methods before putting it into full-scale production.
"It's always easier to prevent problems than it is to find issues during production, so baking in security testing from the beginning makes a lot of sense," said Janet Worthington, senior analyst for security and risk at Forrester.
One of the most important testing tools to prevent the escalation of threats is static analysis testing.
Also called static application security testing (SAST), this type of testing analyzes either the software's source code or its application binaries to model the application and find code-level security weaknesses. It's especially good at rooting out injection flaws. SQL injection is a common attack vector in which a SQL query is inserted into the input data that the client sends to the application; it is often used to access or delete sensitive information.
SAST tools also can help identify server-side request forgery (SSRF) vulnerabilities, where attackers can force servers to send forged HTTP requests to a third-party system or device. SAST tools can help catch these vulnerabilities before they reach production.
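The SSRF weakness SAST tools look for is a server-side fetch with no validation of the client-supplied URL. As an added example (not from the article, and not any vendor's code), here is an unguarded fetch beside a guarded one; the allowlist, function names and the stubbed request helper are this example's own assumptions, and nothing is sent over the network.

```python
"""Added example (not from the article, and not any tool's code): the kind of
guard a SAST tool expects to find in front of a server-side fetch, shown as
an unguarded fetch beside a guarded one. The allowlist, function names and
the stubbed request helper are this example's own assumptions."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts the server is permitted to call.
ALLOWED_HOSTS = {"api.example.com", "static.example.com"}


def _perform_request(url):
    """Stub standing in for an HTTP client: records what would be requested."""
    return {"requested": url}


def fetch_unguarded(url):
    """Vulnerable pattern: the server requests whatever URL the client supplied."""
    return _perform_request(url)


def validate_outbound_url(url):
    """Return url if it is an https URL to an allowlisted host on the default
    port, with no embedded credentials and no literal IP address; otherwise
    raise ValueError naming the first failed check."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname                    # lower-cased, brackets stripped
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                                 # not a literal address: fine
    else:
        raise ValueError("literal IP addresses are not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    return url


def fetch_guarded(url):
    """Hardened pattern: validate before the request is made."""
    return _perform_request(validate_outbound_url(url))


def is_allowed_outbound(url):
    """Boolean form of the check, convenient for tests and for logging rejects."""
    try:
        validate_outbound_url(url)
    except ValueError:
        return False
    return True
```

One caveat a practitioner would add: an allowlist of names is only as strong as DNS. A complete guard also resolves the host at request time and checks the resolved addresses against loopback and private ranges (ipaddress exposes is_private and is_loopback for that); it is omitted here so the example runs offline.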
Another critical testing tool is software composition analysis (SCA). These tools help block vulnerable or malicious components from entering the pipeline altogether. They look for known vulnerabilities in all components, including those in open-source and third-party libraries. Vulnerabilities like Log4j have contributed to the popularity of this type of testing tool. Forty-six percent of developers now use software composition analysis tools for testing, according to Forrester.
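At its core, an SCA tool matches a component inventory against a vulnerability database. The following added example (not from the article, and not any product's code) shows that matching step on a pinned requirements file: the package names, versions and advisory identifiers are constructed placeholders, and a real tool would pull its advisories from a source such as NIST's NVD instead.

```python
"""Added example (not the article's): a minimal software composition analysis
(SCA) check. It parses a pinned requirements.txt-style manifest and matches
each component against a constructed advisory list with affected version
ranges. The packages, versions and advisory ids are made up for the
demonstration."""
import re

# Constructed manifest under review (not a real project's dependencies).
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
requests-like==2.25.0
loggerlib==2.14.1
safepkg==1.0.3
"""

# Constructed advisories: (package, introduced [inclusive], fixed [exclusive], id).
SAMPLE_ADVISORIES = [
    ("loggerlib", "2.0.0", "2.15.0", "ADV-EXAMPLE-0001"),
    ("requests-like", "2.0.0", "2.26.0", "ADV-EXAMPLE-0002"),
    ("safepkg", "0.1.0", "1.0.0", "ADV-EXAMPLE-0003"),
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    A plain string comparison would rank '2.9.0' above '2.15.0'."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Return {package: version} for exact pins; comments and blank lines are skipped.
    Only the '==' form is handled, so anything else is reported rather than guessed."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unsupported requirement (only exact pins handled): {line}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, compared component-wise."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(requirements_text, advisories):
    """Return sorted (package, version, advisory_id) for every vulnerable pin."""
    pins = parse_requirements(requirements_text)
    findings = []
    for package, introduced, fixed, advisory_id in advisories:
        version = pins.get(package.lower())
        if version is not None and is_affected(version, introduced, fixed):
            findings.append((package, version, advisory_id))
    return sorted(findings)


if __name__ == "__main__":
    for package, version, advisory_id in scan(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{package}=={version} is affected by {advisory_id}")
```

The version-range comparison is where home-grown checks usually go wrong, which is why the example parses versions into integer tuples rather than comparing strings; production tools also normalize package names and handle transitive dependencies, neither of which this manifest exercises.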
Other important types of software security testing tools include:
Depending on the type of threat, the platform, and other factors, organizations may choose to employ various types of testing tools. Some applications may also need testing tools that aren't on the list above. For example, an application that includes cryptographic signing will probably require a cryptographic analysis tool. That's why today, more than ever before, it's important to use more than one type of software testing tool.
"If you want to be as thorough as possible, you'll want to do SAST testing to find vulnerabilities in source code, SCA for open-source components and DAST to test the running web application," said Ray Kelly, a fellow at Synopsys, which provides software security and testing tools. "It's really about finding the right tools for your specific situation."
There is no shortage of tools, and it can be confusing to sift through the options. Overall, there are open-source tools, best-of-breed tools from vendors, and proprietary software testing platforms.
Open-source tools tend to be very tactical in nature, focused on one thing. Examples include OWASP ZAP, a free web application security scanner; Snyk's free code quality and vulnerability checker; SQLmap or Metasploit for penetration testing; SonarQube for code security; and FOSSA for open-source dependency testing.
There are, of course, many best-of-breed tools available for a fee from various vendors.
And then there are proprietary software testing platforms, like HCL AppScan and HP Fortify, as well as platforms from vendors like Veracode, Checkmarx, Synopsys, Palo Alto Networks, and Aqua Security.
In most cases, organizations would do best to blend different types of tools from different sources, said Aaron Turner, a vice president at Vectra AI, a threat detection and response vendor. "If you combine a software testing platform with select best-of-breed testing tools, whether open source or proprietary, you can be sure to hit all of your marks, because there is no one platform that can do everything."
If budget is an issue, Worthington recommended starting with the free version of a testing tool, which many vendors now offer. For example, Snyk, which is known for its software composition analysis tool, has a free open-source version. After the tool has proven valuable, the organization can decide whether to pay for the full-featured version.
Advice From the Experts
Know your team and its capabilities before diving into software security testing, Kelly advised.
"In many cases, software development [or evaluation] teams are overwhelmed by features, product requests, and agile deployment methodologies," Kelly explained. "Often, they are shipping a new product every week, if not every day, and sometimes security takes a backseat. It's worth taking the time to really analyze what applications are actually running in your environment today, what their risks are, and what the threat landscape is. Take the time to take that inventory and get a baseline."
And before committing to any testing tool or methodology, make sure you're considering the relative importance of the software in your environment. "If you're a natural gas pipeline operator and you rely on a specific piece of software to keep the pipeline running, you'll probably spend a lot more time and effort testing that piece of industrial control software than you would testing WordPress, which runs your website," Turner said.
Finally, it's important to keep up with developments in software security. That means not only subscribing to relevant blogs and podcasts, but staying on top of government advisories (e.g., via the Cybersecurity and Infrastructure Security Agency) and NIST's National Vulnerability Database.
The State of Software Security Testing Tools in 2022 - ITPro Today