Discovering Code Vulnerabilities Prior Deployment: A Proactive/Prevalent Approach ( SAST & DAST )

Ahson Shaikh
5 min readJun 25, 2023

--

Security Operations comprises of a lot of tools, technology and concepts.

Today, we would be discussing about how your code can be scanned for security vulnerabilities and report these issues on time to adhere the best industry level practices.

Although, the entire project requires another article to be written with granular detailing and conceptualizing, while the incumbent article defines the tools and concepts and the project architecture that will be followed by this article.

https://geekflare.com/wp-content/uploads/2022/02/sastdastworking.png

DEFINITIONS:

SAST :- is used to scan the code you write for security vulnerabilities.

SCA :- is used to scan your dependencies for security vulnerabilities.

DAST :- works by simulating automated attacks on an application, mimicking a malicious attacker. The goal is to find outcomes or results that were not expected and could therefore be used by attackers to compromise an application.

Question: What security vulnerabilities does SAST look for?

There are 9 different ways SAST looks for the vulnerabilities:

  1. Injection Vulnerabilities: SAST analyzes code to identify vulnerabilities related to injection attacks, such as SQL injection, where an attacker can manipulate database queries, or command injection, where malicious commands can be executed by manipulating input.
  2. Cross-Site Scripting (XSS): SAST scans for potential XSS vulnerabilities, which occur when untrusted data is improperly handled and allows attackers to inject malicious scripts into web pages viewed by other users.
  3. Cross-Site Request Forgery (CSRF): SAST looks for code patterns that could lead to CSRF vulnerabilities, where attackers trick users into performing unwanted actions on a website by exploiting their authenticated session.
  4. Insecure Authentication and Session Management: SAST examines code for insecure authentication practices, weak password storage mechanisms, and vulnerabilities related to session management, such as session fixation or session hijacking.
  5. Insecure Direct Object References (IDOR): SAST helps identify instances where direct object references are exposed and can be manipulated to gain unauthorized access to resources.
  6. Insecure De-serialization: SAST scans for insecure deserialization vulnerabilities, which occur when untrusted data is deserialized in a way that can lead to remote code execution or other security risks.
  7. Insecure Cryptography: SAST checks for weak or improperly implemented cryptographic functions, such as using weak encryption algorithms or incorrect key management practices.
  8. Insecure Error Handling: SAST examines how errors and exceptions are handled in code, identifying potential information leakage or sensitive data exposure that could aid attackers.
  9. Code Quality and Best Practices: SAST assesses the overall code quality, looking for security-conscious programming practices, adherence to secure coding guidelines, and potential coding errors that could introduce vulnerabilities.

There are several tools available for SAST.

SAST Tools:

  • Fortify Static Code Analyzer
  • Checkmarx
  • Veracode Static Analysis
  • SonarQube (Recommended)
  • Coverity

QUESTION: What does SCA does and what it looks for?

SCA stands for Software Composition Analysis and it looks into multiple areas of your dependencies.

  1. Known vulnerabilities: SCA tools compare the versions of your dependencies against a database of known vulnerabilities. They check if any of the dependencies you are using have published security vulnerabilities and provide information about the severity and potential impact of those vulnerabilities.
  2. Outdated versions: SCA tools identify if you are using outdated versions of dependencies that have known security vulnerabilities. They help you determine if you need to update to a newer, more secure version.
  3. License compliance: SCA tools examine the licenses of your dependencies to ensure compliance with the licenses’ terms and conditions. They help you identify if you are using any dependencies with incompatible licenses or if you need to take specific actions to comply with certain licenses.
  4. Quality and maintenance: Some SCA tools assess the overall quality and maintenance status of your dependencies. They may consider factors such as the activity of the open-source project, the responsiveness of the maintainers, and the availability of security patches and updates.
  5. Code snippets and patterns: Advanced SCA tools can also analyze the actual code snippets within your dependencies, searching for specific patterns or known vulnerable code. They might use techniques like static analysis or code pattern matching to detect potential security flaws.

There are multiple tools for SCA as well:

  1. WhiteSource
  2. Black Duck (Synopsys)
  3. Nexus Lifecycle (Sonatype)
  4. OWASP Dependency-Check (Recommended)
  5. JFrog Xray
  6. Snyk (Recommended)
  7. Dependency-Track

QUESTION: What does DAST looks for in your code or outside of your code?

These are the aspects, that DAST tools look for:

  1. Input validation vulnerabilities: DAST tools check how your application handles user input and test for common security vulnerabilities such as SQL injection, cross-site scripting (XSS), and command injection. They send various types of input, including malicious payloads, to identify potential weaknesses in input validation and data sanitization.
  2. Authentication and session management issues: DAST tools analyze how your application handles user authentication and session management. They may attempt to bypass authentication mechanisms, test for weak or predictable session identifiers, and look for vulnerabilities related to password management, session expiration, and logout functionality.
  3. Security misconfiguration: DAST tools search for misconfigurations in your application’s server settings, databases, and other components. They examine settings related to security headers, SSL/TLS configurations, access control rules, and directory permissions to identify potential weaknesses or deviations from recommended security practices.
  4. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF): DAST tools look for vulnerabilities that could lead to XSS or CSRF attacks. They check if your application is susceptible to injecting malicious scripts into web pages or if it allows unauthorized actions to be performed on behalf of a user.
  5. Vulnerable components and libraries: DAST tools may also identify vulnerabilities present in the third-party components, frameworks, or libraries used by your application. They compare the versions of these components against known vulnerability databases and provide information on any security issues that should be addressed.
  6. Business logic vulnerabilities: Some advanced DAST tools attempt to understand the business logic of your application and identify potential security flaws that may arise from the way the application handles specific processes or transactions. This could include checks for authorization bypass, privilege escalation, or logic flaws that could lead to unauthorized access or data manipulation.

Below are the tools mentioned for DAST:

  1. OWASP ZAP (Zed Attack Proxy) (Recommended)
  2. Burp Suite
  3. Acunetix
  4. Netsparker
  5. Qualys Web Application Scanning (WAS)
  6. AppScan
  7. WebInspect
  8. Nessus
  9. Nexpose
  10. HP Fortify

Thanks for reading ❤ Next we will be building up a DevSecOps Project, let me tell you guys the workflow of what we will be building. These mentioned below steps will be the one we will be following:

Step 1: Developer pushes code to GitHub
Step 2: Workflow gets triggered due to push action on Jenkins
Step 3: SAST is performed with SonarCloud or SonarQube
Step 4: SCA is done with Snyk
Step 5: Docker image is built and pushed to DockerHub
Step 6: Application is deployed to Kubernetes Cluster
Step 7: DAST scan is performed on the application URL with OSWAP ZAP
Step 8: You can find the reports of SCA scan in Code Scanning tab, and an artifact is created after a ZAP scan

--

--

Ahson Shaikh

DevOps Engineer with 4 years of experience in cloud and on-premises environments, specializing in Python automation with Selenium, currently working at Arpatech