Can Application Security Testing Be Fixed?
In August 2021, Brook S. E. Shoenfield -- Author, Passionate Security Architect, and Curious Questioner of Assumptions -- challenged whether application security can be fixed at FuzzCon 2021. Shoenfield observed and boldly called out that breaches not only continue to roll in, but the cadence continues to increase. It’s no surprise. “We keep applying the same, tired, and often simplistic solutions to this thorny, complex, multi-dimensional problem that we call application security,” he said. Shoenfield goes on to question the market’s assumptions and the industry’s folklore. Listed below are the top 3 takeaways from Shoenfield’s keynote presentation:
Myth: SAST Is The Answer To Application Security
Shoenfield cites a 2011 study that found 85% of static analysis findings were false positives. While static analyzers may be “good” at finding “stuff”, that quantity does not necessarily equate to value.
At the end of the day, developers merely want to know what the bug is and how to fix it. They want one bug for the problem, not forty. Shoenfield shares that a team he worked with had 72,000 static analysis findings, of which zero were fixed because the team was simply overwhelmed by the number. “Well, at least we ran static analysis,” the team meekly rebutted.
It’s not just the quality of the results. Price is also a problem. A particular static analyzer in today’s market costs roughly $50,000 for the server alone. This pricing does not include the per-user charge that’s added on top. This is the cost to simply stand at the SAST starting line.
Myth: The Goal Of Application Security Is To Eradicate All Bugs
There will always be bugs in code. Shoenfield dispels the myth that the purpose of application security testing is to squash all bugs.
There will always be vulnerabilities in code, and the goal is not to get rid of them all. It’s about efficiently getting as much code and testing coverage as possible. While some may look to penetration testing to solve exactly this problem, Shoenfield asserts that pen testing is akin to a scalpel. It’s great for specific issues or for going deep, but it is not comprehensive enough to address the larger issue of achieving code coverage through efficient testing.
Fuzz Testing Is A Natural Fit For Today’s Application Security Needs
Fuzz testing is able to bring machine speed, scale, and automation to application security, addressing the need for code and testing coverage efficiency.
It doesn’t end there. Fuzz testing allows users to test multiple inputs, find interesting security issues such as zero-day vulnerabilities, find quality issues that lead to application misbehavior, and conduct regression testing, verifying that fixes were properly made.
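To make the workflow concrete, here is a small added example (written for this summary, not code from the keynote or from any fuzzing product): a mutation fuzzer that feeds mangled inputs to a toy length-prefixed record parser, records the crashing inputs deduplicated by exception type and message (one bug per problem, not forty), and then replays those inputs as a regression test against a patched parser to verify the fix. The parser format, the `parse_record_buggy`/`parse_record_fixed` functions and the seed record are all constructed for the illustration.

```python
"""Minimal mutation fuzzer: find a crash, keep the input, replay it after the fix.
Toy example written for this article; not the keynote's or any vendor's code."""
import random

# Constructed seed: [count=2][len=3]"ABC"[len=1]"D" -> fields [b"ABC", b"D"]
SEED = bytes([2, 3, 0x41, 0x42, 0x43, 1, 0x44])


def parse_record_buggy(buf):
    """Toy format: [1-byte field count] then repeated [1-byte length][payload].
    Trusts the declared length, so truncated input reads past the buffer."""
    if not buf:
        raise ValueError("malformed: empty record")
    count, pos, fields = buf[0], 1, []
    for _ in range(count):
        length = buf[pos]                 # IndexError if the length byte is missing
        pos += 1
        field = buf[pos:pos + length]     # slicing silently shortens truncated payloads
        _trailer = field[length - 1]      # IndexError when payload is short or length == 0
        fields.append(field)
        pos += length
    return fields


def parse_record_fixed(buf):
    """Same format, but every read is bounds-checked; bad input is rejected
    with ValueError, which callers treat as an expected parse failure."""
    if not buf:
        raise ValueError("malformed: empty record")
    count, pos, fields = buf[0], 1, []
    for _ in range(count):
        if pos >= len(buf):
            raise ValueError("malformed: missing length byte")
        length = buf[pos]
        pos += 1
        if length == 0 or pos + length > len(buf):
            raise ValueError("malformed: declared length does not fit")
        fields.append(buf[pos:pos + length])
        pos += length
    return fields


def mutate(data, rng):
    """One random mutation: bit flip, byte delete, byte insert, or truncation."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        del data[rng.randrange(len(data))]
    elif choice == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        data = data[:rng.randrange(len(data) + 1)]
    return bytes(data)


def fuzz(parser, seeds, iterations=2000, rng_seed=1):
    """Run the parser on mutated inputs. Returns {(exception name, message): input},
    i.e. one representative input per distinct failure rather than every hit."""
    rng = random.Random(rng_seed)          # fixed seed keeps the run reproducible
    corpus, crashes = list(seeds), {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except ValueError:
            continue                       # explicit rejection is the intended behaviour
        except Exception as exc:           # anything else is a crash worth reporting
            crashes.setdefault((type(exc).__name__, str(exc)), candidate)
        else:
            if len(corpus) < 200:          # keep accepted inputs to mutate further
                corpus.append(candidate)
    return crashes


def replay(parser, crashers):
    """Regression check: replay saved crashing inputs, return those that still crash."""
    still_crashing = []
    for data in crashers:
        try:
            parser(data)
        except ValueError:
            pass
        except Exception:
            still_crashing.append(data)
    return still_crashing


if __name__ == "__main__":
    found = fuzz(parse_record_buggy, [SEED])
    for (name, msg), data in found.items():
        print(f"{name}: {msg} <- {data.hex()}")
    print("still crashing after fix:", replay(parse_record_fixed, list(found.values())))
```

The fixed seed makes the run reproducible, which is what turns a crashing input into a regression test: the saved bytes go into the test suite and are replayed on every build, so the fix stays fixed.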
Oh, did he also mention that your attackers are fuzzing your code? At that point, you really ought to do it, Shoenfield advises.
When looking for the ideal fuzz testing tool, Shoenfield shares his opinion on what’s needed: a tool that is straightforward, integrates naturally into the SDLC/IDE, automates processes, delivers understandable and reliable results, points to the faulty code, and is affordable.
The keynote concludes with a Q&A session in which he shares his tips and tricks for getting developers excited about security and for justifying the need for a fuzz testing program.
To see the full session, you can watch the recording here.