If your current software security testing does vulnerability scanning, congratulations. You are addressing the known vulnerabilities, some of which may be exploited against your software in a future attack.
Unfortunately, you are only addressing the known vulnerabilities and missing the bigger picture, which are the unknown vulnerabilities. That’s where the zero days live. And that’s why you need to do defect testing too.
Perhaps it’s best to start by defining some terms.
Defects are common. Application Security Software will parse through the source code or monitor the runtime operation of your application. In general, both methods will identify defects in the application. A lot of these defects are trivial and easily resolvable. A few, however, are vulnerabilities. And a few of these vulnerabilities are exploitable today.
Vulnerabilities are defects that can cause damage. A few caveats: just because a defect isn’t a vulnerability today doesn’t mean it won’t become one later. Vulnerabilities need to be identified and corrected. So how do we identify these vulnerabilities?
Vulnerability scanning is just that: it takes a list of known weaknesses or known vulnerabilities and it compares that list to your software. Defect testing, then, is dynamic in that it vigorously exercises the defects to prove that they are important. Defect testing helps eliminate if not greatly reduce the number of false positives that vulnerability scanning alone can produce.
Exploits are “weaponized” vulnerabilities and may consist of more than one of what’s called an “exploit chain”. “Weaponized” simply means that a program has been written to leverage the known vulnerability in the software, i.e. make it actionable.
Often a bad actor will chain together seemingly harmless vulnerabilities that, when executed together, are exploitable on a given system. That’s why it’s important to find all the defects in a system—whether they are known or unknown vulnerabilities.
The current application security market is very reactive. Tools like Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) look for known weaknesses and known vulnerabilities and exposures. While this is good, you also need to consider that this methodology only represents a small portion of your total code. There’s a very large portion of your software that’s not being tested with vulnerability scanning alone.
Mayhem, through the use of generational fuzz testing and symbolic execution, is a Dynamic Application Security Testing platform that exercises the rest of your code, autonomously generating new test cases that work the various paths through the code that isn’t being scanned by the current market tools.
Mayhem helps find potential vulnerabilities and potential zero days (meaning the vendor has had zero days to patch the vulnerability). Mayhem covers defect testing, vulnerability scanning, and more in one tool, taking each defect it finds and testing it three times to verify that it is in fact a vulnerability.
Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.
Thank you for subscribing!