As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of automated web application testing, today’s technologies fall into one of two categories, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST analyzes application binaries or source code, detecting vulnerabilities by identifying insecure code paths without actually executing the program. In contrast, DAST detects vulnerabilities by conducting attacks against a running instance of the application, simulating the behavior of a live attacker. Most enterprises have incorporated at least one SAST or DAST technology; those with mature SDLCs may even use more than one of each. In the past year or so, industry analysts and product vendors have become enamored with so-called “hybrid analysis” technologies. Hybrid techniques aim to correlate the results of SAST and DAST to dramatically expand dynamic coverage, prioritize the combined set of results, and reduce both false positives and false negatives. This whitepaper will examine each of these claims to give consumers technical insight into whether hybrid technologies can realistically live up to the hype. Several observations will be described in the following sections:

Hybrid analysis may expand dynamic coverage, but the lack of application context limits its effectiveness.
The challenge of reliably generating URL-to-source mappings, coupled with the existence of URL rewriting, undermines the accuracy and usefulness of vulnerability correlation.
Hybrid analysis does not reduce false positive rates; rather, it lulls users into a false sense of security by suggesting that non-correlated vulnerabilities are false positives.
Correlation should not be equated with exploitability. Vulnerabilities should be prioritized based on severity and business impact, not based on how many scanners are capable of detecting it.

Download thefull whitepaper.

Veracode Security Solutions

Static Analysis Tool Penetration Testing Tool Static Code Analysis Vulnerability Scanning Web Application Testing Software Testing Tools Source Code Security Analyzer Software Code Security Application Testing Tool Source Code Analysis Code Review Tools

Veracode Security Threat Guides

Prevention of SQL Injection Cross Site Scripting Vulnerabilities CSRF Attacks LDAP Injection Mobile Code Security

Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security, as well as advising on product strategy and M&A. Chris is a frequent speaker at industry conferences and serves on the review board for Black Hat USA. He is also a charter member of MITRE's CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.

Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis

Veracode Security Solutions

Veracode Security Threat Guides

Related Posts

Software Liability Comes to the EU: Navigating New Compliance Challenges

Introducing Veracode Risk Manager: A New Chapter in ASPM Built for Scale

Revolutionizing Risk Management in Application Security