Application Security Testing Approaches Part 2

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
We're going to continue our discussion of application security testing approaches. We're going to talk about some very specific techniques that fall into the white box and black box testing varieties. In this lesson, we're going to talk about some more differences between active and passive forms of security testing, we want to describe the differences among security testing approaches, and then also talk about appropriate business use cases for various testing approaches.

We really want to talk about two distinct types of testing approaches. The first is static application security testing. This is a form of white box testing. In static application security testing, a programmer or a pair of programmers will actually look at the code itself for an application. Now, these people require a very specific skill set. They need to have strong coding development backgrounds, as well as a lot of understanding of code security. One other important thing is, whoever's doing this static application security testing should not be the developer. There should be a segregation of duties between development and testing. Vulnerabilities will not stand out to the person who wrote the code as much as they will to a separate person who brings fresh eyes to it. But this is a form of white box testing. The person is looking right at the code, the application is not running, and they have full knowledge and availability. This is a good way to identify a lot of threading issues and issues with the code's quality, if there is dead code, maybe code that is not really working or serving any real purpose within the application. A person who's doing this kind of testing will also be able to identify weak cryptographic functions that may compromise the integrity of encryption in transit and at rest that may happen within the application. They might be able to begin identifying other web application risks such as injection issues.

Contrast that with dynamic application security testing. This is a black box method. The person is really testing not the source code itself, but they are basically testing the inputs and outputs and seeing how the application behaves in real time while it's running. This can be a good idea to see how resilient your application is to various attacks from the outside. Now, dynamic application security testing is really good for identifying potential cross-site scripting vulnerabilities in the application, whether it can withstand buffer overflow attempts, and many of the other types of risks that come with application security that we talked about in all our modules on the OWASP Top 10. Another thing that it's really good for is you can really see how the application handles different types of malware using malware analysis. You can also identify whether there are missing patches, so that you discover external vulnerabilities to the application that need to be addressed. You can also see whether there are any issues related to session management. Can the session between the user and the application be compromised in some way?

Another form of application security testing that deserves mentioning is fuzzing. Fuzzing, or fuzz testing, is an automated approach. It's a technique that involves putting a lot of invalid or unexpected or even random data inputs into the application just to see how it'll respond. Some applications, if not well-designed, will crash or enable the user to do unexpected behaviors, which you really don't want when the application is in production. It can help expose potential issues with memory. Fuzzing is a very easy form of testing and it helps expose different security issues related to the application and how it performs.

Quiz question. Which of the following is an example of white box testing techniques? Fuzzing, DAST, or SAST? If you said SAST, static application security testing, you're correct. That's one where a very knowledgeable developer, who's knowledgeable about code and security, looks through the code to identify potential vulnerabilities and inefficiencies.

In summary, we continued our discussion of passive versus active testing techniques. We talked about different levels of application security visibility, and then we talked about the use case for different methods. We talked about how code review is good before the application is even live in production, but when you have a running application and want to see how it's performing, that's when you might use dynamic application security testing. Then how fuzzing can be used to also see issues regarding vulnerabilities that are impacted by how the application behaves. We've gone through a number of application security testing methods. I'll see you in the next lesson.