To discover software security vulnerabilities and defects, and to ensure the security and reliability of an application system, the Web system has to be tested: the weak links in the architecture of the Web application are identified so that they cannot be easily exploited by malicious attackers.
The main detection technologies on the market are DAST, SAST, RASP and IAST, each with its own advantages and disadvantages. Let's look at each in turn.
DAST stands for Dynamic Application Security Testing.
This technique analyzes the dynamic running state of an application during testing or operation. It simulates hacking by dynamically attacking the application and analyzing its responses to determine whether the Web application is vulnerable. The technology therefore relies mainly on penetration testing to discover the potential risks of an application system. Tools commonly used by security engineers, such as AWVS and AppScan, are based on the DAST principle.
SAST is an acronym for Static Application Security Testing.
The technical practices of SAST tools can be roughly divided into the following categories:
(1) Regular-expression matching: Cobra, Raptor;
(2) Based on the syntax tree: representative tools P3C, Fireline;
(3) For Java, based on class files: representative tool Findsecbugs;
(4) Based on control flow, data flow, function call relationships, etc.: many commercial SAST products on the market.
Of course, the effectiveness increases across these categories, and so does the difficulty. To recover the data flow, control flow and function call relationships of the code, the compiler front end essentially has to be implemented again, and the data flow and control flow are then restored from the intermediate code. The general process is lexical and syntax analysis, semantic analysis, intermediate code generation, and then generation of the data flow, control flow and function call relationships; defect matching and detection is carried out on the basis of these analyses.
Products based on SAST technology are characterized by a high false positive rate, long analysis time and high memory consumption, and the reasons lie in this complex process. Each security vendor writes its own code-layer analysis based on compiler principles and must handle a different syntax tree for each language, which adds complexity and time cost. Recovering data flow and control flow can never be 100% accurate, and when more than 1 million lines of code are analyzed at once, resource consumption (mainly memory) is high, complexity is high, and building the data flow and control flow takes a long time. SAST products therefore naturally suffer from two problems that are hard to solve: a high false positive rate and long running time. Even when integrated into an IDE, developers may not tolerate the long waits.
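The difference between category (1) and category (4) above, and why the simpler category produces more false positives, can be seen on a tiny scanner. This is an added illustration, not code from the page or from any of the tools it names; the sample program, the `request` source and the `os.system` sink are constructed for the demonstration.

```python
import ast
import re

# Constructed sample program (not from the page): one command-execution sink fed by
# user input, one safe call of the same API, and a comment that merely names the API.
SAMPLE = """
import os
def handler(request):
    cmd = request.args["cmd"]        # user-controlled source
    os.system("ping " + cmd)         # sink reached by user input
def housekeeping():
    os.system("logrotate /etc/logrotate.conf")   # constant argument, not user input
# TODO: remove the remaining os.system() calls
"""

SINK_RE = re.compile(r"os\.system\(")

def regex_scan(src):
    """Category (1): pattern matching. Flags every line containing the sink text."""
    return [no for no, line in enumerate(src.splitlines(), 1) if SINK_RE.search(line)]

def _is_os_system(func):
    return (isinstance(func, ast.Attribute) and func.attr == "system"
            and isinstance(func.value, ast.Name) and func.value.id == "os")

def _is_tainted(expr, tainted):
    # An expression is tainted if it reads the request object or a tainted variable.
    return any(isinstance(n, ast.Name) and (n.id == "request" or n.id in tainted)
               for n in ast.walk(expr))

def dataflow_scan(src):
    """Category (4) in miniature: syntax tree plus intraprocedural taint propagation.
    Only the top-level statements of each function are tracked, in source order."""
    hits = []
    for func in ast.walk(ast.parse(src)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call) and _is_os_system(node.func)
                        and any(_is_tainted(a, tainted) for a in node.args)):
                    hits.append(node.lineno)
    return hits

if __name__ == "__main__":
    print("regex hits:", regex_scan(SAMPLE))        # [5, 7, 8]: two false positives
    print("dataflow hits:", dataflow_scan(SAMPLE))  # [5]
```

The regex scanner reports the constant-argument call and even the comment, while the taint-tracking scanner reports only the line where user input reaches the sink; the price is the parsing and flow analysis the paragraph above describes.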
The Wukong software source-code static analysis tool (SAST), independently developed by China Science & Technology Group Tianqi (Zhongke Tianqi), supports the detection of security vulnerabilities and defects in software written in C/C++, Java, Python, JS, HTML, PHP and other mainstream programming languages. Its detection is described as "deep", "fast", "accurate" and "wide-ranging", and it fills the gap left by SAST tools that do not support domestic operating systems and domestic chips: it can be deployed on mainstream Linux environments such as Ubuntu and CentOS and on NeoKylin, Galaxy Kylin and other domestic operating systems; it supports distributed deployment for large numbers of concurrent users and supports domestically developed testing tools.
IAST stands for Interactive Application Security Testing.
Its near-real-time detection, extremely low false positive rate, localization to the exact line of code, display of the taint call chain, and so on fit well with the DevOps concept. IAST products also try to present the taint propagation call chain and the code line numbers, which, unlike DAST, gives partial code-layer information.
It provides a platform on which code reviewers and auditors can build and adapt powerful, highly customized queries to interactively interrogate their unique code base and environment.
Analysts with more complex code-exploration needs can bypass common sources of false positives by creating highly specific, targeted queries over a comprehensive code property graph (CPG). Examples include identifying whether user input in the code is properly protected, and finding indirect data flows in which user input reaches a receiver without being used directly.
RASP: Runtime Application Self-Protection
Introduced by Gartner in 2012. Like a vaccine injected into the application, RASP is integrated with the application itself and intercepts all calls from the application to the system, so that it can detect and block security attacks in real time. The application thereby gains the ability to protect itself: when it is actually attacked, it can defend against the attack automatically.
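A minimal version of the "vaccine" idea, as an added illustration that is not any vendor's code: a hook installed inside the running process replaces `os.system`, so every shell command the unchanged application issues is inspected and, if it carries injected shell control characters, blocked and recorded before it reaches the system. The `ping_host` application function and the attack input are constructed for the demonstration.

```python
import os
import re

# Constructed RASP-style hook (not any vendor's code). It replaces os.system inside the
# running process so every shell command the application issues is inspected first.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")   # shell control sequences an attacker injects
EVENTS = []                                  # security events the hook records

class BlockedCall(Exception):
    """Raised instead of executing a call the hook classified as an attack."""

def is_injection(cmd):
    """Decision logic: a command line carrying shell control characters is treated as an attack."""
    return SHELL_META.search(cmd) is not None

def make_guard(original):
    def guarded_system(cmd):
        if is_injection(cmd):
            EVENTS.append({"sink": "os.system", "command": cmd, "action": "blocked"})
            raise BlockedCall(f"os.system call blocked: {cmd!r}")
        EVENTS.append({"sink": "os.system", "command": cmd, "action": "allowed"})
        return original(cmd)
    guarded_system.rasp_installed = True
    return guarded_system

def install_rasp():
    """Inject the guard once; the application code stays unchanged, like a vaccine."""
    if not rasp_active():
        os.system = make_guard(os.system)

def rasp_active():
    return getattr(os.system, "rasp_installed", False)

# Unchanged application code (constructed): builds a shell command from user input.
def ping_host(host):
    return os.system("ping -c 1 " + host)

if __name__ == "__main__":
    install_rasp()
    try:
        ping_host("127.0.0.1; id")      # injected input: blocked before the shell runs
    except BlockedCall as err:
        print(err)
    print(EVENTS)
```

A real RASP agent hooks many more sinks (SQL, file, deserialization, network) and correlates the call with the incoming request rather than pattern-matching the command alone, but the interception point and the block-or-allow decision are the same.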
Each technology has its own advantages and disadvantages, and only the right tool is the best tool.
Software security: the last line of defense for network security
Zhongke Tianqi is strongly supported by the Institute of Computing Technology of the Chinese Academy of Sciences and was founded as a high-tech enterprise on the basis of the institute's internationally leading independent research result, the "Software Code Vulnerability Detection and Repair Platform (Wukong)".