November 27, 2020

Code Reviews

A strategy for a successful AppSec program includes both automated SAST and DAST scanners and manual testing driven by an ever-evolving checklist, so that results stay consistent across multiple applications and multiple AppSec personnel.

Cons

Automated Tools

  • The scanner must allow for tuning and customization to reduce false positives and false negatives, and that tuning is ongoing work.
  • Coverage depends heavily on which languages, frameworks and standards the scanner supports.
  • A tool that addresses the points above can be expensive.
  • The scanner doesn’t understand application logic: a correctly parameterized query that hands back another user’s record looks fine to it.

Manual Testing

  • The unicorn problem: for manual testing to be effective, an individual must be highly experienced with the application’s languages and frameworks AND also be an effective attacker. There aren’t many unemployed (available) unicorns around that you can hire.
  • Different AppSec personnel will produce different reports, resulting in inconsistent findings.
  • Overhead of performing the test, then writing up findings or creating defects in the Agile tool.
  • Manual review of apps with a galactic shit ton of code is limited to targeting only critical and high-severity functions.

Pros

Automated Tools

  • Depending on how much money you spend, a scanner can be tuned to meet your organization’s needs.
  • Good for detecting low-hanging fruit and hundreds of other vulnerability classes, including SQLi, XSS, and CSRF.
  • Integrates into the CI/CD pipeline so every commit or merge request gets scanned.
  • Scans can be scheduled to run after hours.
  • If you shift left enough, it helps with security awareness and offers a way to educate developers who use a security plugin in their IDE.

Manual Testing

  • Deep dive into the code to reveal errors in application logic, design, and architecture that most automated tools can’t find.
  • Validate suspected false positives (and hunt for false negatives) from the scanners so developers only receive actionable findings.
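As an added illustration of the split described above (this is example code, not from the original post): a toy pattern-based SAST pass flags the SQL injection built by string formatting, goes quiet once the query is parameterized, and stays quiet on a logic flaw in the parameterized version that never checks ownership of the record. The manual check at the bottom is the kind of test a reviewer runs to expose that flaw. The `invoices` table, the user names and the `toy_sast` regex are all constructed for the example; a real scanner uses data-flow analysis rather than a one-line regex, but its blind spot on the authorization bug is the same.

```python
"""Added example: a toy SAST check next to two kinds of bug, one it sees and one it cannot."""
import inspect
import re
import sqlite3


def make_db():
    """Constructed sample data: two invoices owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [(1, "alice", 100), (2, "bob", 250)])
    return conn


# Bug 1: SQL injection. The query is assembled by string formatting, which a
# scanner can match syntactically without knowing anything about the app.
def find_invoices_vulnerable(conn, owner):
    return conn.execute(f"SELECT id FROM invoices WHERE owner = '{owner}'").fetchall()


# Fix for bug 1: parameterized query; user input never becomes SQL syntax.
def find_invoices_fixed(conn, owner):
    return conn.execute("SELECT id FROM invoices WHERE owner = ?", (owner,)).fetchall()


# Bug 2: logic flaw. The query is parameterized, so nothing looks wrong to a
# scanner, but requesting_user is never compared against the invoice owner
# (an insecure direct object reference).
def get_invoice_amount_logic_flaw(conn, requesting_user, invoice_id):
    row = conn.execute("SELECT amount FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


# Fix for bug 2: ownership is enforced in the query itself.
def get_invoice_amount_fixed(conn, requesting_user, invoice_id):
    sql = "SELECT amount FROM invoices WHERE id = ? AND owner = ?"
    row = conn.execute(sql, (invoice_id, requesting_user)).fetchone()
    return row[0] if row else None


# Toy SAST rule (hypothetical): an execute() call whose SQL argument is an
# f-string, or a string literal followed by +, % or .format(), is a finding.
SQL_CONCAT = re.compile(r"""execute\(\s*(f["']|["'][^"']*["']\s*(\+|%|\.format))""")


def toy_sast(func):
    """Return the source lines of func that match the SQL concatenation rule."""
    return [line.strip() for line in inspect.getsource(func).splitlines() if SQL_CONCAT.search(line)]


def sast_findings():
    """Run the toy scanner over all four functions; keys are function names."""
    funcs = (find_invoices_vulnerable, find_invoices_fixed,
             get_invoice_amount_logic_flaw, get_invoice_amount_fixed)
    return {f.__name__: toy_sast(f) for f in funcs}


def injection_demo():
    """Row counts returned for a classic tautology payload: (vulnerable, fixed)."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return len(find_invoices_vulnerable(conn, payload)), len(find_invoices_fixed(conn, payload))


def manual_authz_check(func):
    """What a reviewer does by hand: ask for alice's invoice while logged in as bob.
    A correct implementation returns None; the logic flaw leaks alice's amount."""
    conn = make_db()
    return func(conn, "bob", 1)


if __name__ == "__main__":
    print("injection rows (vulnerable, fixed):", injection_demo())
    for name, hits in sast_findings().items():
        print(f"{name}: {'FINDING' if hits else 'clean'}")
    print("logic flaw leaks:", manual_authz_check(get_invoice_amount_logic_flaw))
    print("fixed version leaks:", manual_authz_check(get_invoice_amount_fixed))
```

The scanner result and the manual result disagree on `get_invoice_amount_logic_flaw`: the tool reports it clean, the reviewer's one-line test shows bob reading alice's invoice. That gap is the reason the post keeps manual review in the program alongside the scanners.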