Background
ACME Company outsourced a significant portion of its software development to an external vendor. As mandated in the Statement of Work (SoW), a Static Application Security Testing (SAST) scan must be performed before any code is delivered. However, when ACME conducted a penetration test on the delivered code, they discovered numerous security vulnerabilities, raising concerns about the effectiveness of the SAST process at the development company.
Objective
To ensure that the SAST process at the development company is effective and aligns with ACME Company's security standards.
Steps Taken
1. Engagement to Review SAST Process
ACME engaged Blueinfy to review the SAST process at the development company. The goal was to understand why the SAST scans had failed to identify vulnerabilities that were later found during penetration testing.
2. Questionnaire Development and Submission
A comprehensive questionnaire was developed, covering various aspects of the SAST process. At a high level, the following categories were covered in the questionnaire:
• Application details
• SAST tool/product
• Scan profile
• Rules and their updates
• Reporting
• Execution method
• Scan strategy
• Integration with code repository
• Frequency of scans
• Team responsibility (RACI)
• Finding tracking
• Process for handling false positives/negatives
The main intention here was to gather information about the SAST process, tools used, configurations, and practices followed by the development company. The questionnaire was submitted to the development company, requesting comprehensive responses.
3. Interviews for Clarification
After receiving the answers, a detailed analysis was performed and follow-up interviews were conducted to clarify responses and delve deeper into the specifics of the SAST process.
4. Findings and Diagnosis
Improper Configuration: The review process revealed that the SAST scanner was not properly configured, leading to the scans missing vulnerabilities. This misconfiguration resulted in SAST scans showing no significant findings.
Old Rules: The server where the SAST tool was configured could not connect to the internet. This measure was implemented to ensure that the source code did not get transmitted over the internet. Consequently, the SAST tool failed to connect to the vendor's server to retrieve the latest rules.
5. Initial Adjustments
Scan Profile Change: The scan profile was adjusted to ensure it was comprehensive and aligned with industry best practices. This reconfiguration aimed to improve the scanner's ability to detect relevant security issues.
The firewall rule was updated to allow the server to connect to the vendor's server and retrieve the latest updates for the rules.
6. Handling False Positives
Increased False Positives: Following the initial changes, the SAST scanner began generating results, but there was a significant increase in false positives. This overwhelmed the development team and made it challenging to identify actual security threats.
Further Refinements: To address the issue of false positives, the scan profile was refined further. The focus was shifted to report only a few high-priority categories with high accuracy, ensuring that the identified issues were both relevant and critical.
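The refinement in step 6 amounts to measuring, per rule category, how many of the scanner's findings survived triage and keeping only the categories that are both precise and relevant. The following script is an added illustration of that idea, not code from the case study or from Blueinfy; the triage data, category names and thresholds are constructed for the example, and a small helper also flags the stale-rules condition from the diagnosis above.

```python
from datetime import date

# Constructed sample: triage verdicts for findings from a first full-profile scan.
# Each tuple is (rule category, verdict); "tp" = confirmed issue, "fp" = false positive.
# Values are made up for illustration, not taken from a real scan.
TRIAGED_FINDINGS = [
    ("sql_injection", "tp"), ("sql_injection", "tp"), ("sql_injection", "fp"),
    ("command_injection", "tp"), ("command_injection", "tp"), ("command_injection", "tp"),
    ("xss", "tp"), ("xss", "fp"), ("xss", "fp"), ("xss", "tp"),
    ("hardcoded_secret", "tp"), ("hardcoded_secret", "fp"),
    ("hardcoded_secret", "fp"), ("hardcoded_secret", "fp"),
    ("unused_variable", "fp"), ("unused_variable", "fp"), ("unused_variable", "fp"),
    ("log_forging", "fp"), ("log_forging", "fp"), ("log_forging", "fp"), ("log_forging", "tp"),
]


def precision_by_category(findings):
    """Return {category: (confirmed, total)} computed from triaged findings."""
    stats = {}
    for category, verdict in findings:
        confirmed, total = stats.get(category, (0, 0))
        stats[category] = (confirmed + (verdict == "tp"), total + 1)
    return stats


def refined_profile(findings, min_precision=0.6, min_samples=3):
    """Categories precise enough to keep enabled in the scan profile.

    Categories with too few triaged findings are left out until more
    evidence is available; thresholds are assumptions, tune them per team.
    """
    keep = []
    for category, (confirmed, total) in precision_by_category(findings).items():
        if total >= min_samples and confirmed / total >= min_precision:
            keep.append(category)
    return sorted(keep)


def rules_are_stale(rule_pack_date, today, max_age_days=30):
    """Flag a rule pack that has not been refreshed (the offline-server symptom)."""
    return (today - rule_pack_date).days > max_age_days


if __name__ == "__main__":
    print("Keep enabled:", refined_profile(TRIAGED_FINDINGS))
    print("Rules stale:", rules_are_stale(date(2024, 1, 1), date(2024, 3, 1)))
```

Re-running the selection after each triage cycle turns the one-off profile tuning described above into a repeatable check.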
Outcome
The refined scan profile started producing actionable results, significantly reducing false positives and highlighting genuine vulnerabilities that needed to be addressed.
By thoroughly reviewing and adjusting the SAST process, ACME Company ensured that the development company could effectively use SAST scans to identify and mitigate security vulnerabilities. This enhanced approach not only improved the security posture of the delivered code but also built a stronger collaborative relationship between ACME and its development partner.
Recommendations
1. Regular Audits
Conduct regular audits of the SAST configuration and process to ensure ongoing effectiveness and that rules are kept up to date.
2. Continuous Improvement
Implement a continuous improvement cycle where feedback from penetration testing and other security assessments informs ongoing adjustments to the SAST process.
3. Defense in Depth
It is important to have multiple programs in place. Relying solely on SAST/DAST or penetration testing is not sufficient for mission-critical applications. A combination of all these programs is essential. Insights gained from one program should be used to enhance and train other programs and tools.
4. Training and Awareness
Provide training to the development company on the importance of proper SAST configuration and how to manage false positives effectively.
Conclusion
Through a comprehensive review and iterative adjustments of the SAST process, ACME Company ensured that their outsourced development partner could deliver secure code that meets ACME's security standards. This proactive approach not only mitigated potential security risks but also strengthened the partnership with the development company.
Article by Hemil Shah