Today is an exciting day for Sqreen. We’re adding a brand new slice to our Application Security Management platform: a security testing solution that helps security and engineering teams better secure their code.
Since the beginning, Sqreen’s mission has been to make robust application security available to everyone, with the flexibility, transparency, and depth needed in modern environments. This has been our guiding light behind everything we’ve built. It’s gratifying to see that come together with our IAST and in recognitions from the industry like our recent selection as one of the ten finalists of RSA 2020’s Innovation Sandbox Contest.
Today, Sqreen blocks over thirty million attacks every month (and growing at a fast pace!) and allows security teams to have increased visibility into their production applications. But what if there’s more we could do? What if we could leverage all the in-app security signals gathered from Sqreen’s sandboxed microagents to help teams also shift security left and prevent vulnerabilities from reaching production in the first place?
This is what Sqreen’s IAST is all about, and it’s what we’re releasing in private beta today!
The issue with existing application security testing solutions
Shifting left and finding vulnerabilities early is not a new concept. But as the evolution of the OWASP top 10 shows, the most critical vulnerabilities haven’t changed a lot over the last ten years. Why isn’t it possible to find these vulnerabilities in an automated way already?
First, it’s hard to identify which vulnerabilities actually matter. You can use Static Application Security Testing (SAST) that checks your code for known patterns of weaknesses. This has the advantage of having access to your code directly, but lacks an understanding of how the code will run in production. Then there’s Dynamic Application Security Testing (DAST), which sends attack patterns on a built application. But as DAST sits fully outside the application and code, there’s a lack of code context and understanding of how the application behaves with these incoming attacks. The lack of context with SAST and DAST solutions will flood teams with hundreds of vulnerabilities, most of them being either false positives, or vulnerabilities that no one would be able to exploit. And then, of course, these approaches will only be able to catch known vulnerabilities as they leverage known patterns.
Second, testing slows teams down. It is the very nature of the checks that traditional Application Security Testing (AST) tools do – based on patterns/signatures – that make them slow to run. Most of these AST tools need to run on the complete app/codebase (including third-party assets) and can take hours to complete. Companies invest a lot in making their CI/CD pipelines fast to increase speed to market. Slowing them down with laggy security checks is counter-productive.
Third, it’s grueling work to fix the code. It’s hard for teams to triage the identified issues and prioritize the remediation, especially in a fast-paced environment where teams ship code on a daily/weekly basis. We’ve talked to dozens of security teams that built sophisticated AppSec programs that successfully identified hundreds or thousands (if not more) of vulnerabilities across their services but aren’t able to properly prioritize or fix them. The backlog of vulnerabilities just keeps on increasing after every release.
Finally, AST solutions are complex and challenging to set up and automate. They require security experts to integrate but also read and leverage the results. DevSecOps won’t be achieved if we don’t close the gap between developers and security teams.
So what is a good alternative?
Interactive Application Security Testing (IAST) to the rescue
What is IAST?
Interactive Application Security Testing offers a modern approach to Application Security Testing. It leverages microagents sitting directly inside the application to stress the application and monitor how it behaves while being stressed. This uncovers vulnerabilities without generating false positives. Check out our Learning Center resource on IAST if you want to learn more about this technology.
So is every IAST the same? No! IAST is a new category of solutions; not every IAST works the same way and offers the same value. Depending on the implementation, some IASTs will be able to leverage different amounts of execution context, which will impact their effectiveness. If you don’t instrument your code at runtime you won’t understand how it reacts to incoming attacks. So let’s have a look at how Sqreen’s IAST works.
How Sqreen’s IAST works
Sqreen leverages microagents that are easily installed into an application. It just requires you to add a simple dependency to your application. Read more on our Quick Start Guide. No code modification is required. Sqreen’s IAST then automates the standard pentesting phases: the mapping phase and the attack phase.
1 – The mapping phase
Once you deploy your app in a testing or production environment, the microagents will start to learn from your QA tests or production traffic. It will create a full attack surface of the target that will include: endpoints, routes, inputs metadata, and metadata. Sqreen only needs to collect metadata and will never collect full queries, parameter values, etc. Data privacy is a core pillar of Sqreen, and mapping the attack surface should not come at the cost of privacy.
This mapping phase can be very quick i.e., a few minutes, depending on your traffic. One single valuable endpoint (with valuable inputs) mapped is enough to start seeing results. The IAST doesn’t need a full map of the application to start getting useful data. Of course, the bigger the mapped attack surface, the greater the chance to reveal vulnerabilities. The more you know about your target, the more efficient you are.
2- The attack phase
Your first attack can be launched as soon as the microagent maps its first valuable endpoint. Sqreen knows where to send inputs and what they expect as data. By being inside the application, with full knowledge of the runtime context, Sqreen doesn’t need to rely on an “oracle” or sensors to try to predict if a vulnerability was found and is false positives free.
How Sqreen’s IAST works: uncovering a SQL injection vulnerability
In the mapping phase, Sqreen will identify an endpoint that triggers SQL queries. In the attack phase, Sqreen will send queries to endpoints, with valid parameter names and forged data aiming at finding SQL injection vulnerabilities. The microagent will monitor the application from the inside to detect if one of the attacks is changing the structure of the SQL query. If it’s the case, Sqreen collects a stack trace of the vulnerability and shows it inside the dashboard.
The benefits of Sqreen’s IAST
Find critical and exploitable threats
Sqreen’s unified Application Security Management Platform leverages data from Sqreen Protect and Sqreen Observe to improve the effectiveness of Sqreen Test. Traditional external scanners send thousands of attack patterns because they have very limited knowledge of the targeted application and its expected inputs. Sqreen has a much better understanding of how the application works and identifies vulnerabilities by leveraging the runtime context, without the noise of false positives. And by not having to rely on patterns of known vulnerabilities, Sqreen will also uncover unknown ones (zero-days). Sqreen’s IAST will identify SQL injections, NoSQL injections, Local File Injections, Cross-Site Scripting vulnerabilities, and more.
Easily fix vulnerabilities
Priorities critical vulnerabilities that are actually exploitable by external attackers. Sqreen leverages in-app security signals to get developer-friendly remediation details that pinpoint the vulnerable line of code.
Integrate security into your SDLC
You can embed Sqreen’s agents seamlessly by default across the SDLC. Sqreen offers continuous coverage as your application evolves. By leveraging a distributed architecture with microagents inside apps, Sqreen is a lot faster in performing the tests. It doesn’t need to test application layers at the surface and can focus on the deep code vulnerabilities. By leveraging inside-knowledge of the application, Sqreen doesn’t mess with other components (like third-party code or external services) that aren’t relevant in the scope of an Application Security Testing.
Today, we’re excited to release a private beta release of Sqreen’s Interactive Application Security Testing (IAST) solution. It’s available for Node.js, and more technologies will be supported in the coming months.