Application Security and Risk (ASR) space

June 01, 2022

SCA

Software Composition Analysis (SCA) is a scan performed on the third-party components used by the application.  The scan detects and reports security findings in those third-party components.  


The tool provides finding details including the component name, version, and remediation.  These details help developers address and remediate the issues, and write secure software.
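As an added illustration of what an SCA scan does (this is example code written for this page, not Black Duck's engine or its report format), the block below matches a declared component manifest against a constructed advisory list and emits the component name, version and remediation fields described above. The advisories, version ranges and component names are all made up for the demo.

```python
# Added example: a minimal SCA-style check. Illustrative only; the advisory
# data below is constructed and does not describe real components or CVEs.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_below: str   # versions strictly below this are affected ...
    affected_from: str    # ... provided they are at or above this one
    severity: str
    fixed_in: str


# Constructed advisories for the demo (not real vulnerability data).
ADVISORIES = [
    Advisory("example-logger", affected_from="2.0.0", affected_below="2.15.0",
             severity="critical", fixed_in="2.15.0"),
    Advisory("example-json", affected_from="1.0.0", affected_below="1.3.2",
             severity="high", fixed_in="1.3.2"),
]


def is_affected(adv: Advisory, version: str) -> bool:
    """True when the declared version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.affected_below)


def scan_components(manifest: dict) -> list:
    """manifest maps component name -> declared version (think of a lockfile).

    Returns one finding per (component, advisory) match with the name, version
    and remediation fields an SCA report typically carries."""
    findings = []
    for name, version in manifest.items():
        for adv in ADVISORIES:
            if adv.component == name and is_affected(adv, version):
                findings.append({
                    "component": name,
                    "version": version,
                    "severity": adv.severity,
                    "remediation": f"upgrade to {adv.fixed_in} or later",
                })
    return findings


# Constructed manifest for the demo.
SAMPLE_MANIFEST = {
    "example-logger": "2.14.1",   # inside the affected range -> finding
    "example-json": "1.3.2",      # exactly the fixed version -> no finding
    "example-http": "4.0.0",      # no advisory at all
}

if __name__ == "__main__":
    for finding in scan_components(SAMPLE_MANIFEST):
        print(finding)
```

The point to take from it is that an SCA finding is driven by the declared version, so a lockfile that pins an old transitive dependency will surface findings even when the application code never calls the vulnerable API directly.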

Tooling

Black Duck (from Synopsys) is the tool used for SCA.




SAST

Static Application Security Test (SAST) is a scan performed on the application source code to detect and report security findings.  Findings detected include hardcoded passwords, SQL injection, cross-site scripting and others.


The tool provides finding details including description, location (file/line #), remediation and others.  These details help developers address and remediate the issues, and write secure software.
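To make two of the finding types above concrete, here is an added example (written for this page, not Fortify's output or the organisation's code) showing the code pattern a SAST tool flags next to its hardened form: string-built SQL beside a parameterised query, and a credential literal beside a runtime lookup. The in-memory table, the placeholder password and the `APP_DB_PASSWORD` variable name are all constructed for the demo.

```python
# Added example: SAST-style findings side by side with their remediation.
# The database and all values are constructed for the demo.
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# Finding: SQL injection. The query text is built by concatenation, so the
# caller's input becomes part of the SQL syntax instead of staying data.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# Remediation: a parameterised query. The driver binds the value separately,
# so the same input only ever matches a user literally named that string.
def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Finding: hardcoded password. A credential literal in source ends up in
# version control, build artefacts and every copy of the image.
DB_PASSWORD_HARDCODED = "s3cret-placeholder"   # constructed value, never use


# Remediation: resolve the secret at runtime from the environment (or a secret
# store); the variable name here is an assumption for the demo.
def db_password_from_env() -> str:
    password = os.environ.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return password


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # classic tautology used to show the difference
    print("vulnerable:", find_user_vulnerable(conn, probe))   # every row
    print("safe:      ", find_user_safe(conn, probe))         # no rows
```

Running it shows why the tool reports the first function and not the second: the same input returns the whole table through the concatenated query and nothing through the parameterised one.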

Tooling

Fortify (from Micro Focus) is the tool used for SAST.



DAST

Dynamic Application Security Test (DAST) is a scan performed on the application runtime environment to detect and report security findings.  Findings detected include hardcoded passwords, SQL injection, cross-site scripting and others.

The report includes the finding description, location (URL) and remediation details.  These details help developers address and remediate the issues, and write secure software.

Tooling

AppScan (from HCL) is the tool used for DAST.



Pen testing

Description

A penetration test (pen test) is an authorized test to evaluate the security of a specific target such as network devices, servers, platforms, and/or applications.  In a pen test, real-world attacker scenarios are carried out to identify weaknesses and vulnerabilities that could compromise the confidentiality (e.g. unauthorized access to data), integrity (e.g. modifying/deleting data) and/or availability (e.g. DDoS) of the target.


There are different types of pen tests: white box, black box and gray box penetration testing.  The three types differ in the level of knowledge and access provided to the pen testers.  In black box testing only basic information, if any, is provided to the tester, while white box testing provides more background, system information and possibly source code.  Generally, Big banks performs gray box pen tests, where limited knowledge of the target is shared with the testers.

Scope

Pen test engagements are generally initiated on internet-facing targets.  The testing frequency and schedule are managed by the pen test team.  Additionally, a pen test can also be initiated as part of a project triage when required by Information Security.


Container security

Description

Big banks uses Aqua Enterprise to provide container security, from image scanning to container monitoring and protection.  This is provided by two capabilities, Image Assurance and Runtime Protection, which are detailed below.

Image Assurance

Image Assurance provides scanning services to determine the health of container images – both base images and application images.  This allows:

  • CaaS Team to scan during the base image certification process
  • AD Teams to scan application images throughout the SDLC


Scans can be performed as part of the build process (e.g. integrated with Jenkins) or on the image registry.  Aqua then reports on image compliance, which is based on the XXX defined Image Assurance Policy.  An image is non-compliant if one of the following is detected: critical or high risk vulnerabilities, sensitive data, malware, a failed image scan, or no OS package manager.


The CaaS and AD Teams are required to review the image compliance, and to address image findings.  Once remediation is implemented, a rescan must be completed to validate remediation.  Remediated findings will no longer appear on the updated scan results.
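The compliance rule and the rescan step above are easy to get wrong in a pipeline gate, so here is an added example (written for this page; it is not Aqua's policy engine or its report schema) that evaluates a constructed scan summary against the five non-compliance conditions listed and then compares a rescan with the original to show which findings were remediated and which are still outstanding. The `ImageScan` fields and the sample data are assumptions made for the demo.

```python
# Added example: an Image Assurance style compliance check and rescan comparison.
# Structures and sample data are constructed; they are not Aqua's own format.
from dataclasses import dataclass, field


@dataclass
class ImageScan:
    """Constructed summary of one image scan."""
    image: str
    scan_succeeded: bool = True
    vulnerabilities: dict = field(default_factory=dict)  # severity -> count
    sensitive_data_found: bool = False
    malware_found: bool = False
    has_os_package_manager: bool = True


def evaluate_image(scan: ImageScan) -> tuple:
    """Return (compliant, reasons) using the five conditions the policy names.

    A failed scan is reported on its own: with no results there is nothing
    else to trust, so the image is treated as non-compliant regardless."""
    reasons = []
    if not scan.scan_succeeded:
        reasons.append("image scan failed")
    crit = scan.vulnerabilities.get("critical", 0)
    high = scan.vulnerabilities.get("high", 0)
    if crit > 0 or high > 0:
        reasons.append("critical or high risk vulnerabilities")
    if scan.sensitive_data_found:
        reasons.append("sensitive data")
    if scan.malware_found:
        reasons.append("malware")
    if not scan.has_os_package_manager:
        reasons.append("no OS package manager")
    return (len(reasons) == 0, reasons)


def validate_remediation(before: ImageScan, after: ImageScan) -> dict:
    """Compare the rescan with the original scan: remediated findings no longer
    appear, anything still listed needs further work before the gate opens."""
    _, before_reasons = evaluate_image(before)
    compliant, after_reasons = evaluate_image(after)
    return {
        "compliant": compliant,
        "remediated": [r for r in before_reasons if r not in after_reasons],
        "outstanding": after_reasons,
    }


# Constructed sample scans: the first build fails the policy, the rebuilt
# image only carries medium findings, which the policy does not block on.
FIRST_SCAN = ImageScan("app/api:1.0",
                       vulnerabilities={"critical": 1, "high": 2, "medium": 5},
                       sensitive_data_found=True)
RESCAN = ImageScan("app/api:1.1", vulnerabilities={"medium": 5})

if __name__ == "__main__":
    print(evaluate_image(FIRST_SCAN))
    print(validate_remediation(FIRST_SCAN, RESCAN))
```

Note that medium and low findings do not make an image non-compliant under the stated policy, so a rescan that still lists them is a pass; a gate that blocks on any finding at all would be stricter than the policy described here.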

Runtime Protection

Runtime Protection provides functionality to monitor and protect containers.  Container Runtime Policies are predefined to audit and optionally restrict the runtime activities of containers.  Aqua can then prevent:

  • Non-compliant containers from running
  • Containers from executing certain runtime activities - for example, block the running of specified executables, or prevent modified executables from being executed


Aqua Runtime Protection has two enforcement modes: Audit Only and Enforce.  In Audit Only mode, Aqua generates security events without blocking the container when a policy violation is detected.  In Enforce mode, Aqua generates security events and blocks the illegitimate runtime activities from running.  


Currently, Runtime Protection is configured to Audit Only.  As the program matures, options will be explored with stakeholders to change the mode to Enforce.
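The difference between the two modes is that the same policy violation produces an event in both, but only Enforce stops the activity. The following added example (written for this page, not Aqua's runtime enforcer) models the two runtime controls mentioned above, a list of executables that must not run and detection of an executable whose content changed since the image was built, and shows how the mode switch changes the decision without changing what gets logged. Container names, paths and file contents are constructed for the demo.

```python
# Added example: a toy container runtime policy with Audit Only and Enforce
# modes. Illustrative only; all names, paths and contents are constructed.
import hashlib
from enum import Enum


class Mode(Enum):
    AUDIT_ONLY = "audit_only"   # record the event, let the activity proceed
    ENFORCE = "enforce"         # record the event and block the activity


class RuntimePolicy:
    """Flags execution of listed executables and of executables whose content
    no longer matches the hash recorded when the image was built."""

    def __init__(self, mode: Mode, blocked_executables: set, known_hashes: dict):
        self.mode = mode
        self.blocked = set(blocked_executables)
        self.known_hashes = dict(known_hashes)   # path -> sha256 hex digest
        self.events = []                          # security events, both modes

    def check_exec(self, container: str, path: str, content: bytes) -> dict:
        violations = []
        if path in self.blocked:
            violations.append("blocked executable")
        expected = self.known_hashes.get(path)
        if expected is not None and hashlib.sha256(content).hexdigest() != expected:
            violations.append("modified executable")

        if not violations:
            return {"container": container, "path": path,
                    "violations": [], "action": "allow"}

        # Same event in both modes; only the action differs.
        action = "block" if self.mode is Mode.ENFORCE else "alert"
        event = {"container": container, "path": path,
                 "violations": violations, "action": action}
        self.events.append(event)
        return event


# Constructed sample data: one script hashed at build time, one blocked tool.
ORIGINAL_SCRIPT = b"#!/bin/sh\necho hello\n"
KNOWN_HASHES = {"/app/run.sh": hashlib.sha256(ORIGINAL_SCRIPT).hexdigest()}
BLOCKED = {"/usr/bin/nc"}


def demo(mode: Mode) -> list:
    """Run three exec attempts through the policy and return the decisions."""
    policy = RuntimePolicy(mode, BLOCKED, KNOWN_HASHES)
    results = [
        policy.check_exec("web-1", "/app/run.sh", ORIGINAL_SCRIPT),
        policy.check_exec("web-1", "/app/run.sh", ORIGINAL_SCRIPT + b"echo tampered\n"),
        policy.check_exec("web-1", "/usr/bin/nc", b"<binary>"),
    ]
    return [r["action"] for r in results]


def event_count(mode: Mode) -> int:
    """Events are generated in both modes, which is what makes Audit Only
    useful for tuning a policy before switching it to Enforce."""
    policy = RuntimePolicy(mode, BLOCKED, KNOWN_HASHES)
    policy.check_exec("web-1", "/app/run.sh", ORIGINAL_SCRIPT + b"echo tampered\n")
    policy.check_exec("web-1", "/usr/bin/nc", b"<binary>")
    return len(policy.events)


if __name__ == "__main__":
    print("audit only:", demo(Mode.AUDIT_ONLY))
    print("enforce:   ", demo(Mode.ENFORCE))
```

Because the event stream is identical in both modes, the Audit Only period can be used to measure how many legitimate workloads would be blocked once the switch to Enforce is made, which is exactly the kind of data stakeholders need before agreeing to the change.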
