Product of the Week: Synopsys Seeker Interactive Application Security Testing
August 11, 2021
Need to analyze an IoT web app for vulnerabilities that could leak sensitive data? Need to comply with regulations like PCI DSS or GDPR, but not interrupt your continuous integration and delivery (CI/CD) workflows? If so, you need a vulnerability seeker.
Synopsys’ Seeker interactive application security testing (IAST) program monitors code, data flows, and memory to identify sensitive data and ensure it is not stored in files or databases with weak or nonexistent encryption. Because it observes the application at runtime, the tool not only finds vulnerabilities but also determines whether or not they can be exploited.
Through automated runtime testing, Seeker dynamically analyzes HTTP traffic; back-end connections; and open source, third-party, and custom application code to separate false positives from identified vulnerabilities. It tests application components including:
- Platforms and runtimes like Java and .NET
- Databases, both SQL and NoSQL
- Application types like JSON, RESTful, mobile, web APIs, etc.
- Cloud platforms like Azure, AWS, Google Cloud, etc.
Through features like parameter identification, the tool then isolates components like unused parameters and fills them with malicious values to determine whether the code could be used as a backdoor for attacks.
Risks to sensitive data are presented to testers in a unified, real-time view that contains technical explanations of all detected vulnerabilities. The tool further offers context-based remediation instructions and sample code fixes, helping reduce the time DevOps teams need to fix the most at-risk portions of a design.
The solution, which Synopsys claims is “more accurate than traditional dynamic testing,” also integrates binary analysis from Black Duck Software for open-source vulnerability, versioning, and licensing coverage.
The Synopsys Seeker IAST in Action
For CI/CD and DevOps deployment, Seeker’s native integrations and web APIs allow it to be added to existing build servers and test tools whether the application is on-premises, cloud-based, or containerized. This allows the tool’s runtime analysis and instrumentation techniques to be applied from the QA and testing phase of the software development lifecycle through production deployment.
To uncover attack vectors that lead to sensitive data, testers begin by labeling data such as credit card information, usernames, and passwords, or anything else that falls under the umbrella of regulations like PCI DSS or GDPR. Seeker agents are then deployed at each application node (such as containers, VMs, and cloud instances) and track every action the app performs. These agents are supported by an automated URL mapping utility that generates an encompassing test coverage plan.
The agents then perform a line-by-line analysis, examining the interaction of code, sensitive data, and hundreds of thousands of HTTP(S) requests that provide comprehensive coverage of application components. The HTTP request monitoring helps isolate false positives from true vulnerabilities, which Synopsys says reduces the false positive rate to less than 5 percent compared to an average rate of 20 percent for alternative processes.
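The data-flow principle the two paragraphs above describe (label sensitive values at their source, follow them through the application, and report when a still-labelled value reaches storage without a protection step) can be illustrated with a toy runtime monitor. The following is constructed example code added for this write-up; it is not Seeker's code or any Synopsys API. The `RuntimeMonitor` agent, the `SANITIZERS` list, the `handle_checkout` handler and the sample request are all assumptions made for the illustration.

```python
"""Toy runtime taint monitor illustrating the IAST data-flow principle:
label sensitive values where they enter the application, propagate the
label through ordinary transformations, and report when a still-labelled
value reaches a storage sink. Added example code for this article, not
Seeker or any other Synopsys code; agent, sink, sanitizer list and the
sample request are all constructed for the illustration."""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Tainted:
    """A value that still carries a sensitive-data label (e.g. 'PCI')."""
    value: str
    label: str


@dataclass(frozen=True)
class Finding:
    sink: str
    label: str
    detail: str


# Operations the monitor treats as protecting the data. Encoding schemes such
# as base64 are deliberately absent: they are reversible and hide nothing.
SANITIZERS = {"pbkdf2_hash", "aes_gcm_encrypt"}


def apply(op_name: str, fn: Callable[[str], str], value: str | Tainted) -> str | Tainted:
    """Apply fn to value, keeping the label unless op_name is a sanitizer."""
    raw = value.value if isinstance(value, Tainted) else value
    out = fn(raw)
    if isinstance(value, Tainted) and op_name not in SANITIZERS:
        return Tainted(out, value.label)  # label propagates through the transform
    return out


@dataclass
class RuntimeMonitor:
    """Stand-in for an instrumentation agent hooked into the DB write path."""
    findings: list[Finding] = field(default_factory=list)

    def db_write(self, table: str, column: str, value: str | Tainted) -> None:
        # Sink hook: a Tainted object here means no sanitizer ran on the flow
        # between the labelled source and storage.
        if isinstance(value, Tainted):
            self.findings.append(Finding(
                sink=f"db:{table}.{column}",
                label=value.label,
                detail="labelled value reaches storage without a recognized protection step",
            ))
        # The real database write would happen here; omitted in this illustration.

    def summary(self) -> dict[str, int]:
        """Finding counts per label, the raw material for a compliance view."""
        counts: dict[str, int] = {}
        for f in self.findings:
            counts[f.label] = counts.get(f.label, 0) + 1
        return counts


def handle_checkout(monitor: RuntimeMonitor, request: dict[str, str]) -> None:
    """Constructed request handler with one weak and one sound data flow."""
    card = Tainted(request["card_number"], "PCI")          # source: labelled at entry
    password = Tainted(request["password"], "CREDENTIAL")  # source: labelled at entry

    # Flow 1: base64 is encoding, not encryption, so the label survives and
    # the write is reported.
    encoded = apply("base64", lambda s: base64.b64encode(s.encode()).decode(), card)
    monitor.db_write("orders", "card_number", encoded)

    # Flow 2: a salted PBKDF2 hash is a recognized sanitizer, so the label is
    # cleared and the write passes. (A constant salt is used only for this demo.)
    hashed = apply(
        "pbkdf2_hash",
        lambda s: hashlib.pbkdf2_hmac("sha256", s.encode(), b"demo-salt", 100_000).hex(),
        password,
    )
    monitor.db_write("users", "password_hash", hashed)


def run_demo() -> RuntimeMonitor:
    """Drive the handler with a constructed request and return the monitor."""
    monitor = RuntimeMonitor()
    sample_request = {"card_number": "4111111111111111", "password": "hunter2"}  # constructed
    handle_checkout(monitor, sample_request)
    return monitor


if __name__ == "__main__":
    m = run_demo()
    for f in m.findings:
        print(f"{f.sink} [{f.label}]: {f.detail}")
    print(m.summary())
```

Running the module reports one finding, the base64-"protected" card number written to `orders.card_number`, and none for the hashed password. The point the toy makes is the one the article attributes to Seeker: judging a store of sensitive data by whether a recognized protection step actually sat on the runtime path, rather than by static inspection alone.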
Seeker’s test results are displayed in a comprehensive dashboard that provides compliance scores or ratings against the OWASP Top 10, PCI DSS, GDPR, and CWE/SANS Top 25. The dashboard also displays alerts when applications are at risk of exposing sensitive information.
Seeker is also available in an unobtrusive passive monitoring version.
Getting Started with the Synopsys Seeker Interactive Application Security Testing program
Those interested in learning more about the Seeker IAST tool can access a variety of resources from the Synopsys website, including a general IAST FAQ, an eBook entitled “Interactive Application Security Testing: A Buyer’s Guide,” and case studies that cover how to integrate IAST into existing CI/CD frameworks. eLearning that provides hands-on help and training for developers is also available.
- Synopsys Seeker IAST Product Page: www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing.html#tab3
- Synopsys Seeker IAST Data Sheet: www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/interactive-application-security-testing-datasheet.pdf
- Interactive Application Security Testing: A Buyer’s Guide: www.synopsys.com/software-integrity/resources/ebooks/iast-buyers-guide.html
- Seeker PCI DSS Compliance Guide: www.synopsys.com/software-integrity/resources/ebooks/pci-dss-compliance-guide.html
- Seeker Demo Scheduling Form: www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing/demo.html