Security at the Source: Static Application Security Testing

May 12, 2014 in Cyber Attacks

Cybercrime is often little more than a battle of wits, and much of that battle is focused on the bad guys finding and exploiting vulnerabilities in a web application that the good guys missed. Poorly or hastily written code can leave weak points for hackers to exploit, often to great effect. While a developer’s goal is usually to create a great app, sometimes security takes a backseat to style and function. Even the best and most security-conscious developers can still miss things, which is why being able to automate a 100% comprehensive review of every app on your website is invaluable.

The Devil is in the Details

The security landscape is littered with massive security exploits that were traced back to simple mistakes in coding. Even the recent massive Heartbleed exploit, which affected the security of almost the entire internet, was traced to a few mistakes years ago by one of the many volunteers who helped create the open source technology.

Even more troubling: it now appears that hackers were aware of and actively exploiting that mistake for nearly two years before security experts discovered it. And who knows how much damage and havoc they managed to cause.

That’s why protecting your code from exploits is so critical. Most websites are really just a collection of different apps and plugins developed by third parties, and the security of your website depends on how careful and skilled those third parties are.

Identifying Your Vulnerabilities

To tackle this problem and shut down yet another point of attack, SiteLock recently added something called TrueCode to its arsenal. TrueCode uses Static Application Security Testing, or SAST, to peer as deeply as possible into the source code of the applications you use on your website, and then map what it finds. Those results are then delivered to you in a simple report that outlines the severity of any findings and what you can do about them.
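To make the idea of a SAST rule concrete, here is a small added illustration (not TrueCode's code or SiteLock's method): it parses a constructed Python snippet, flags a database query whose text is assembled at runtime instead of using bound parameters, and emits a finding with a severity and a remediation hint, the same shape of output the report described above provides.

```python
import ast
from dataclasses import dataclass

# Constructed sample application code (not from any real project): one risky
# pattern and one safe pattern for the rule below to distinguish.
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

@dataclass
class Finding:
    line: int
    severity: str
    message: str
    remediation: str

def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False

def scan_source(source: str) -> list[Finding]:
    """One SAST-style rule: flag cursor.execute(...) whose first argument is
    assembled at runtime rather than a constant query with bound parameters."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "execute" or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append(Finding(
                line=node.lineno,
                severity="high",
                message="SQL query text built from runtime values (possible SQL injection)",
                remediation="Use a constant query string with bound parameters",
            ))
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line} [{f.severity}] {f.message}; fix: {f.remediation}")
```

A real SAST engine tracks data flow across functions and files rather than matching one call shape, but the report it produces has this same structure: location, severity, and what to change.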

It’s a powerful and important way to see how your applications are currently working, what other applications they interact with, and what vulnerabilities they could be creating. And it can identify critical vulnerabilities and mistakes before you even launch the app, denying hackers the opportunity to exploit it.

As SiteLock put it “TrueCode is like having a hacker proofread your code.” And that’s a fundamental pillar of all security. Most vulnerabilities are small, isolated, and hidden from the untrained eye. But when you have experts go through that code, line by line, from the perspective of a hacker, you have a much better chance of finding and fixing that tiny error that could blow a massive hole through your security. And your business.

And it’s not as if TrueCode has to interrupt your business or website to complete this detailed probe. TrueCode actually takes a copy of the application code and does all the testing in its own cloud-based lab. Exactly how security should be – an enabler and not a disrupter or inconvenience. Your customers and your website will never notice the difference, but they will definitely appreciate it.

There are many simple rules to security – it should always consist of multiple layers, it should never stand still, and we should always try to look at website security from the perspective of the hackers. TrueCode hits on all counts. Contact SiteLock today and learn how to integrate TrueCode into your web development workflow.

Update: SiteLock has been recognized by Gartner as part of its Magic Quadrant for Application Security Testing. Get the full report and learn what makes TrueCode so noteworthy.

Google Author: Neal O’Farrell
