The traditional tools suite of static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) are mainstays of traditional software development and release practices. SAST helps organizations detect and mitigate vulnerabilities in internally developed, pre-production source code. Many use DAST to test running applications for potential vulnerabilities and configuration errors. And SCA is used to identify vulnerabilities in open-source software and for creating a limited Software Bill of Materials (SBOM).
These practices, as part of the bigger trend of shifting security left in the software development lifecycle, fail to fully address the growing range of software supply chain threats that organizations face from open-source and third-party software use in modern software development practices.
While AST tools can help identify vulnerability and exposure risk in internally developed code and open-source libraries, they completely miss third-party software tampering, malware injections and other risks.
In a new report, ReversingLabs highlights where traditional AST tools fall short when it comes to addressing modern software supply chain risks. Here are four key focus areas from the report.
1. Traditional AST if focused on open source, which is just part of the supply chain security equation
SAST and DAST help organizations identify and address vulnerabilities in internal software and open-source libraries. But they cannot identify the emerging risks associated with today's software supply chain: code tampering, malware, backdoors and other malicious code introduced. In the attack on SolarWinds, for instance, threat actors infiltrated the company's build process, made malicious additions to approved and digitally signed code and then distributed the malware via an automated software update channel.
Such software distribution network attacks are not the only common supply chain attack vector that current AST methods fail to address. SAST, DAST and SCA approaches cannot detect risks associated with typosquatting attacks where an attacker adds malicious code to a legitimate file and tricks developers into using it by giving the modified file a name or version number very similar to the original.
Such attacks are surging. ReversingLabs’ 2022 NVD Analysis: A Call to Action on Software Supply Chain Security, showed a 289% increase in attacks on popular code repositories such as PyPI and npm over the past four years. In addition to typosquatting attacks, traditional software integrity validation tests also cannot address risks that can arise when developers bypass commit controls or when attackers leverage functional vulnerabilities in open-source code to introduce malware into an environment.
2. Traditional AST focuses on vulnerabilities, missing malware and other supply chain attacks
The main focus of AST is on testing source code for known vulnerabilities and configuration issues. Software supply chain security tools focus on malware by exposing unanticipated behaviors, code tampering, certificate misconfiguration issues, secrets compromises and other risks. The report noted:
"Traditional AST approaches rely on testing source code and open-source libraries for vulnerabilities instead of focusing on how the code behaves."
AST tools also tend to focus heavily on vulnerabilities in NIST's National Vulnerability Database (NVD), a vast number of which are associated with software from a relatively small number of legacy platform vendors. Sometimes vulnerabilities in widely used platforms are not in the NVD either because the vendor did not submit the vulnerability or because the vendor is not a CVE Numbering Authority.
In either case, the known reported vulnerabilities in NVD that SAST and DAST tools use, present only part of the overall risk picture. The NVD report noted:
"Today, the NVD does not cover the full scope of development tools and platforms that are increasingly being targeted."
3. SCA-based SBOMs provide only a limited view of software risk
SCA provides a binary analysis of open-source libraries in a software package. It can help identify known vulnerabilities in open-source components, and help organizations build a Software Bill of Materials (SBOM), based on its ability to manifest of all open-source use and dependencies in the environment. Many organizations also use SCA to address issues with software licenses and compliance.
However, as noted above, modern supply chain threats extend well beyond open-source software and vulnerabilities. ReversingLabs' State of Software Supply Chain Security 2022-23 describes in detail how organizations face threats from a variety of other supply chain attack vectors, including commercial third-party software and code repositories.
A new ReversingLabs Special Report, The Evolution of Application Security, explores the state of SCA tools (which includes Forrester's Software Composition Analysis Landscape, Q1 2023) — and how app sec is evolving to tackle supply chain risk.
End-to-end software supply chain security is key
With supply chain attacks increasing and software packages becoming larger and more complex, organizations need capabilities that go beyond traditional AST tooling, the ReversingLab report concluded. A comprehensive software supply chain security platform should include SAST, DAST and SCA — but also requires modern software supply chain security tools that provide deeper visibility.
A complete, end-to-end software supply chain security programs also needs to support workflows for the entire security organization, across development and app sec teams, as well as third-party risk teams and Security Operations Center (SOC) teams, the report concluded.
As ReversingLabs Field CISO Matt Rose notes in a recent post:
"Software supply chain security needs to be recognized for what it has become: A separate discipline within the application security ecosystem."
Learn more in ReversingLabs' new report, "Why Traditional Application Security Testing Alone Can't Mitigate Software Supply Chain Attacks."
Article Link: 3 reasons why you need to upgrade your application security testing to tackle supply chain security