In this final post of Your AST Guide for the Disenchanted, series, we’ll share why SCA and AFT are two ideal solutions for transforming your DevOps workflow to a DevSecOp workflow.

How Does SCA and AFT Complement Each Other?

Here’s how they fit together.

Software Composition Analysis (SCA)

Advanced Fuzz Testing (AFT)

Description

Generates a bill of materials for applications and the corresponding known vulnerabilities within them.

Executes uncommon and unknown attack patterns against applications and monitors for anomalous behaviors. Anomalous behaviors, such as memory leaks, infinite loops, and crashes are a sign of underlying vulnerabilities

Approach

Black Box

Grey-box - meaning it can test with both access to code and without

Application State During Testing

Non-running State

Running state

Accuracy

High

High

Vulnerability coverage

Known

Unknown and zero-days

SDLC Phase

Design

Development

CI/CD

Pre-Deployment and post-deployment (vendor dependent); AST solutions integrated earlier in the SDLC is desired for DevSecOps. Studies have shown testing early and often manages unexpected remediation costs and effort. 

Pre-Deployment and post-deployment; AST solutions integrated earlier in the SDLC is desired for DevSecOps. Studies have shown testing early and often manages unexpected remediation costs and effort. 

Remediation Actionability

Medium-High

High

DevSecOps Best Practices

Offer a whitelist of code components developers can source from before development begins

Integrates as a part of developer workflows to share results as a part of the build process

Why is the SCA-AFT combination significant?

The combination of these technologies offer a comprehensive coverage of two significant types of application security risks: known and unknown vulnerabilities. Implemented correctly, they enable security teams to take a proactive approach to application security that allow organizations to stay ahead of the threat landscape. 

What are the key attributes to consider in an AFT solution?

Market observers are hedging their bets, and they’re predicting that 2020 is the year of fuzz testing due to several significant advances from its former predecessors -- random fuzzing and grammar-based fuzzing. Here are the minimum set of criteria to consider when evaluating AST solutions:

• Accuracy
• Scale/Speed
• CICD Integration
• Automation
• Testing intelligence
• Issue reproduction
• Vulnerability detection

“People [are accepting] that integration testing is needed, unit testing is needed, end-to-end testing is needed, and now, that fuzz testing is needed.” - David Haynes, Cloudflare

{code-cta}} 

Want to learn more?

This post marks the end of the AST Guide for the Disenchanted series. To learn about the Top 3 Barriers to Fuzz Testing and how you can overcome them, read more here.

For detailed information or a demo, contact us at info@forallsecure.com.