Posts Tagged ‘Static Application Security Testing (SAST)’

This is typical scene and context you will hear before.

User make contact to help desk, yesterday still can access application, but today they encounter problem… due to developers make change and implement new functionality, and helpdesk support are not aware of it. DevOps support is challenging, in particular outsourced scenario.

For uncontrolled DevOps adoption at the rapid speed without consideration of helpdesk and users will happen and disrupt the operation. The promise of adopt DevOps and get business needed functionality at the business speed, using various continuous integration (CI) and continuous development (CD), continuous delivery and continuous deployment. With the strong believe users can aboard small, incremental changes introduced through a DevOps methodology without disruption of the business operation. Those are ideal scene. But we saw lot of large change and implemented in the bad way without coordination. For in-house developer maybe the disruption maybe less compare with outsourced due to accessible of the in-house developers team. But overall, that indicate the problem and issue where developers are not the good communicator and coordinate the smooth transition. A better approach bring in helpdesk and some user in the project line steering community group to make sure all the impact is noted and move in the manner every party can make their own contribution is the key. In the end, it is enterprise change, no just about developer developed application. Application required user to use and helpdesk to support.
For the best way is developer make use of system and tool where can provide user and helpdesk aware of what is going on, automation and integration to push all the needed information into respective group in their format of choice or what they used to. That will help to streamline and minimise the business disruption for the entire enterprise.

Feel free to contact E-SPIN for the various system and tools that we represented that capable to provide effective and efficient DevOps support for developer, helpdesk and user. From source code static application security testing (SAST), to dynamic application security testing (DAST), integrated platform, just to name some key result area (KRA) we can instant help.

Read Full Post »



With the recent Gartner published new market guide with the introduce of “container security” be part of the vulnerability management, Tenable be the only one possess that by bought over FlawCheck last year and introduce Tenable.io platform in the market, the market change again.
Tenable.io also introduce web application security (WAS) as part of the platform offering. With Container security and web application security, it now cross over to leading container security and enter into what we traditional called application security market (traditionally occupied by web vulnerability scanner and static source code analyzer vendor). Rapid7 from the past bought over NTO and enter into application security as well, by rebranding it as AppSpider product. We will expect all will catch up on the container security, most likely acquired existing player who offer it.
Technology keep changing from years, where from the past on the cloud and online, software as a service (SaaS) model, with emerge of Qualys as the leading player on that field. With the latest acquired and integration of other new technology take place, the real differentiator for major player become minimal, we can expected major vendor will try to introduce unique and specialized area and be differentiate themselves over another (take over, merger and acquisition is the obvious option for enter market rapidly) .
With application security in depth alone, traditionally Tenable do not enter in the past, where dominance by web application scanner offer dynamic , static application security testing technology (DAST, SAST) or new interactive application security testing (IAST). We can expect the market will be changing again.
Traditional vulnerability management or specialized web application scanner become more generic offering, and the price point is bring down significantly as technologies matured and more me-too product introduce in the market. Available of open sources alternative, let enterprise market who willing to paid for commercial offering being the primary target for all the commercial vendor.
We also saw the trend for traditional penetration testing tool vendor attempt to enter vulnerability management market. With the Rapid7 acquired Metasploit in the past and the recent Core Security make the vulnerability management offering.
We also see the trend for company used to offer SAST now try to enter DAST in application security field. For mobile application security testing (Mobile AST) as new technology also rising demand for today mobile application driven business.
On the other end, we saw the smaller vendor who previously focus on one tool product now day also attempt to expand their offering to large audience. Big player is extend their product with niche product/ to penetrate those previously recognize as niche as well.

Future of Vulnerability Management

Predicting for near future product-market


  • Mobile application security testing (Mobile AST) will be included in Application Security Testing (AST) tool market (together with DAST, SAST, IAST).
  • Container Security will be one of the unique, and slowly all the major player will incorporate into their offering (whether as a option or bundled).
  • Unified of vulnerability management and application security in the near future (and eliminate some of the player that can not transit over the new changing market reality).
  • Standalone and niche focus product that easy to be use continue to be play a role in the market for those who look for solving specific purpose, both generic and specialize product /tools continue to be available for those who need them.
  • Shift left (move from product security to software development) trend, more and more customer look for integrated tool to streamline the vulnerability/security fixing cycle as early as at the early development process.


  • Trend toward threat/vulnerability management (VTM) slowly emerge and recognize as single unified process (threat assessment -> vulnerability assessment -> risk analysis) to streamline the whole process for address enterprise threat/vulnerability and risk analysis / security risk management (SRM).
The future of vulnerability management suite, depend on the end user requirement. For complex enterprise requirement, will include the above unified vulnerability management suite aspect/functional module or option in the package bundled.
As you can see for the market product shift underway, if you want to make any major decision for the short term, for sure, license subscription (LS) is the way to go, since it is pointless to own “outdated product” and pay significant investment upfront that you may or may not really found it relevant to the changed market at all.
E-SPIN Group being vulnerability management, application security and penetration testing product and solution provider for over 13 years in the market. E-SPIN will continue to be active in the business domain and helping customer to make right investment that yield return of investment.
Feel free to contact our E-SPIN solution consultant for any project or operation requirements.

Read Full Post »


Application Security Testing got three core set of technology vendor, whether focus on Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) or Interactive Application Security Testing (IAST) as the solution for target user group.

So far nope of any vendor can claim single product can address three core result area, the most is want you to buy sister product or complementary product (so, it is not single product).

To be specific, the topic focus on Static Application Security Testing (SAST), where heavy use by Development Team.

The market have range of offering, whether open source or commercial source offering. Since open source is depend on the user for adopt to it and for self /community support, we focus our topic on commercial tool, since they are paid tool and involved financial investment, we want to share some insight how to choose Static Application Security Testing (SAST) tool.

Despite recent years have more and more security team personnel is interest on the SAST, most of them lack one pre condition competency to master it well – the fundamental programming skill set, whether on Java, C/C++, .Net and the rest.

The great tool appreciate by programmer and developer, may or may not be the right tool for security officer, mainly due to core competency require to understanding the programming code. If you do not understanding the code, how can you study it and attempt to perform secure code review? purely depend on the automated tool and not programming language at all? you can imagine how the report will look like and whether or not can be answer developer question on the report founding.

As you can see, despite now days more and more commercial vendor attempt to market their product cross platform, can cover all the language, you will notice, truly development team will not really excite about it, since they are practice the one or very platform technology only. If you ask them to buy SAST tool claim to support 10 language, it will be nice to have, if that not their money. But in reality, they are maybe just focus on one platform only, in that scenario, specific SAST focus on platform will be more relevance and more importantly, cost much lower and more to the point platform support. It is much more easy to understand and use as well.

Do not get us wrong, we do not against universal static application security testing tool, it have it appeal market, in the matter of fact, we supply it too for some segment of the customers. We are focus on the perspective for development team, who need to use the development tool for not just static code analysis, but perform functionality, load, run time memory error testing as well to make sure the quality of the application, beyond application security testing only.

Once you develop the right perspective, you will much more easy to balance security and development team requirement. On top of it, remember for the rise of application vulnerability correlation (AVC) technology. Security team can keep using their dynamic application security testing tool (DAST), and let development team use their platform specific and more advanced static application security testing tool (SAST). Share the result in the Application Vulnerability Correlation (AVC) platform, dashboard and report to provide unified vulnerability management for the holistic view.

Another more costly and convention approach is invested on the enterprise grade solution, cover end to end and force all users to use the integrated solution.

Technology keep advancing in fast pace, you will notice those purpose built or platform specific tool will be update and upgrade in more fast speed compare with integrated tools.

One last area most of enterprise will forgot to invest on is the secure code review competency training for developer or security officer. It need to be competency specific and may not be product specific. One of the best way to acquire it is to subscribe for the computer based interactive training (CBT) that specific develop for the target competency area, such as secure code review for .Net, C/C++, Java and the rest.

If you have case specific question please feel free to contact E-SPIN for your case and requirement.  Whether on the dynamic or static application security testing tool or security testing, secure code review competency based CBT training program.

Read Full Post »