Static Application Security Testing at Scale 

Posted On

by

Software security requires a holistic view across vast ecosystems of smaller systems, each with its own code set and associated vulnerabilities that need to be prevented or managed.  

Today’s embedded systems are not monolithic, they are systems of systems, including sensors, actuators, controllers, interfaces, network switches—the works. Consider the many systems running automobiles, industrial manufacturing equipment, farming equipment, medical scanners, airplanes, and more. Even something as small as smart thermostat consists of multiple systems: the thermostat itself, the sensors that detect temperature or carbon monoxide, and the enterprise system that connects to them.  

Embedded Layers 

On the embedded side, some of these systems run on bare metal processors, others on Real-Time Operating Systems (RTOS), open source or not. Zephyr is very popular lately, as are VxWorks and QNX, and some run on Linux, Windows, you name it. Each of these systems contains first-party code that was purpose-written for the device, second-party code built through outsourcing, and third-party code that was purchased—for example a Bluetooth stack, or maybe LoRan logic. 

Infrastructure Layers 

On the enterprise side, there will be Infrastructure-as-Code (IaS) that drives IT layers in the cloud or on-premise. Kubernetes, databases, likely some artificial intelligence, business intelligence, and many more IaS layers help the business make decisions.  

From an implementation perspective, you will have a host of different languages that are used. From the embedded side upwards, the system will likely be based on C, maybe C++, possibly some Java or C# components, which are popular languages for embedded systems as they make programming easier. There may also be JavaScript, possibly others. Maybe there are even some components using up and coming languages like Rust and Go. Of course, there is also always some Python somewhere. 

All combined, these systems-of-systems can span hundreds of millions of lines of code. That may be a large number, but a car by itself has 100M lines of code. Combine that with the connecting enterprise systems, and maintenance systems, and your reach staggering amounts of code. 

Testing Layers 

From a development tooling perspective, it would be nice if all these systems used the same tools for source control for defect tracking as an Integrated Development Environment. But most of the time these systems have been built up over a longer period by multiple teams, so there will be a mixture of tools to contend with. 

How does one approach product security in these systems of systems, especially when there are so many layers of protection to apply? Application security testing requires many different technologies, from Static Application Security Testing (SAST) to Dynamic Application Security Testing (DAST), through Interactive Application Security Testing (IAST), to Software Supply Chain Security (SSCS) and Software Composition Analysis (SCA).  

And even within each of these sections, say for example SAST, there are often different tools used.  

Security and Safety Requirements Layers 

CodeSecure CodeSonar is known for its depth in scanning C, C++ as well as Java and C# code, finding security defects as well as standards violations (such as MISRA, or JSF). However, other tools would be required to scan artifacts that are IaC-based. In its latest release, CodeSecure has added code smell detection for additional languages such as Kotlin, Go, Rust, JavaScript, TypeScript, and Python. Still, there is usually a mixture of SAST tools needed to build a complete application security suite. 

So, to run a holistic application security program for a decent size application will require a suite of tools, each providing valuable information. Regardless of the number and type of testing tools used, this information needs to be distilled, charted over history, summarized, reported, and utilized to make decisions to manage risk, and to track time-to-market.   

Application Security Posture Management 

This is where Application Security Posture Management (ASPM) comes in. 

Managing risk in these multi-layered systems requires all this information to be distilled and presented to decision makers, who then orchestrate actions, where required, in the appropriate tools to manage risk. That is the basic underpinning of Application Security Posture Management. This is where platform solutions like ArmorCode shine. It allows projects to pull together lots of valuable information from multiple sources, across multiple projects and domains.  

If we take the car analogy from earlier, ASPM can group the safety critical aspects of the car together and report on them. It can pull the user-experience parts together, same for communication, and advanced driver assist. Enterprise connection services can be similarly grouped and managed. The management team can create various reports and set policies that are layer specific and then report up to the executive layer. 

Combining and tracking this information is crucial in today’s age of ever-increasing cyber security regulations. The US, Europe, Japan, Korea, and many countries are tightening the rules that product developers have to follow when developing software. 

Beyond the collection and management of information, ASPM also allows decision makers to trigger actions in different tools,  all from a single pane of glass. 

Let’s say you have a component in your system that is delivered in binary form by a third party. And through binary SCA, you discover that, due to unfortunate timing, it contains the wrong version of ‘xz’ and it is susceptible to CVE-2024-3094. You need to create a ticket to the team that manages this component. Without ASPM, this would mean that you need to figure out how to raise this ticket, figure out whether this is JIRA, or IBM ELM, or even Bugzilla. An ASPM offering, like ArmorCode, centralizes that project-based information for you and raising a ticket is a click of a button. 

Conclusion 

As software systems become increasingly complex and interconnected, ensuring robust security measures is paramount to safeguarding against cyber threats and meeting regulatory requirements. Application Security Posture Management (ASPM) emerges as a critical solution to streamline security practices, consolidate information, and empower decision-makers in managing risks effectively across multi-layered systems. 

To stay ahead in the constantly evolving landscape of software security, it is essential for organizations and software developers to explore the benefits that ASPM tools offer. By centralizing and presenting security insights comprehensively, ASPM not only enhances security posture but also simplifies the process of identifying and addressing vulnerabilities promptly. Take the proactive step today to enhance your software security practices by delving into the world of Application Security Posture Management. Empower your teams, strengthen your defenses, and ensure the integrity and resilience of your software systems in the face of emerging threats. 

Other Posts

Check out all other blog posts and stay informed.

view all posts