
Dynamic Application Security Testing at Cribl

July 29, 2024
Categories: Engineering

Dynamic Application Security Testing (DAST) is a type of security testing that actively exercises and inspects a running web application for security vulnerabilities. A DAST scanner sends an assortment of attack payloads to the target application, typically in HTTP requests, then analyzes the responses and the application's behavior to detect vulnerabilities. Because it tests the running application rather than its source code, DAST is language and framework agnostic: with careful configuration it can scan any web application.

DAST is also a major component in satisfying compliance framework controls. For example, PCI DSS v4.0 Requirement 6.4.1 calls for public-facing web applications to be reviewed with vulnerability assessment tools at least annually and after significant changes, and NIST SP 800-53 control RA-5 (Vulnerability Monitoring and Scanning) calls for scanning systems and hosted applications for vulnerabilities. DAST scans help detect those vulnerabilities, guide remediation, and produce the reports that serve as evidence of meeting such controls.

DAST in the SDLC

At Cribl, our applications undergo regular DAST scans at every stage from build to production. Scanning throughout all stages ensures that our latest features are rigorously tested and that potential security issues have been vetted before they reach production. Triggering a scan as part of a pull request (PR) or as a build step in the software development life cycle (SDLC) looks like the obvious approach, but it is usually too cumbersome: a thorough scan of a complex application can take several hours depending on how many application states it has to exercise, and adding that much time to every build is not acceptable. Instead, we run nightly scans asynchronously against the self-hosted, staging, and production instances of our application. When it is time to promote a build, we poll the latest scan results to decide whether our security requirements for release are met. That check can be as quick as a handful of API calls when seconds matter, or as thorough as a security engineer's review when more scrutiny is required.
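A concrete form of the release check described above, as an added example that is not Cribl's tooling and does not use the InsightAppSec API schema: the scan-result document, its field names and the policy thresholds are all constructed here. The gate takes the most recent completed scan per environment and holds the release if that scan is missing, not COMPLETE, older than 24 hours, or still carries an OPEN or VERIFIED finding at HIGH or above; findings already triaged as false positives or remediated do not count against the release.

```python
"""Release gate over the latest DAST scan results.

Added example: this is not Cribl's release tooling and does not use the
InsightAppSec API schema. The scan-result document, its field names and the
policy thresholds are constructed here; a real gate would fetch the equivalent
fields from the scanner's API and map them into ScanResult.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Severity order used by the policy (assumed labels, not a vendor schema).
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Triage states that still count against a release. Anything else
# (FALSE_POSITIVE, REMEDIATED, RISK_ACCEPTED) has already been dispositioned.
COUNTING_STATES = {"OPEN", "VERIFIED"}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    status: str
    title: str


@dataclass(frozen=True)
class ScanResult:
    scan_id: str
    target: str                     # environment name, e.g. "staging"
    status: str                     # COMPLETE, RUNNING, FAILED
    completed_at: datetime | None   # None until the scan finishes
    findings: tuple[Finding, ...]


@dataclass(frozen=True)
class GateDecision:
    target: str
    promote: bool
    reasons: tuple[str, ...]        # empty when promote is True


def load_scans(text):
    """Parse the constructed scan-result document into ScanResult records."""
    scans = []
    for s in json.loads(text)["scans"]:
        done = s.get("completed_at")
        scans.append(ScanResult(
            scan_id=s["scan_id"], target=s["target"], status=s["status"],
            completed_at=datetime.fromisoformat(done) if done else None,
            findings=tuple(Finding(**f) for f in s.get("findings", [])),
        ))
    return scans


def latest_scan(scans, target):
    """Most recently finished scan of a target, or None if there is none."""
    done = [s for s in scans if s.target == target and s.completed_at is not None]
    return max(done, key=lambda s: s.completed_at, default=None)


def evaluate_gate(scans, target, now, max_age=timedelta(hours=24), block_at="HIGH"):
    """Fail closed: a missing, unfinished or stale scan, or any counting
    finding at or above block_at, holds the release."""
    scan = latest_scan(scans, target)
    if scan is None:
        return GateDecision(target, False, ("no completed scan on record",))
    reasons = []
    if scan.status != "COMPLETE":
        reasons.append(f"scan {scan.scan_id} status is {scan.status}, not COMPLETE")
    age = now - scan.completed_at
    if age > max_age:
        reasons.append(f"scan {scan.scan_id} is stale: finished {age} ago, limit {max_age}")
    threshold = SEVERITY_RANK[block_at]
    for f in scan.findings:
        if f.status in COUNTING_STATES and SEVERITY_RANK.get(f.severity, 0) >= threshold:
            reasons.append(f"{f.severity} finding {f.finding_id} ({f.title}) is {f.status}")
    return GateDecision(target, not reasons, tuple(reasons))


# Constructed scan results for three environments (not real findings).
SAMPLE_RESULTS = json.dumps({"scans": [
    {"scan_id": "s-101", "target": "staging", "status": "COMPLETE",
     "completed_at": "2024-07-29T03:12:00+00:00", "findings": [
         {"finding_id": "v-1", "severity": "HIGH", "status": "FALSE_POSITIVE", "title": "SQL Injection"},
         {"finding_id": "v-2", "severity": "MEDIUM", "status": "OPEN", "title": "Missing CSP header"}]},
    {"scan_id": "s-102", "target": "production", "status": "COMPLETE",
     "completed_at": "2024-07-26T03:05:00+00:00", "findings": []},
    {"scan_id": "s-103", "target": "self-hosted", "status": "COMPLETE",
     "completed_at": "2024-07-29T02:40:00+00:00", "findings": [
         {"finding_id": "v-3", "severity": "HIGH", "status": "VERIFIED", "title": "Reflected XSS"}]},
]})
NOW = datetime(2024, 7, 29, 9, 0, tzinfo=timezone.utc)   # "now" for the example


def gate_all(results_text=SAMPLE_RESULTS, now=NOW):
    """Evaluate the gate for every environment; returns {target: GateDecision}."""
    scans = load_scans(results_text)
    return {t: evaluate_gate(scans, t, now) for t in ("staging", "production", "self-hosted")}


if __name__ == "__main__":
    for target, d in gate_all().items():
        print(f"{target}: {'PROMOTE' if d.promote else 'HOLD'}", *d.reasons, sep="\n  ")
```

With the constructed data, staging promotes (its HIGH finding was triaged as a false positive and the MEDIUM is below the threshold), production is held because its last scan is three days old, and self-hosted is held on a verified HIGH. The design point is that "satisfaction with our security requirements" becomes an explicit, reviewable policy, and that a stale or absent scan fails closed rather than being read as "no findings".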

Although DAST scans occur post-build, the results of the latest scans are useful early in the next iteration of the SDLC, and DAST complements many other tools in our security program. Shifting left in our SDLC, we integrate Static Application Security Testing (SAST), secure coding pattern documentation, and security training and awareness for our developers. Findings from DAST scans provide essential feedback for updating our SAST ruleset, our secure code pattern documentation, and our training material. This creates a positive feedback loop that strengthens with each iteration of our SDLC.

Building a DAST Program

Vendor and tool selection are the first major steps in building a DAST program, and because every business has its own scanning requirements, mileage may vary. Our selection criterion was a vendor whose team would work with us to ensure good scan coverage and meaningful results. Bringing on a new vendor means training our Product Security team, setting up the initial configuration of new scans, auditing those scans for their health, and partnering with the vendor to reduce false positive counts. In the past we have worked with vendors that served as the sole gatekeepers in determining the status of a vulnerability. High volumes of false positives are a reality of DAST scanning, given the complexity and variety of modern applications, so our goal was a vendor that would work alongside our Product Security team to whittle down false positives and deliver meaningful results.

At Cribl, we use Rapid7's InsightAppSec. It is operated by Rapid7's Managed Application Security (MAS) team, a group of application security experts that augments Cribl's Product Security team on DAST, and in close collaboration with us they have put in meticulous work to ensure meaningful security coverage. For a small Product Security team, as is the case for many organizations, a managed service for DAST tooling has been a cost-effective force multiplier. We meet with Rapid7 at a regular cadence to drive the health of our DAST program; their team helps us configure complex scans for all our environments, schedules and runs regular scans, and triages discovered vulnerabilities.

Scan coverage is the most crucial aspect of successful DAST scanning. A scan that is simply pointed at an application with a set of credentials will barely scratch the surface: unguided crawling reaches only the low-hanging functionality. Modern web applications are large and complex, and much of their functionality sits behind conditional state that a crawler will never trigger on its own, so they require a deliberately built scan configuration.

Our InsightAppSec instance has several configurations that optimize our scan coverage. For Cribl Cloud, we have worked with Rapid7 to record large traffic captures that exercise the bulk of our functionality. These captures enumerate many of the application's dependent states. They are fed into InsightAppSec, where each recorded request is replayed repeatedly with the scanner's attack payloads, and the scanner then spiders and scans any remaining functionality to top off coverage. This configuration is repeated across many user accounts so that every privilege level is scanned equally: our application relies heavily on Role Based Access Control (RBAC), so different functionality and interfaces exist depending on the roles of the active session, and we maintain a tailored scan configuration for each role.

Other web services, such as APIs, require a slightly different scan configuration. Instead of recording traffic in a browser, we capture the traffic produced by running every request in a Postman collection. Those requests are fed into InsightAppSec, where the engine executes the scan. Because the Postman collections and OpenAPI (Swagger) definitions are used to ensure endpoint coverage, this approach covers our entire API surface.

Multiple scan configurations are essential for maximizing DAST coverage against complex web applications, and as applications change over time, so must the scan configurations; keeping them healthy is continuous, proactive work. High-quality, healthy scans are far more than point-and-shoot with a DAST scanner. Scanners such as InsightAppSec allow many scan configurations across all target applications to be managed from a single interface, and as a cloud service InsightAppSec gives us one place for every stage of a DAST scan: configuration, scheduling of regular or ad hoc scans, triage of vulnerabilities, and pushing findings to our ticketing system. This has streamlined our DAST program while keeping security coverage for our applications high.

Using Cribl to Enhance DAST

At Cribl we make extensive use of our own products, often in creative ways, to improve our other tooling. Cribl Search, our federated search-in-place tool for analyzing data, is extremely useful alongside DAST for discovering and validating tricky, blind vulnerabilities. A DAST scanner relies on feedback from the target application to detect findings: variations in response status codes and response bodies, timing differences, or side channels such as out-of-band requests. Some indicators, however, appear only in application or system logs, which a DAST scanner cannot see without an agent or other instrumentation.

Cribl can collect these application and system logs and store them in Cribl Lake, and Cribl Search can then be used to find stack traces, SQL errors, and other undesirable application behavior. Because DAST scanners typically mark their requests with unique headers or tokens, the search can be narrowed to exactly the traffic a scan generated. Searches and the notifications they produce can be scheduled at a recurring cadence, so Cribl becomes a powerful way to extract more value from DAST tooling.
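The correlation described above, as an added example rather than Cribl's code or a Cribl Search query: it models the same join in plain Python over two constructed log feeds. It assumes, as the post does not specify, that the scanner sends a custom request header (here `X-Scan-Id`) which the access log records, and that the application log carries the same `request_id` as the matching access-log entry. In the constructed data the scanner itself only sees a 500 for the first request and a 200 for the last, while the application log shows a SQL syntax error and a shell "command not found" for them; a third error belongs to ordinary user traffic and is filtered out.

```python
"""Correlate DAST scan traffic with error indicators that only appear in logs.

Added example: this is not Cribl's code and not a Cribl Search query; it
models the same correlation in plain Python over two constructed log feeds.
Assumptions not stated in the post: the scanner sends a custom request header
(here X-Scan-Id) that the access log records, and the application log carries
the same request_id as the matching access-log entry.
"""
import json
import re
from collections import defaultdict

# Constructed access log (one JSON object per line). r-004 is ordinary user
# traffic with no scan header; r-005 returns 200, so the scanner sees nothing.
ACCESS_LOG = """
{"ts":"2024-07-29T02:10:01Z","request_id":"r-001","method":"GET","path":"/api/v1/pipelines","status":500,"headers":{"x-scan-id":"scan-42"}}
{"ts":"2024-07-29T02:10:02Z","request_id":"r-002","method":"POST","path":"/api/v1/login","status":200,"headers":{"x-scan-id":"scan-42"}}
{"ts":"2024-07-29T02:10:03Z","request_id":"r-003","method":"GET","path":"/api/v1/search","status":200,"headers":{"x-scan-id":"scan-42"}}
{"ts":"2024-07-29T02:10:04Z","request_id":"r-004","method":"GET","path":"/api/v1/pipelines","status":500,"headers":{}}
{"ts":"2024-07-29T02:10:05Z","request_id":"r-005","method":"GET","path":"/api/v1/export","status":200,"headers":{"x-scan-id":"scan-42"}}
""".strip()

# Constructed application log for the same window.
APP_LOG = """
{"ts":"2024-07-29T02:10:01Z","request_id":"r-001","level":"error","msg":"pg: syntax error at or near \\"'\\" in SELECT * FROM pipelines WHERE id = ''' OR 1=1--"}
{"ts":"2024-07-29T02:10:03Z","request_id":"r-003","level":"info","msg":"search completed in 12ms"}
{"ts":"2024-07-29T02:10:04Z","request_id":"r-004","level":"error","msg":"TypeError: Cannot read properties of undefined (reading 'id')\\n    at PipelineController.get (/app/controllers/pipeline.js:44:17)"}
{"ts":"2024-07-29T02:10:05Z","request_id":"r-005","level":"warn","msg":"sh: 1: ping: not found"}
""".strip()

# Log-side symptoms worth a second look. Each pattern is a heuristic; widen
# the list with whatever your application framework actually emits.
INDICATORS = [
    ("sql_error", re.compile(
        r"syntax error at or near|SQLSTATE\[|You have an error in your SQL syntax|ORA-\d{5}", re.I)),
    ("stack_trace", re.compile(
        r"Traceback \(most recent call last\)|^\s+at [\w$.<>]+ \(", re.M)),
    ("shell_error", re.compile(r"\bsh: \d+: .*: not found|/bin/sh: .*: not found")),
]


def parse_jsonl(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(message):
    """Names of every indicator pattern that matches the log message."""
    return [name for name, rx in INDICATORS if rx.search(message)]


def scan_requests(access_entries, scan_id, header="x-scan-id"):
    """Access-log entries that carry the scanner's marker, keyed by request_id."""
    return {e["request_id"]: e for e in access_entries
            if e.get("headers", {}).get(header) == scan_id}


def correlate(access_text, app_text, scan_id):
    """Join app-log symptoms to the scan requests that caused them.

    Returns {(method, path): [{request_id, status, indicator}, ...]} so each
    hit can be traced back to the exact request the scanner sent and compared
    with the status code the scanner itself observed.
    """
    requests = scan_requests(parse_jsonl(access_text), scan_id)
    hits = defaultdict(list)
    for entry in parse_jsonl(app_text):
        req = requests.get(entry.get("request_id"))
        if req is None:            # not scanner traffic: leave it to normal ops
            continue
        for indicator in classify(entry.get("msg", "")):
            hits[(req["method"], req["path"])].append(
                {"request_id": req["request_id"], "status": req["status"], "indicator": indicator})
    return dict(hits)


if __name__ == "__main__":
    for (method, path), events in correlate(ACCESS_LOG, APP_LOG, "scan-42").items():
        for ev in events:
            print(f"{method} {path}: HTTP {ev['status']} to the scanner, "
                  f"{ev['indicator']} in app log ({ev['request_id']})")
```

The `GET /api/v1/export` hit is the interesting one: the scanner received a clean 200, so nothing in its own feedback loop would flag the request, yet the application log shows the injected command reaching a shell. That is the class of blind finding the log-side search exists to surface, and the scan marker is what keeps the search from drowning in unrelated production errors such as r-004.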

Wrap Up

DAST scanning is an important tool in a Product Security team's toolkit. A DAST program's value is realized through partnerships with developers, quality assurance, DevOps, and managed service providers, and significant testing coverage can be gained by reusing the exhaustive effort engineering teams already put into functional application testing. Combining DAST with tools such as Cribl Lake and Cribl Search improves the ability to detect vulnerabilities whose only symptoms are buried in log files. In the latest OWASP Top 10 (2021), Security Logging and Monitoring Failures is number nine on the list (A09:2021). A DAST scan is itself a burst of attack traffic that such a control should detect and record, so monitoring practices must be in place in conjunction with scanning. Observability is essential when performing security testing, and Cribl's tooling can help satisfy these controls and sharpen detection through careful search queries.


 
