[00:00:00] Dana Torgersen: Hi folks, welcome to another Let's Talk ASPM podcast. Dana Torgersen and Mark Lambert here. We want to talk to you in a series about all the different technologies, all your scanner tools, when it comes to application security. AppSec, shifting left. From the right to the left, left to the right. In this episode, let's talk about what happens when you're on the far left, all the way over to the left. Mark, tell our audience about these tools that are out there.
[00:00:28] Dana Torgersen: I imagine there's a bunch of different letters representing all the different acronyms: SCA, SAST and so forth.
[00:00:37] Mark Lambert: Yeah. Yeah. And actually another way of thinking about this is it's from the code to the cloud, right? Because most applications these days are deployed in the cloud. So when you think about application security, don't lock yourself into just thinking about the code analysis scanners.
[00:00:49] Mark Lambert: And that's what we're going to focus on in this episode. But don't lock yourself in there. And actually, before we even get to code analysis, let's just take a little step further left. And something that unfortunately not a lot of organizations are doing, which is threat modeling. Really understanding the design of your application, where your potential threats are, and I always view that as being a best-done approach.
[00:01:09] Mark Lambert: Right at the beginning, before you even write the first line of code. But if we cannot stop thinking about the code analysis, that's where the first sets of alphabet soup come into play. So usually the furthest left is SAST: Static Application Security Testing. Obviously, it's been around for a little over 20 years now.
[00:01:27] Mark Lambert: You know, Fortify being one of the founding or, you know, the initial companies going to market with that kind of technology, in essence starting as basic linters, looking for parsing issues in the parse tree, trying to find best practices that way. Now that has then evolved.
[00:01:42] Mark Lambert: So static application security testing now is much more than just basic linting. Commercial tools are looking at the code flow path, understanding the contextual execution approach of the application. However, even with all of that, additional symbolic code analysis, they still have a higher noise making.
[00:01:59] Mark Lambert: So the signal-to-noise ratio is much higher than other techniques. The further right that you get, the further right you typically get in the pipeline, the more accurate or less noisy the tools are. We'll talk about that as we go. So with that context, though, if we can actually start to use the code flow analysis, we get more accurate static analysis findings.
[00:02:17] Mark Lambert: But still, usually the volume is very high. I wouldn't really call them false positives, although some people would classify them as false positives. It's just that they lack the contextual awareness. Now, the thing about SAST is, SAST is focused on the code that you write. The code that's going into your application that you're writing.
[00:02:33] Mark Lambert: Now, of course, there is other code in your application. Code that you didn't write. It's open source code, right? This is where the other three-letter, well, not the other three-letter acronym, but another three-letter acronym comes in. Software Composition Analysis. This, in essence, is saying: the application that I'm writing, what libraries am I using?
[00:02:52] Mark Lambert: And what vulnerabilities exist within those libraries? So this is where CVEs come in. You know, this is often, when we're talking about software security, we are very CVE-centric, and we're looking at threat intelligence information to identify if something's actually exploited, and so on. And we'll get into that when we talk a little bit more about CVEs in a little bit.
[00:03:09] Mark Lambert: Kind of like right-orientated tools. SAST is finding weaknesses. It's not a vulnerability from a CVE perspective. It's finding a CWE, a weakness, that is a potential problem. Now when we look at software composition analysis, we're now finding a known problem. It's a library and it has a vulnerability.
[00:03:26] Mark Lambert: However, you might not be using the part of that library that is vulnerable. So this is where reachability analysis is really important. So this is now really, in my mind, table stakes for software composition analysis companies, where they're analyzing how your application is using the third-party dependency to identify if you're actually using the part of that library or that code base that is actually vulnerable.
[00:03:51] Mark Lambert: So this again reduces the noise through context. Now, software composition analysis is a great bridge between the code and the cloud. And we'll talk about that in a subsequent podcast. I mean, another bridge there is infrastructure as code as well, as we're starting to build out the infrastructure with, you know, Terraform scripts, for example, and we're doing the same kind of thing.
[00:04:14] Mark Lambert: We're analyzing those to see, okay, what hidden vulnerabilities are in there, or what misconfigurations. But really, that's moving a little further right. There will be another acronym, IaC. So the little a is infrastructure, capital I, little a as code, big C. But as I said, we'll talk about that.
[00:04:32] Mark Lambert: I think more when we start talking about the cloud part of code to cloud.
[00:04:35] Dana Torgersen: And that's coming up soon, folks. Remember to like and subscribe to this podcast and you'll make sure you don't miss a single beat. Thanks again, Mark.
[00:04:42] Mark Lambert: Thanks Dana!
[00:04:43] Dana Torgersen: Appreciate it. Cheers.