Glass Box: The Next Phase of Web Application Security Testing?
IBM's latest AppScan release combines static and dynamic testing methods.
For years, security researchers have used the terms "black box" and "white box" to describe dynamic and static web application security analysis, respectively. IBM is now seeking to combine the best of both approaches by introducing a new approach called "Glass Box."
"We use the terms 'black box' and 'dynamic analysis' interchangeably, and basically that's looking at a functioning application in a web browser and evaluating its state to identify potential vulnerabilities," Patrick Vandenberg, program director for IBM Security, told InternetNews.com. "'Static analysis' we use interchangeably with white box testing and that's looking at source code before it is compiled to root out potential vulnerabilities."
With its latest release of AppScan standard edition 8.5, IBM is now taking that capability one step further by introducing the new Glass Box approach. With Glass Box, AppScan installs agents on a server to instrument the code, while also applying dynamic analysis techniques.
"In so doing we're getting the real-world validation that you get from black box testing as well as getting inside the box, and that delivers phenomenal improvements in accuracy," Vandenberg said.
When it comes to root cause analysis using Glass Box, Vandenberg noted that users are limited in what they can see from an instrumentation perspective. That said, Vandenberg added that the system is able to provide coverage for all the vulnerabilities that a user would be able to find from a static analysis perspective within the context of a web application.
Full static analysis is still required for non-web applications as well as from a process perspective.
"Really the root cause is sitting in development where all these vulnerabilities are first introduced to the code," Vandenberg said. "You want to find those flaws as early as you can."
IBM also has production software capabilities with its Tivoli software division that could benefit from the enhanced security analysis that Glass Box can provide.
"We can push the vulnerability data there so that policies can be tuned and pushed out to all the devices that are being managed," Vandenberg said.
Same concept, different name?
While IBM is pitching Glass Box testing as a new innovation, rival HP sees it somewhat differently.
"The application testing described by IBM as Glass Box is actually something we’ve been doing for several years now, although we don’t call it Glass Box," Jason Schmitt, Director of Product Management for HP Fortify, told InternetNews.com.
HP acquired security testing vendor Fortify in 2010 with a goal of helping to meld static and dynamic analysis techniques. In July 2011, HP announced the release of HP WebInspect Real-Time, which Schmitt noted is a dynamic application security testing solution that observes running application code in real time during testing, to more accurately find vulnerabilities.
"This solution is based on the premise of using runtime security analysis of an application in conjunction with dynamic security analysis to improve application attack surface coverage," Schmitt said.
He added that in so doing, the system is able to more accurately validate discovery of exploitable vulnerabilities as well as provide line-of-code detail to locate the vulnerability.
Overall, the best approach to handling application security analysis is to implement multiple approaches through the software development and deployment lifecycles. Schmitt noted that HP advocates taking a comprehensive, systemic approach to eliminating the risk of insecure software, which they call software security assurance. "This involves identifying and eliminating risk in existing applications and preventing the introduction of risk during application development," Schmitt said.