Dynamic Application Security Testing (DAST) is a security testing technique that has been used by
major corporations and organizations to secure their GCP cloud infrastructure.
Dynamic means that the tests are performed in an automated manner, unlike other software testing techniques
such as static application security testing (SAST). With DAST, customers can identify vulnerabilities within an application before it is released to production or exposed to the public.
This blog post discusses common risks of Dynamic Application Security Testing, different approaches
for Dynamic Application Security Testing on GCP Cloud Infrastructure, and how hackers typically gain access to Google Cloud Platform.
Hackers often exploit unpatched vulnerabilities in server operating systems, in the applications running
on top of those operating systems (such as Apache Tomcat), in software libraries installed alongside
those applications or operating systems, in network ports exposed through the public IPs of
Virtual Machines (VMs) that are part of Google Compute Engine instances, in APIs that
Google Compute Engine instances expose to other VMs, and so on.
Hackers could also use Dynamic Application Security Testing tools themselves to
attack GCP cloud infrastructure applications and servers within the organization.
Dynamic application security testing can be performed by customers who are part of Google’s partner network
(which is quite extensive) using third-party DAST tools built specifically for Google Compute Engine,
or they may choose to build their own custom Dynamic Application Security Testing tool. Building a custom tool
requires integrating with the APIs exposed by the various services in the Google Stackdriver suite,
with Virtual Machines that run on top of TensorFlow framework powered backends, etc., before the tool
can start running Dynamic Application Security Tests against web apps hosted on Google Compute Engine VMs. The Dynamic Application Security Testing tool would also need to be configured with
the different methods it will use to perform Dynamic Application Security Tests on Google Compute Engine instances, such as via OpenSSH or Telnet.
Dynamic Application Security Testing tools are most often used to identify vulnerabilities
in web applications, and Dynamic Application Security Testing has a number of common risks attached to it. These include false positives and false negatives, increased load on servers, and others.
- False Positives and Negatives: A false positive occurs when legitimate code triggers a vulnerability finding
in a web application, whereas a false negative occurs when known risky code passes through unnoticed because existing Dynamic Application Security Testing tools do not cover it adequately.
- Increased Load on Servers: Dynamic testing means that the tests are performed in an automated manner. It is not as intensive as a manual penetration test (which is quite expensive). However, DAST cannot be used on a small scale. Dynamic Application Security Testing tools need to be customized and tested before they are released for production use in an organization, which may affect the performance of the applications being tested, especially in large organizations with many users accessing their apps and web applications.
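As an added illustration of the two risks above (example code, not code from this post or from any DAST vendor), here is a small Python probe in the DAST style: it fetches each target URL under a request-rate cap, so the scan does not itself become the load problem it is looking for, and it attaches raw evidence to every finding so a reviewer can weed out false positives during triage. The header list, the placeholder target URL and the sample response headers are constructed for the example.

```python
import time
import urllib.request
from collections import namedtuple

# Headers whose absence a DAST tool commonly reports (kept short for the example).
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options")
# Raw evidence travels with each finding so a reviewer can triage false positives.
Finding = namedtuple("Finding", "url check evidence")

class RateLimiter:
    """Caps the scan at `rate` requests/second so it does not become the load risk it looks for."""
    def __init__(self, rate: float):
        self.interval, self.next_ok = 1.0 / rate, 0.0
    def wait(self) -> None:
        now = time.monotonic()
        if now < self.next_ok:
            time.sleep(self.next_ok - now)
        self.next_ok = max(now, self.next_ok) + self.interval

def evaluate_headers(url: str, headers: dict) -> list:
    """Pure check over one response's headers; names are compared case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [Finding(url, f"missing-header:{h}", "header absent in response")
                for h in REQUIRED_HEADERS if h.lower() not in lower]
    server = lower.get("server", "")
    if any(ch.isdigit() for ch in server):  # e.g. 'Apache/2.4.1' discloses a version
        findings.append(Finding(url, "server-version-disclosure", server))
    return findings

def probe(url: str, limiter: RateLimiter, timeout: float = 3.0) -> list:
    """One throttled GET against a running target; network errors become findings."""
    limiter.wait()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return evaluate_headers(url, dict(resp.headers))
    except Exception as exc:  # an unreachable target is recorded, not hammered with retries
        return [Finding(url, "unreachable", repr(exc))]

def scan(urls, rate: float = 2.0) -> list:
    """Scan a list of targets sharing one rate limiter (the whole scan is capped)."""
    limiter = RateLimiter(rate)
    return [f for url in urls for f in probe(url, limiter)]

if __name__ == "__main__":
    # Constructed response headers standing in for a real GCE-hosted web app (placeholder address).
    sample = {"Server": "Apache/2.4.1", "Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
    for f in evaluate_headers("http://203.0.113.10/", sample):
        print(f.check, "->", f.evidence)
```

Pointing `scan()` at real hosts requires the same authorization as any other DAST run; the rate cap is a floor on politeness, not a substitute for scheduling the scan outside peak load.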
Dynamic Application Security Testing can be performed manually or automatically.
- Dynamic Application Security Testing Tools: Dynamic application security testing tools are capable of performing dynamic tests on web applications running on virtual machines within Google Compute Engine instances, on APIs exposed by GCP cloud infrastructure components to other apps and services (such as Cloud Storage buckets), on software libraries installed along with the web app or operating system, and on network ports exposed through the public IPs of VMs that are part of Google Compute Engine instances.
- Manual Dynamic Application Security Test vs Automated Dynamic Application Security Test: A manual DAST tool would require users to build their own framework, which they could use to configure rules for identifying vulnerabilities in web applications before it starts scanning them against those Dynamic Application Security Testing rules.
The GCP Cloud has many advantages including ease of use, scalability, and reliability. But when it comes to GCP security testing, there are a number of risks that you should assess before adopting this cloud service. There is no one-size-fits-all approach for securing data in a public or private environment; instead, organizations need to decide which form of protection best suits their needs.