I am on the blue team and I need to assess the risk of our apps

I am on the blue team and I need to assess the risk of our apps. What methods/tools are available? Is Mayhem a good fit here?

Thanks,
Jon

At ForAllSecure, we like to think about application security in a paradigm we call the “Four Corners of Application Security”:

  • Static Analysis Tools - (e.g., Coverity, Fortify). These tools try to determine whether your code is safe by examining the code. The benefit here is that you can usually drop your code into the tool and get an answer, but they suffer from false positives, so they will always require a human-in-the-loop to validate.

  • Software Composition - (e.g., SourceClear, SonaType). These tools look at your third-party dependencies for known vulnerabilities. The benefit to these tools is that they can often point out vulnerabilities for which there is often an easy fix: upgrade the version of the dependency. The downside, though, is that they don’t take into account how your app uses the dependency. For example, you might depend on a vulnerable library, but the vulnerability is mitigated by the way your app is built or configured.

  • Scanning Tools - (e.g., Nessus, Metasploit). These tools can check your application for known vulnerabilities. The benefit here is that you can determine if your applications have known vulnerabilities. The downside, though, is that not all vulnerabilities are known; you would miss the unknowns.

  • AI Fuzzing - (e.g., Mayhem). AI fuzzers like Mayhem execute your application and observe the behavior with different inputs to determine if your code has an unknown vulnerability. Once you start fuzzing, the process is automated and you’ll get a proof-of-vulnerability that you can use to reproduce the issue. The downside (if you can call it that) is that you have to ingest your application into a fuzzing framework. This can be a considerable effort, but it is well worth it because you only have to prepare each fuzzing target once and then you’ll get autonomous appsec in return!

The important thing to note here is that each of these tools does provide something, but as a blue team member, you should really consider fuzzing as your go-to because it provides you with a proof-of-vulnerability that allows you to debug and pass to your developers for remediation.
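An added example of the fuzzing idea described in the answer above (this is illustration code written for this page, not ForAllSecure's or Mayhem's own code): a toy mutation-based fuzzer runs a constructed, deliberately buggy record parser with mutated inputs; when the parser crashes with an unexpected exception, the fuzzer keeps the crashing input, minimizes it, and returns it as a reproducible proof-of-vulnerability that can be handed to developers. The names `parse_record`, `mutate`, `minimize`, `reproduces` and `fuzz` and the record format are all hypothetical, constructed for this example.

```python
"""Added example: a minimal mutation-based fuzzer that turns a crash into a
reproducible proof-of-vulnerability. Not Mayhem code; all names are hypothetical."""
import random


def parse_record(data: bytes) -> dict:
    """Constructed target with a deliberate bug.

    Record format (invented for this example): 1 length byte, then that many
    payload bytes, then 1 checksum byte. The bug: the parser trusts the length
    field and indexes past the end of a truncated input, raising IndexError.
    """
    if len(data) < 2:
        raise ValueError("too short")  # expected, graceful rejection
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]  # BUG: IndexError when data is truncated
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")  # expected, graceful rejection
    return {"length": length, "payload": payload}


# Exceptions the target is allowed to raise on bad input; anything else is a finding.
EXPECTED_ERRORS = (ValueError,)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, delete a byte, or insert one."""
    buf = bytearray(seed)
    op = rng.choice(("overwrite", "delete", "insert"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "delete" and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def reproduces(target, data: bytes) -> bool:
    """True if `data` still makes the target fail with an unexpected exception."""
    try:
        target(data)
    except EXPECTED_ERRORS:
        return False
    except Exception:
        return True
    return False


def minimize(target, crash: bytes) -> bytes:
    """Greedy one-byte-at-a-time reduction: drop bytes while the crash reproduces."""
    i = 0
    while i < len(crash):
        candidate = crash[:i] + crash[i + 1:]
        if reproduces(target, candidate):
            crash = candidate  # smaller input still crashes; keep it
        else:
            i += 1
    return crash


def fuzz(target, seeds, iterations=5000, seed=0):
    """Mutate seed inputs until the target raises an unexpected exception.

    Returns a dict with the raw crashing input, the exception name, and a
    minimized reproducer, or None if no crash was found within `iterations`.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    corpus = list(seeds)
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            target(data)
        except EXPECTED_ERRORS:
            continue
        except Exception as exc:
            return {
                "input": data,
                "exception": type(exc).__name__,
                "minimized": minimize(target, data),
            }
        else:
            corpus.append(data)  # valid inputs are kept to reach deeper parser paths
    return None


# Constructed seed: a valid record (length 3, payload b"abc", checksum 294 % 256 == 38).
SEED = bytes([3]) + b"abc" + bytes([38])

if __name__ == "__main__":
    finding = fuzz(parse_record, [SEED])
    if finding is None:
        print("no crash found")
    else:
        print(f"{finding['exception']} reproduced by input {finding['minimized']!r}")
```

The minimized input is the artefact a blue team wants from a fuzzer: a concrete byte string that reproduces the failure on demand, so a developer can step through it in a debugger instead of reasoning from a static-analysis warning. In a real engagement the target would be the application binary or a harness around its parsing code, and expected-error handling would be tuned to what the application legitimately raises.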