
Application Security Testing

As part of the routine security screening of your application, with direction from government stakeholders, 2F collects artifacts stemming from Static Application Security Testing (SAST) of your application. Additionally, 2F conducts Dynamic Application Security Testing (DAST) on your application. As you seek to deploy to DoD networks, artifacts from these testing regimes are crucial components of the body of evidence provided to government accrediting officials that facilitate a rapid risk determination for your application. These artifacts are included in the Deployment Passport, which additionally contains a 2F SAST/ DAST assessment memorandum indicating whether the application “Meets/ Does Not Meet” the OWASP Top 10 framework for both SAST and DAST.

SAST and DAST are required for all new and renewing Certificates to Field (CtF). Game Warden customers currently deployed under an existing CtF will be required to conform to the SAST/ DAST framework when they seek a new Deployment Passport or when their CtF expires.

Static Application Security Testing (SAST)

SAST is a set of technologies designed to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a non-running state.

Game Warden customers are responsible for conducting SAST. As you near deployment on Game Warden, 2F requires artifacts from a SAST conducted within the 30 days prior to requesting application security review. Game Warden customers are additionally required to attest that the SAST report is for the code base deploying to Game Warden. SAST artifacts and attestation are collected within the Game Warden application.

SAST Acceptable Baseline Criteria

2F employs a “Meets/ Does Not Meet” framework to determine SAST acceptance based on the OWASP Top 10 Exploits. Any finding that yields a vulnerability under the OWASP Top 10 Exploits would yield a “Does Not Meet” and would need to be remediated.

There must be no findings that would indicate the application is susceptible to OWASP Top 10 Exploits:

SAST Preferred Tools

A range of tools are available to conduct SAST:

  • SonarQube
  • GitLab
  • Synopsys (Black Duck)
  • Coverity
  • Snyk

SAST Artifact Formats

We strongly prefer SAST artifacts to be one of the following formats:

  • PDF
  • JSON
  • XML

Dynamic Application Security Testing (DAST)

DAST technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only the exposed HTTP and HTML interfaces of Web-enabled applications; however, some solutions are designed specifically for non-Web protocol and data malformation.

Conducting DAST scans is the responsibility of 2F. 2F will provide Game Warden customers the results of DAST scans, and will identify findings that need remediation because the finding represents a vulnerability under the OWASP Top 10 Exploits. 2F conducts both unauthenticated and authenticated DAST scans using Tenable. Game Warden customers are responsible for remediating findings in accordance with the Acceptable Baseline Criteria timelines below, based on vulnerability severity. DAST artifacts are stored in the Game Warden application document store, and are included with the body of evidence submitted with the Deployment Passport. DAST scans are required:

  • Prior to initial CtF
  • Prior to deploying any code changes
  • Prior to CtF Renewal

DAST Acceptable Baseline Criteria

DAST scanning provides a robust analysis of each application based on known exploits and vulnerabilities. 2F prioritizes findings in the OWASP Top 10 Exploits, which are categorized by severity and finding family. Findings must be addressed in accordance with the Acceptable Baseline Criteria timelines below:

Severity   Justification    Mitigation/Remediation
Critical   Pre-deployment   Pre-deployment
High       Pre-deployment   Pre-deployment
Medium     10 days          60 days
Low        30 days          180 days
Info       N/A              N/A

Informational findings are for information purposes only; they will be provided to the customer but require no action.
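As an added example (not 2F's tooling, and not the export format of any tool listed above), the following Python gate applies the “Meets/ Does Not Meet” rule and the severity timelines from the table to a constructed list of findings; the finding record layout, the OWASP category strings and the scan date are assumptions.

```python
from datetime import date, timedelta

# Remediation windows from the DAST Acceptable Baseline Criteria table:
# severity -> (days to submit a justification, days to mitigate/remediate).
# None means the finding must be closed before deployment (Critical/High)
# or needs no action at all (Info).
BASELINE = {
    "critical": (None, None),
    "high": (None, None),
    "medium": (10, 60),
    "low": (30, 180),
    "info": (None, None),
}

# Constructed sample in a hypothetical normalised layout: each scanner
# finding has already been mapped to an OWASP Top 10 category (or None).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "High", "owasp": "A03:2021 Injection"},
    {"id": "F-2", "severity": "Medium", "owasp": "A05:2021 Security Misconfiguration"},
    {"id": "F-3", "severity": "Low", "owasp": None},
    {"id": "F-4", "severity": "Info", "owasp": None},
]

def assess(findings, scan_date_iso):
    """Return (verdict, actions): the Meets/Does Not Meet verdict and a map
    of finding id -> required action with deadlines counted from the scan."""
    scan_date = date.fromisoformat(scan_date_iso)
    verdict = "Meets"
    actions = {}
    for f in findings:
        sev = f["severity"].lower()
        if sev not in BASELINE:  # fail loudly rather than silently pass
            raise ValueError(f"unknown severity {f['severity']!r} on {f['id']}")
        if f.get("owasp"):
            # Any finding mapped to an OWASP Top 10 category fails the gate.
            verdict = "Does Not Meet"
        justify, remediate = BASELINE[sev]
        if sev == "info":
            actions[f["id"]] = "no action required"
        elif justify is None:
            actions[f["id"]] = "remediate pre-deployment"
        else:
            actions[f["id"]] = (f"justify by {scan_date + timedelta(days=justify)}, "
                                f"remediate by {scan_date + timedelta(days=remediate)}")
    return verdict, actions

if __name__ == "__main__":
    verdict, actions = assess(SAMPLE_FINDINGS, "2024-01-01")
    print(verdict)
    for fid, action in actions.items():
        print(f"{fid}: {action}")
```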

OWASP Top 10 Exploits: