Sadly, one can make the argument that if software vendors did a better job of integrating security testing throughout the development lifecycle, our current struggles with application security might be less challenging.
Yet software vendors are late to the party. Their security testing tends to be tacked on to the end of the development lifecycle as an afterthought, which may account for one recent study's startling conclusions that:
- 98% of applications carry at least one application security risk (and each risk may signal the presence of multiple vulnerabilities)
- 80% of applications showed more than five risks
- The average application registered 22.4 risks
Protecting your apps falls to you
The bottom line is unavoidable: protecting your apps falls to you. And if you want such protection to work, it should be as comprehensive as possible.
This means you’ll need to do more than merely react to security incidents and exploits. You’ll need to create a proactive software security posture. If you don’t develop your own apps, you’ll want a capability that focuses on dynamic application security testing (DAST).
Initially designed to analyze vulnerabilities in web-based server apps, "outside-in" DAST tools (also called penetration testing or "black box" tools) scan an app in a working environment, i.e., while it is "in motion," to uncover vulnerabilities.
If you build apps, you'll want to undertake "inside-out" static scans (SAST) during your development cycle that analyze application source code, bytecode, and data flow.
And if you field web and mobile apps, you'll want to combine both in an integrated application security testing (IAST) approach that draws on DAST and SAST together for better scanning.
Get your own “white hat” help
You can take on these scanning tasks yourself if you have the time and expertise. Or you can find an experienced application security services provider whose scanning services automate the activities of ethical ("white hat") hacking and thus test your software and apps from a hacker's point of view. These services should include the ability to:
- Crawl and index a site like a search engine
- Conduct a wide variety of tests covering known vulnerabilities, protocol handling, malformed packets, known framework issues, and injection
- Perform additional discovery on a site (e.g., extraneous content)
- Parse out input fields for injection testing
- Find bugs efficiently and effectively
- Function as part of a comprehensive security plan that can also protect your networks, servers, and databases and that can be managed either from your service provider’s operations center or locally at your site