Preparing for the Next Wave in Application Security Testing Begins With Standardization
Ride the next wave of innovation coming to application security testing — standardization.
With very few exceptions, virtually every business on this planet relies on software applications to do what they do. Again, with very few exceptions, virtually every human on this planet relies on software applications to interact with systems, businesses, and individuals on a daily basis. Without applications, our world would come to an abrupt stop and life would be very different for most of us.
For this reason alone, businesses of all sizes are investing in establishing application security testing programs as a routine part of their software development lifecycle, and as part of the effort to protect proprietary and customer data.
Building an application security testing program can be daunting. The market offers many choices of products and platforms for SAST, DAST, IAST, and MAST. (If you don’t know what those terms mean, you should stop reading and look them up right now.) Today’s tools are all similar in terms of the programming languages they support, the approach they take, how results are reported, and the type of insight developers and security professionals can infer from those results.
Despite their similarities, not all application security products are created equal. Rankings of application security testing products abound thanks to research firms such as Gartner, Forrester, and others. Having so many products to choose from has driven many companies to try to build their application security testing programs as a best-of-breed collection of tools.
This approach may seem economical in the short term, as some of the niche tools out there are indeed quite affordable. In the long term, though, the best-of-breed approach tends to turn into a hodgepodge of isolated tools, each of which provides its own results, its own reporting, and its own insights (at various levels of usability), with no visibility beyond its own domain.
If you have a stake in reporting your company’s application security posture, and all you have is a bunch of tools giving you isolated reports with no correlation among them, you have a problem.
Application security testing tools are getting smarter. My colleagues Florin Coada and Neil Jones wrote about this not long ago. The new wave in application security testing brings AI, automation, collaboration, and other innovations, but there’s one thing that you’re not going to get: interoperability across tools from different vendors. In other words, your fragmented portfolio may end up with smarter silos but it will still be fragmented nonetheless.
A siloed application security program is manageable in the short term. Keep in mind that as your application portfolio grows, having siloed sources of information will only create more uncertainty, more lapses in security coverage, and more manual labor for verifying the information received. This is where standardization can help.
Standardization is a strategic approach to application security testing whereby a company procures all its application security needs from a single toolset whenever possible. Standardizing on a single platform for SAST, DAST, IAST, MAST, and open-source testing gives developers and security professionals a holistic, unified view of the company’s application security program. Moreover, if the platform itself is capable of aggregating information from the various test methodologies and applying analytics (or, better yet, machine learning) to separate insight from noise, you get a risk-based posture for the entire application security testing program.
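To make the unified view concrete, here is an added example written for this article (not code from any vendor's platform): it normalizes constructed findings from a hypothetical SAST tool and a hypothetical DAST tool into one record shape, correlates them by CWE, and ranks the result. The two native formats, the shared 1–4 severity scale and the scoring rule are all assumptions.

```python
from collections import defaultdict

# Constructed sample output from two hypothetical tools, each in its own native shape.
SAST_FINDINGS = [
    {"rule": "CWE-89", "file": "app/db.py", "line": 42, "sev": "high"},
    {"rule": "CWE-79", "file": "app/views.py", "line": 17, "sev": "medium"},
]
DAST_FINDINGS = [
    {"vuln_class": "SQL Injection", "cwe": 89, "url": "/search", "risk": 3},
    {"vuln_class": "Missing HSTS", "cwe": 319, "url": "/", "risk": 1},
]

# Assumed mapping of the SAST tool's labels onto the DAST tool's 1-4 numeric scale.
SEV_MAP = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_sast(f):
    """Convert one SAST finding into the unified record shape."""
    cwe = int(f["rule"].split("-")[1])
    return {"tool": "sast", "cwe": cwe, "where": f"{f['file']}:{f['line']}",
            "severity": SEV_MAP[f["sev"]]}


def normalize_dast(f):
    """Convert one DAST finding into the unified record shape."""
    return {"tool": "dast", "cwe": f["cwe"], "where": f["url"], "severity": f["risk"]}


def unified_posture(sast, dast):
    """Correlate normalized findings by CWE and rank them by a simple risk score.

    A weakness reported by more than one test methodology is marked corroborated,
    and the score multiplies the highest severity by the number of corroborating tools
    (assumed scoring rule, chosen to surface cross-tool agreement first).
    """
    findings = [normalize_sast(f) for f in sast] + [normalize_dast(f) for f in dast]
    by_cwe = defaultdict(list)
    for f in findings:
        by_cwe[f["cwe"]].append(f)
    summary = []
    for cwe, group in by_cwe.items():
        tools = sorted({g["tool"] for g in group})
        severity = max(g["severity"] for g in group)
        summary.append({
            "cwe": cwe, "tools": tools, "severity": severity,
            "confidence": "corroborated" if len(tools) > 1 else "single-source",
            "score": severity * len(tools),
            "locations": sorted(g["where"] for g in group),
        })
    return sorted(summary, key=lambda s: s["score"], reverse=True)
```

Each row of the returned list is one weakness class with every tool and location that reported it, which is the correlation a pile of isolated per-tool reports cannot give you.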
A standardized application security testing environment is the ideal foundation for riding the next wave of innovation coming to application security testing. What you get from standardization is built-in interoperability, which you don’t get with a best-of-breed approach. Additionally, you get risk-based scoring and a unified view across your entire application security program that you can communicate to upper management in terms that will give them peace of mind.
Opinions expressed by DZone contributors are their own.