With so many application security tools, how do you choose the best ones for your environment? Learn how to assemble your application security toolkit.
If you’re in the market for an application security solution, you can get a sense of the mind-boggling array of available solutions by searching for “application security testing.” The wide variety of approaches (SAST, DAST, IAST, RASP, pen testing, fuzz testing, etc.) and vendors is enough to freeze anybody in their tracks. When you’re building an application security toolkit, what tools do you really need?
Application vulnerabilities are the No. 1 cyber attack target, but how do you know you’re using the right tools to secure them?
You can’t afford to put your head in the sand and hope that the network security measures your customers or internal operations teams use will shelter your applications from attack. Hackers know that application vulnerabilities are like an unlocked back door. They can gain access to sensitive systems and data simply by exploiting flaws in application design or implementation. In fact, Tim Clark at SAP noted that applications are the target of over 80% of cyber attacks.
Enter application security tools. These solutions help development teams locate and fix vulnerabilities before applications go into production. Most of these solutions fall into one of two categories: static analysis tools or dynamic analysis tools.
Different solutions apply different technologies, levels of automation, or optimization for specific types of apps. But in general, these variations simply improve the tools’ ability to perform one of these two testing functions. Some newer approaches, such as runtime application self-protection (RASP), attempt to bake security defenses directly into the application itself. But these are not yet widely used.
Many teams make the mistake of picking a static or dynamic analysis tool and then stopping there. They know they need some kind of AppSec tool, so they pick one they like. But then they assume they’ve checked the AppSec box and can move on. Unfortunately, what they find is that their one-tool plan fails to detect a lot of vulnerabilities.
This is especially true when it comes to open source. Off-the-shelf static and dynamic testing tools are ineffective at finding vulnerabilities in open source components. They typically find only a handful of the thousands of open source vulnerabilities recorded in the National Vulnerability Database (NVD).
AppSec cannot be a checkbox activity. You can’t just grab a tool and head for the nearest exit. Instead, take a step back and consider your environment. Look at the types of applications your team builds and how they build them. Then use that information to make an informed selection.
It’s a trick question. No single tool or approach will fully cover the range of vulnerabilities present in most applications. To do the job right, you must assemble a multitool toolkit tailored to your applications and development processes.
To help you get started, we’ve put together an Enterprise Application Security Buying Guide. In it you’ll find descriptions of application security testing tools and services for each stage of your software development life cycle. Use this information plus knowledge about your environment to determine which tools you need in your application security toolkit. Then, as you build it out, you can establish a framework for evaluating specific vendor offerings.
This post was originally published on Jan. 17, 2017, and refreshed on May 29, 2019.
Patrick is the Senior Director of Product Marketing for Synopsys Software Integrity Group where he is laser focused on bringing solutions to market that help development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity.