Software Integrity


Application testing is just the first step in your security journey

Within a software security initiative (SSI), security testing of applications should be a top priority so that applications are resilient to attack. Secure applications provide stronger protection of sensitive data and private information in case the surrounding environment fails to protect the application or its data. Thus, application security testing is one of the most important domains of software security.

An effective SSI requires application security testing. But that's not the only element that matters; it's just the beginning. A truly thorough SSI takes a broader, more holistic and strategic approach to protecting an organization's assets and reputation. Small changes to the development process and the implementation of safeguards can improve security at every step. Not every activity is right for every organization in every industry, but a business that has not started putting security measures in place is exposing itself to risks it does not yet know about.

To improve software security posture, a business needs to perform certain activities that may involve upgrading the current software development process with practices that infuse security and privacy policies.

What is application security testing?

Here, applications include:

  • Applications developed in-house
  • Vendor developed and hosted applications
  • Procured applications
  • Open source libraries in use

Application security testing validates that an application is resilient to abuse, fails safe and behaves securely. It also checks for privacy-related issues. It can be broadly classified into security functionality testing and security testing:

  • Testing of security functionality provides assurance that security controls such as authentication, authorization and error handling are implemented correctly.
  • Security testing exercises application behavior from the perspective of a user with an attacker's mentality. Since the integrity of data and the system is a measure of reliability, security testing also indirectly validates the reliability of the software. Testing of error and exception handling measures the software's recoverability.

Why is application security testing important?

Today's applications do not work in silos; they are accessible globally via the internet. Businesses build applications to run on hosts and networks, and they depend on third-party vendors for the application environment. They don't create their own operating system, server hardware or network appliances to run the applications. At most, businesses can harden those systems.

The same dependency applies to third-party software acquired by a company. If these systems are vulnerable, the applications built on them are vulnerable too. But the secure development process for applications is under the control of the organization, and that's where it can start measuring and making the necessary changes. Bugs in the application and flaws in its design make the whole application insecure, and these can only be detected by application security testing.

What are the various security testing activities?

Activities towards continuous improvement of application security include:

  • The use of an external penetration tester to detect issues
  • Test results being fed back to the development system through defect management and mitigation channels
  • The creation of internal penetration testing capabilities, and the use of tools, to improve efficiency and repeatability of the testing process
  • The use of automated tools followed by manual review
  • Quality Assurance (QA) teams providing basic adversarial tests and probing simple edge cases and boundary conditions
  • Tests conducted that align with declarative security mechanisms derived from requirements and security features (e.g. privilege escalation)

We now know it’s important, but why is application testing a top priority?

It is important to analyze an organization's position in terms of security when considering measures to improve security posture. A thorough analysis involving secure code review, architecture risk analysis and penetration testing can provide the necessary information. Based on these findings, areas of improvement can be identified and activities to be performed can be formulated. This creates the foundation for a security roadmap and an SSI starting point for the business.

What are some of the other steps in the security journey?

Other important activities may include:

  • Review of security features
  • Automated and manual code review
  • Architecture analysis
  • A list of top bugs and flaws to eliminate, used to drive change
  • Risk questionnaire to rank applications
  • Design review for high-risk applications
  • Threat models for applications
  • Operational management by patching and updating the application, implementing proper version control and incident handling
  • Centralized reporting for issue tracking, with remediation steps recorded as a knowledge base that drives developer training
  • Changes in policies, standards, procedures and guidelines that enforce and guide secure activities throughout the organization

How does application security provide the foundation?

Improvement in any process requires an understanding and analysis of where that process is today; based on that information, one can formulate the next steps to be taken. That is the role played by application testing in an organization's security journey: it analyzes the threats and risks of applications. This is the foundation needed to prioritize other activities in preparation for remediation. A highly mature organization may require different activities than an organization that has just started its security journey.

The security journey

Software security is the holistic approach an organization takes to improve its security posture, safeguarding assets and the privacy of non-public information. The activities discussed here were inspired by the Building Security In Maturity Model (BSIMM). These highlighted activities are commonly observed and performed by real companies.
