Posted by Jim Ivers on March 18, 2016
Originally posted on SecurityWeek
“…is part of this balanced breakfast…”
This is the claim of many sugary cereals aimed directly at children. It is also the claim of many vendors in the software security market.
Selling cereal targeting children is an interesting proposition. To make the adults that ultimately have to buy the cereal feel better, the cereal in question is shown as a component of a larger breakfast offering composed of milk, fruit, toast, and some form of juice, with the suggestion that the cereal is part of a “complete” or “balanced” breakfast.
The goal here is to mollify fears that the cereal your child is requesting is the equivalent of crushing cookies and placing them in a bowl. By portraying the cereal as part of a balanced breakfast, the vendor is hoping you buy the intimation the cereal is an equal player in creating a healthy balance. Of course, the reality is that the balance is due largely to the milk, fruit, bread, and juice – the cereal actually brings down the nutritional score of the other assembled parts. Read at face value, the vendor is saying that the cereal on its own does not represent a balanced breakfast.
I use this metaphor because many testing vendors sell you a tool—their tool—as your answer to software security. If you carefully analyze their words, what you will see is that their tool is the bowl of sugary cereal bringing down your nutrition value. Like cereal ads, vendors speak to benefits of the milk, fruits, breads, and juice, but it is not their tool that delivers those benefits.
The truth is that, aside from tools, there are many types of application security testing (AST) that can be used to determine the vulnerabilities in software. Static (SAST) and dynamic (DAST) testing are the most established and widely used, but there are others. An accepted truth is that different types of tests will find different things. Business logic testing adds human security expertise to the process, finding vulnerabilities that automated scans may miss. So real accuracy—the balanced breakfast—is found in a combination of tools and human expertise.
Get the latest AppSec news and trends sent directly to you.