It is no surprise that data breaches are on the rise.  Companies store confidential customer data, proprietary corporate data, intellectual property, and much more on their systems, and that concentration of value draws attackers looking to steal, corrupt, or delete it.

Industries such as healthcare, financial services, and retail have been particularly hard hit.  Recent incidents at Home Depot, Kmart, and Dairy Queen made news headlines.  These breaches affected millions of consumers and heightened the concerns of information security professionals.

In a September 2014 study by the Ponemon Institute (“Is Your Company Ready for a Big Data Breach?”), almost 75 percent of responding organizations said they had a data breach preparedness plan in place.  Having a plan on paper, however, is not the same as implementing the technologies and procedures needed to actually protect the organization’s data.

Many organizations believe that authenticating users with user names and passwords and encrypting data in transit is enough; however, a large share of security problems stem from weaknesses in the applications themselves, such as web and mobile apps.

Application Security Testing (AST) needs to move higher on the list of security strategies for organizations to implement.  This does not apply only to software development companies; it also applies to organizations developing their own in-house applications, and even to those buying software from third-party vendors.  Whether you build or buy, it is important to verify that the software does not contain weaknesses that leave the data it houses open to exploitation.

What is Application Security Testing (AST)?

Application security testing means checking for security weaknesses at every stage of the code’s lifecycle, so that flaws introduced during the design, development, deployment, upgrade, or maintenance of an application are caught rather than shipped.  Because each of these stages is an opportunity to introduce a flaw, organizations need to test their applications for security holes throughout the entire software development lifecycle, not just once before release.

Many security incidents trace back to a software vulnerability that was introduced inadvertently when the code was written.  Web application attacks were the top IT security threat in 2013 according to Verizon’s 2014 Data Breach Investigations Report: of the 1,367 confirmed data breaches covered in the report, 35 percent were caused by web application attacks.

Despite this risk, it is still common for development teams to wait until development is complete before testing for weaknesses.  This runs counter to industry best practice, which has repeatedly shown that building security in during development costs far less than fixing vulnerabilities found late in the lifecycle, or after release.

Different Application Security Testing Methods

Application developers and security professionals should consider several different application security testing methods, including:

  • Manual Testing – a reviewer reads and analyzes the code, often line by line.  This finds design and logic flaws that tools miss, but it is slow and does not scale to large code bases.
  • Static Application Security Testing (SAST) – also known as white box testing, SAST tools analyze the application’s source, byte, or binary code for weaknesses without running it, which means they can be used during the programming and testing phases of the software lifecycle, before a deployable build exists.
  • Dynamic Application Security Testing (DAST) – considered black box testing, DAST tools exercise the running application from the outside, sending requests and observing responses, with no access to the source code.
  • Interactive Application Security Testing (IAST) – this method combines the strengths of SAST and DAST by instrumenting the running application from inside its runtime, so it can observe which code paths and data flows are actually exercised while the application is being tested.
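To make the SAST description concrete, the following is an added example (not code from the original article or from any commercial tool): a deliberately minimal static check written with Python’s standard `ast` module.  It parses source code without executing it and flags calls to an `execute`-style database method whose first argument is assembled by string formatting rather than passed as a constant with bound parameters, which is the pattern behind SQL injection.  The rule, the `Finding` record, and the sample source it is run against are all constructed for illustration.

```python
"""Minimal SAST-style rule: detect SQL statements built by string formatting.

Added example. It inspects the parsed syntax tree of Python source, never
runs the code under test, and reports one Finding per offending call.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values.

    Recognizes f-strings with interpolated values, '%' formatting,
    '+' concatenation with a non-literal operand, and str.format() calls.
    Pure literal concatenation ("a" + "b") is NOT flagged, to avoid an
    obvious false positive.
    """
    if isinstance(node, ast.JoinedStr):  # f"..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):  # "..." % value
            return True
        if isinstance(node.op, ast.Add):  # "..." + value
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):  # "...".format(value)
        return True
    return False


def scan_source(source: str) -> list:
    """Return findings for every execute()/executemany() call whose SQL
    argument is built dynamically, sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append(Finding(
                line=node.lineno,
                rule="sql-string-formatting",
                message="SQL built by string formatting; pass a constant "
                        "statement with bound parameters instead",
            ))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample code under test (a string, never executed). Lines 3-6
# are vulnerable variants; lines 7-8 are safe and must not be reported.
SAMPLE_SOURCE = '''
def lookup(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = '" + username + "'")
    cursor.execute(f"SELECT id FROM users WHERE name = '{username}'")
    cursor.execute("SELECT id FROM users WHERE name = '%s'" % username)
    cursor.execute("SELECT id FROM users WHERE name = '{}'".format(username))
    cursor.execute("SELECT id FROM users WHERE name = %s", (username,))
    cursor.execute("SELECT id " + "FROM users")
'''


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Note what this illustrates about the method: the check never needed a running application or a test account, so it can run on every commit, but it reasons only about syntax.  It cannot tell whether `username` was validated upstream, and a real SAST product spends most of its effort on exactly that kind of data-flow analysis to keep false positives down.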

Unfortunately, no single method will find all the vulnerabilities in an application.  Each type of testing tool has its own strengths and finds its own class of weaknesses, with only partial overlap.  The tools also do not coordinate with one another: each reports vulnerabilities using its own naming conventions and severity ratings, which makes it difficult to integrate and compare the findings produced by multiple tools.

A best practice for secure development is to run multiple application testing tools against the same code base and combine their results, normalizing names and severities so that findings can be compared, in order to maximize vulnerability coverage across the entire software development process.
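The following added example (not from the original article or any vendor) shows one way to do that combining step.  Two constructed report formats stand in for a hypothetical SAST tool (“toolA”, which emits its own rule names, word severities, and file:line locations) and a hypothetical DAST tool (“toolB”, which emits different names, CWE identifiers, a 0–3 numeric risk, and URL locations).  Each report is first normalized to a CWE-based key and a shared four-step severity scale, then merged so that a weakness reported by both tools appears once, at the highest severity either assigned, with every tool and location that found it.  The mapping tables are assumptions for this example; in practice they come from the tools’ documentation.

```python
"""Normalize and merge findings from two hypothetical AST tools.

Added example. TOOL_A_REPORT and TOOL_B_REPORT are constructed sample
output; the CWE and severity mappings are assumed for illustration.
"""

# Constructed sample output of a hypothetical SAST tool ("toolA").
TOOL_A_REPORT = [
    {"rule": "Sql Injection", "severity": "High", "file": "app/db.py", "line": 42},
    {"rule": "Hardcoded Credential", "severity": "Medium", "file": "app/config.py", "line": 7},
    {"rule": "Weak Hash (MD5)", "severity": "Low", "file": "app/auth.py", "line": 88},
    {"rule": "Debug Mode Enabled", "severity": "Low", "file": "app/settings.py", "line": 3},
]

# Constructed sample output of a hypothetical DAST tool ("toolB"): different
# names, CWE ids supplied by the tool, a 0-3 risk score, URL locations.
TOOL_B_REPORT = [
    {"name": "SQL_INJECTION", "cwe": 89, "risk": 3, "url": "/api/users?name="},
    {"name": "REFLECTED_XSS", "cwe": 79, "risk": 2, "url": "/search?q="},
]

# Assumed mappings: toolA rule name -> CWE id, and each tool's own severity
# scale -> a shared ordinal scale (1 = low ... 4 = critical).
TOOL_A_CWE = {"Sql Injection": 89, "Hardcoded Credential": 798, "Weak Hash (MD5)": 328}
TOOL_A_SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
TOOL_B_SEVERITY = {3: 3, 2: 2, 1: 1, 0: 1}  # toolB has no "critical"; 0 = informational


def normalize_tool_a(report):
    findings = []
    for f in report:
        cwe = TOOL_A_CWE.get(f["rule"])
        # A rule with no CWE mapping is kept under its own name rather than
        # dropped, so the gap in the mapping table stays visible in output.
        key = f"CWE-{cwe}" if cwe is not None else f"unmapped:{f['rule']}"
        findings.append({
            "key": key,
            "severity": TOOL_A_SEVERITY[f["severity"]],
            "tool": "toolA",
            "location": f"{f['file']}:{f['line']}",
        })
    return findings


def normalize_tool_b(report):
    return [{
        "key": f"CWE-{f['cwe']}",
        "severity": TOOL_B_SEVERITY[f["risk"]],
        "tool": "toolB",
        "location": f["url"],
    } for f in report]


def merge_findings(*normalized_lists):
    """Group normalized findings by weakness key, keep the highest severity
    any tool assigned, and record every tool and location that reported it."""
    groups = {}
    for finding in (f for lst in normalized_lists for f in lst):
        g = groups.setdefault(finding["key"], {
            "key": finding["key"], "severity": 0, "tools": set(), "locations": [],
        })
        g["severity"] = max(g["severity"], finding["severity"])
        g["tools"].add(finding["tool"])
        g["locations"].append(finding["location"])
    # Highest severity first; the key is a deterministic tie-break.
    return sorted(groups.values(), key=lambda g: (-g["severity"], g["key"]))


def combined_report():
    return merge_findings(normalize_tool_a(TOOL_A_REPORT),
                          normalize_tool_b(TOOL_B_REPORT))


if __name__ == "__main__":
    for g in combined_report():
        tag = "confirmed by both tools" if len(g["tools"]) > 1 else "single tool"
        print(f"{g['key']:<30} sev={g['severity']} {tag}: "
              f"{sorted(g['tools'])} {g['locations']}")
```

The payoff is in the merged view: the SQL injection shows up once, attributed to both the static and the dynamic tool, which is a stronger signal than either report alone, while the cross-site scripting that only the dynamic scan reached and the unmapped rule that the static tool alone produced remain visible rather than being lost in two separately formatted reports.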

Use Application Security Testing to Minimize the Risk

Don’t put your enterprise at risk.  Application security testing needs to be a core part of your information security strategy.  By using multiple testing tools, commercial and open-source, to discover high-severity vulnerabilities before an attacker does, you put your organization in a far better position to protect its information assets.