Do you have the right tools in your application security toolkit?
By Patrick Carey, Director of Product Management
With so many application security tools, how do you choose the best ones for your environment? Learn how to assemble your application security toolkit.
If you're in the market for an application security solution, you can get a sense of the mind-boggling array of available solutions by searching for "application security testing." The wide variety of approaches (SAST, DAST, IAST, RASP, pen testing, fuzz testing, etc.) and vendors is enough to freeze anybody in their tracks. When you're building an application security toolkit, what tools do you really need?
Am I using the right tools to secure my apps?
Application vulnerabilities are the No. 1 cyber attack target, but how do you know you're using the right tools to secure them?
You can't afford to put your head in the sand and hope that the network security measures your customers or internal operations teams use will shelter your applications from attack. Hackers know that application vulnerabilities are like an unlocked back door. They can gain access to sensitive systems and data simply by exploiting flaws in application design or implementation. In fact, Tim Clark at SAP noted that applications are the target of over 80% of cyber attacks.
How do static and dynamic analysis tools work?
Enter application security tools. These solutions help development teams locate and fix vulnerabilities before applications go into production. Most of these solutions fall into one of two categories:
- Static analysis works by examining the source or binary application code to detect vulnerable coding patterns.
- Dynamic analysis works by testing a running application to detect vulnerable behavior.
Different solutions apply different technologies, levels of automation, or optimizations for specific types of apps. But in general, these variations simply improve the tools' ability to perform one of these two testing functions. Some newer approaches, such as runtime application self-protection (RASP), attempt to bake security defenses directly into the application itself. But these are not yet widely used.
Do I need more than a static or dynamic analysis solution?
Many teams make the mistake of picking a static or dynamic analysis tool and then stopping there. They know they need some kind of AppSec tool, so they pick one they like. But then they assume they've checked the AppSec box and can move on. Unfortunately, what they find is that their one-tool plan fails to detect a lot of vulnerabilities.
This is especially true when it comes to open source. Off-the-shelf static and dynamic testing tools are ineffective at finding vulnerabilities in open source components. They look for vulnerable coding patterns or runtime behavior rather than identifying which components and versions an application actually contains, so a known, already-published vulnerability in a dependency can pass unnoticed. They typically find only a handful of the thousands of open source vulnerabilities recorded in the National Vulnerability Database (NVD).
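As an added illustration (not code from this article or from any vendor tool it mentions) of why a pattern-based static check and a component-inventory check find different things: the static check below flags a coding pattern in constructed sample source, while the component check matches a constructed dependency manifest against a constructed stand-in for an NVD-style feed. All package names, versions and advisory ids are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample application source (not from the article): one query
# built by string concatenation, one fixed query with no user input.
SAMPLE_SOURCE = """\
def find_user(db, name):
    return db.execute("SELECT * FROM users WHERE name = '" + name + "'")

def count_users(db):
    return db.execute("SELECT COUNT(*) FROM users")
"""

# Constructed dependency manifest for the same application: name -> pinned version.
SAMPLE_MANIFEST: Dict[str, str] = {"leftlib": "1.2.0", "safelib": "3.0.1"}

# Constructed stand-in for an NVD-style feed: name -> (fixed_in_version, advisory id).
# Real data would come from the NVD or a commercial database; the ids are placeholders.
VULN_DB: Dict[str, Tuple[str, str]] = {"leftlib": ("1.3.0", "PLACEHOLDER-ADVISORY-1")}

# Static check: a string literal concatenated directly into an execute() call.
SQL_CONCAT = re.compile(r'execute\(\s*"[^"]*"\s*\+')


def static_findings(source: str) -> List[int]:
    """Line numbers (1-based) whose text matches the vulnerable coding pattern."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SQL_CONCAT.search(line)]


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def component_findings(manifest: Dict[str, str],
                       vuln_db: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(name, version, advisory) for each pinned component older than its fixed version."""
    hits = []
    for name, version in manifest.items():
        if name in vuln_db:
            fixed_in, advisory = vuln_db[name]
            if version_tuple(version) < version_tuple(fixed_in):
                hits.append((name, version, advisory))
    return hits


if __name__ == "__main__":
    # The static check sees the concatenation but knows nothing about leftlib;
    # only the inventory check surfaces the published dependency advisory.
    print("static analysis flagged lines:", static_findings(SAMPLE_SOURCE))
    print("component analysis flagged:", component_findings(SAMPLE_MANIFEST, VULN_DB))
```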
Which application security tools should I use?
AppSec cannot be a checkbox activity. You can't just grab a tool and head for the nearest exit. Instead, take a step back and consider your environment. Look at the types of applications your team builds and how they build them. Then use that information to make an informed selection.
- Are you building apps that require specialty testing tools (e.g., certain types of mobile or embedded apps)?
- How are your applications deployed? Internal network? Customer network? Cloud? Containers? SaaS?
- What programming languages or components do you use? Do open source components make up a significant portion of the codebase?
- How long do applications or versions remain in use? What type of ongoing vulnerability protections do you need?
- How is your development process structured? Do you have distinct testing phases? Or do you integrate testing into a build automation and continuous integration platform?
What do I need in my application security toolkit?
It's a trick question. No single tool or approach will fully cover the range of vulnerabilities present in most applications. To do the job right, you must assemble a toolkit of several complementary tools tailored to your applications and development processes.
To help you get started, we've put together an Enterprise Application Security Buying Guide. In it you'll find descriptions of application security testing tools and services for each stage of your software development life cycle. Use this information plus knowledge about your environment to determine which tools you need in your application security toolkit. Then, as you build it out, you can establish a framework for evaluating specific vendor offerings.