Introducing Application Security Testing into your Development Environment

The scale and complexity of attacks on websites and applications have increased significantly over the years. What started out as simple attacks by individuals has turned into large-scale, persistent campaigns run by organized criminal groups and nation-states.

One of the main challenges faced by organizations today is how to ensure that their website and application assets are protected from these threats.

A common first step for an attacker targeting a website or application is to scan it for known classes of vulnerability. Once one is found, running the matching exploit is routine. Hacking tools are easy to obtain and download over the internet, and you can even find so-called hacking service providers and outsource the grunt work to them.

So how do you protect your systems from these kinds of attacks? For starters, you can make application security testing tools a standard part of your security program.

Application Security Testing – DAST or SAST?

The two main kinds of Application Security Testing (AST) tools are Dynamic (DAST) and Static (SAST).

A DAST tool tests a running website's security posture from the outside, without access to its source code, by:

  • connecting to the site
  • crawling it
  • creating a map of all discovered web components (pages, forms, parameters)
  • sending crafted requests to each component and analyzing the responses for vulnerabilities
  • generating a report of the security findings
  • giving the appropriate mitigation steps for each finding

Common findings include SQL injection and cross-site scripting (XSS). A DAST tool is run against a live production or test environment, so it is in effect an automated penetration testing tool. Two caveats follow from that: it can only find flaws reachable through the application's interface, and because its probes submit real requests it can alter data, so run it against a staging copy rather than production wherever possible.
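The following is an added example, not code from the original post or from any vendor's product. It models the DAST workflow above in miniature: a hypothetical target application (constructed here, with an in-memory SQLite database standing in for the backend) is probed through its request interface only, a crawl-discovered "site map" is assumed rather than crawled, and each parameter is sent SQL injection and reflection probes. The hardened variant of the same application is scanned alongside it to show what a clean result looks like.

```python
import sqlite3
from html import escape

# Constructed in-memory database standing in for the application's backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

DB = make_db()

def vulnerable_app(endpoint, params):
    """Hypothetical target: builds SQL by concatenation and echoes input raw."""
    if endpoint == "/search":
        sql = "SELECT name, email FROM users WHERE name = '" + params.get("name", "") + "'"
        try:
            rows = DB.execute(sql).fetchall()
        except sqlite3.Error as e:
            return 500, "Database error: " + str(e)
        return 200, "<ul>" + "".join(f"<li>{n}: {m}</li>" for n, m in rows) + "</ul>"
    if endpoint == "/hello":
        return 200, "<p>Hello " + params.get("user", "") + "</p>"
    return 404, "not found"

def hardened_app(endpoint, params):
    """Same endpoints with parameterised SQL and HTML output encoding."""
    if endpoint == "/search":
        rows = DB.execute("SELECT name, email FROM users WHERE name = ?",
                          (params.get("name", ""),)).fetchall()
        return 200, "<ul>" + "".join(f"<li>{escape(n)}: {escape(m)}</li>" for n, m in rows) + "</ul>"
    if endpoint == "/hello":
        return 200, "<p>Hello " + escape(params.get("user", "")) + "</p>"
    return 404, "not found"

# Site map the crawl step would normally discover: endpoint -> parameter names (assumed here).
SITE_MAP = {"/search": ["name"], "/hello": ["user"]}

SQLI_PAYLOADS = ["'", "' OR '1'='1"]   # error-based probe, then a tautology
XSS_PAYLOAD = "<dastprobe>"            # harmless marker; reflected verbatim means no output encoding

def scan(app):
    """Black-box scan: returns (endpoint, parameter, finding) tuples."""
    findings = []
    for endpoint, names in SITE_MAP.items():
        for p in names:
            _, baseline = app(endpoint, {p: "dastbaseline"})
            # SQL injection: a lone quote causing a server error, or a tautology
            # returning rows the baseline request did not.
            for payload in SQLI_PAYLOADS:
                status, body = app(endpoint, {p: payload})
                if status == 500 or ("<li>" in body and "<li>" not in baseline):
                    findings.append((endpoint, p, "sql-injection"))
                    break
            # Reflected XSS: the probe string comes back unencoded.
            _, body = app(endpoint, {p: XSS_PAYLOAD})
            if XSS_PAYLOAD in body:
                findings.append((endpoint, p, "reflected-xss"))
    return findings

if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app))
    print("hardened:  ", scan(hardened_app))
```

The detection logic is deliberately the simplest that works: a real scanner adds many more payloads, timing and out-of-band checks, and response diffing, but the shape is the same, which is why a DAST tool can only report on parameters it managed to discover and reach.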

SAST, on the other hand, is used by developers, analysts or security auditors to scan for vulnerabilities at the source code level (some products also analyze compiled bytecode or binaries). It can be a standalone application or an extension or plugin to an existing IDE such as Eclipse or Visual Studio. Because it sees every code path rather than only those reachable through the running application, it can catch flaws before there is anything to deploy, at the cost of more false positives that need triage than a DAST scan typically produces.

Cost Considerations

Ideally, you should build security assessment into your software development life cycle (SDLC) as early as possible. The later in the SDLC a flaw is found, the more expensive it is to fix and to close the resulting holes in your system.

It is cheaper to fix errors in the QA or testing phase than after you have published to production, and cheaper still to fix them during development, before the code reaches your QA team at all.

Avoid PR Nightmares

What happens if your website is compromised? If an attack succeeds and becomes public, you face a PR nightmare: loss of reputation, reduced customer confidence and, ultimately, lost business. The money you then have to spend on PR recovery and winning back clients can be staggering.

IBM Security AppScan

A good example of an application security testing tool is the IBM Security AppScan suite. For DAST, see IBM Security AppScan Standard; on the SAST side, there is IBM Security AppScan Source.


Gartner Magic Quadrant July 2013 – Application Security Testing

Regardless of which vendor or product you choose, the added layer of assurance and the return on investment from catching flaws early make a solid business case for including application security testing tools in your company's security infrastructure.