INTEGRATING APP SECURITY TESTING INTO SDLC

The key to gaining and sustaining competitive advantage in digital business will be in the development and continuous improvement of new IT-enabled capabilities and services for clients.

Applications are driving the digital business, so application security testing becomes one of the central methods for managing digital business risk. More applications mean less time to test each one. It is therefore essential to test frequently and continuously, with multiple techniques, throughout the Software Development Life Cycle (SDLC). The SDLC defines a framework and methodology for improving the quality of software and the overall development process.

As web application vulnerabilities are commonly among the most targeted and exploited, implementing a reliable and balanced security testing strategy is a must.
The selected application security testing strategy must include a variety of testing methods which should be leveraged at the different stages of development and prior to production.

Prior to the DevSecOps model, dynamic application security testing was performed towards the end of the software development life cycle. While this testing was effective in discovering vulnerabilities in the running application, remediating them late increased costs and delayed timelines. In the DevSecOps model, the security testing phases begin at the start of the life cycle. This ensures that vulnerabilities are discovered as early as possible, which helps to mitigate security risk and reduce costs to the application projects.
At the early stages of the SDLC, a primary testing method is static application security testing (SAST). SAST analyzes the application source code for vulnerabilities prior to compilation, at a stage where remediation is least expensive. A common drawback of SAST is the high number of false positive results it can generate.
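One practical way to keep SAST in the early pipeline stage without letting its false positives block every build is to gate on the tool's report and suppress findings a reviewer has already triaged. The script below is an added example, not code from the original article or from any particular SAST product: it reads a constructed report in the SARIF 2.1.0 format that most SAST tools can emit, applies a constructed baseline of accepted false positives, and fails the build only on new findings at or above a chosen severity.

```python
"""Gate a CI build on SAST results (SARIF 2.1.0), suppressing findings
already triaged as false positives. Report and baseline are constructed."""
import json

# Constructed SARIF report standing in for real SAST tool output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},  # hypothetical tool
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for non-security checksum"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "debug-enabled", "level": "note",
             "message": {"text": "Debug flag set in config"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 3}}}]},
        ]}]})

# Findings a reviewer has already triaged as false positives (constructed).
BASELINE = {"weak-hash|app/util.py"}

# SARIF result levels in increasing order of severity.
SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}


def finding_key(result):
    """Stable key per finding: rule plus file, so a small line shift in the
    source does not invalidate an accepted false positive."""
    loc = result["locations"][0]["physicalLocation"]
    return f'{result["ruleId"]}|{loc["artifactLocation"]["uri"]}'


def gate(sarif_text, baseline, fail_at="warning"):
    """Return (blocking, suppressed): keys that must fail the build and keys
    skipped because they are in the triaged baseline. SARIF defaults a
    missing level to "warning"."""
    blocking, suppressed = [], []
    for run in json.loads(sarif_text)["runs"]:
        for r in run["results"]:
            key = finding_key(r)
            if key in baseline:
                suppressed.append(key)
            elif SEVERITY[r.get("level", "warning")] >= SEVERITY[fail_at]:
                blocking.append(key)
    return blocking, suppressed


if __name__ == "__main__":
    blocking, suppressed = gate(SAMPLE_SARIF, BASELINE)
    print("suppressed:", suppressed, "blocking:", blocking)
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI stage
```

Keeping the baseline in version control alongside the code means each suppression is reviewed like any other change, and the exit code lets the same check run unchanged in any CI system.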
Once the code is compiled and the application is in a running state, the Dynamic Application Security Testing (DAST) method is normally employed. DAST identifies vulnerabilities in the running application by simulating web attacks against it. The benefit of DAST is that it helps to identify and confirm exploitable vulnerabilities and risk in the application as deployed.
Before the application is deployed into production, an application penetration test is recommended. The penetration test blends automated DAST techniques using a scanning tool with manual testing performed by a security professional. The manual testing detects business logic, design and other vulnerability classes that automated scanners cannot find. The aptitude and qualifications of the penetration tester are of utmost importance.
Given the speed at which applications are being developed and their dynamic delivery models, it is crucial to establish a security testing process as soon as possible. The cost to remediate late may be too high and failure to test early in the SDLC could introduce a massive security risk to your business. Make security testing an integral part of your security strategy, supported by your security policies and exercised diligently. The time to start is now.

Orenda Team