According to a recent Forrester report, the application security market will exceed $7 billion by 2023, with security scanning tools leading. Clearly, organizations increasingly understand that securing their application layer is important, and they are prepared to invest substantial resources in protecting it.
What Are Organizations’ Needs from AST Tools?
The growing number, complexity, and variety of application types that organizations are using demand comprehensive testing solutions. With teams moving from traditional web applications to modern applications leveraging client-side software and micro-services architecture, innovative testing capabilities are needed.
A highly secure software development life cycle (SDLC) and an effective DevSecOps practice have become critical objectives for engineering and security teams. The application security testing (AST) market is full of solutions, each promising software development organizations the best testing tools to help them address the threats to their applications’ security. However, as the security threat landscape continues to evolve, choosing the best AppSec testing tools is just the first challenge. Organizations also need to figure out how to best orchestrate the AST tools they are using in order to get the most out of them without losing valuable time.
Cybersecurity Insiders’ Application Security Report revealed that when cybersecurity professionals were asked what the most important criteria were when selecting an application security tool or service, 54% listed ease of integration as most important, followed closely by pricing/licensing (53%), scalability (44%), accuracy (40%), and ease of use (39%).
From: Security Insiders 2018 Application Security Report
The Value Trade-Off in Today’s AST Tools
Gartner distinguishes between three main styles of AST: Static AST (SAST), Dynamic AST (DAST), and Interactive AST (IAST). Unfortunately, no one tool can cover all of the criteria that the experts in Cybersecurity Insiders’ report listed, which means that organizations have to compromise on some kind of value trade-off.
For example, SAST solutions can provide complete code coverage, promising organizations full visibility over their code base. Unfortunately, they also weigh security experts down with a high number of false positives, requiring them to spend valuable time working through long lists of findings to separate the real vulnerabilities from the noise. This also slows down the development process, since development teams are then sent back to fix security vulnerabilities, often late in the game when remediation is more expensive.
After the time-consuming task of eliminating false positives is finished, security experts need to prioritize the security issues, addressing the critical ones first. Prioritization needs to be calculated by security experts and should be based on the likelihood of a vulnerability being exploited, along with additional severity scoring methods.
On the other hand, while DAST and IAST tools detect the vulnerabilities that can actually be exploited at runtime and threaten an organization’s security, they don’t provide full coverage or full code visibility.
Another issue that organizations have realized they need to address is open source vulnerabilities. While SAST, DAST, and IAST promise to test applications for vulnerabilities in their proprietary code, they don’t cover open source components, which today comprise 60%-80% of software products. Open source security vulnerabilities require a separate set of tools and processes that organizations have to integrate into their SDLC.
Organizations often end up using as many as five different tools to cover all aspects of application security testing. While this helps to ensure reasonable coverage, orchestrating and reconciling the results from all of them makes the process heavy, slow, and costly, and requires security experts to do it.
As the AST process becomes more complex, vulnerability management tools, which aim to solve this problem, are evolving in the AST space. Vulnerability management tools offer an overlay on top of all of the dynamic and static testing tools. These solutions consolidate alerts from multiple sources, correlate and deduplicate findings, and export the information to help users streamline their vulnerability management workflow. Though vulnerability management tools can add value to security defect remediation efforts, they typically require additional integration effort.
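The consolidation step described above, together with the prioritization step discussed earlier (ranking by severity and likelihood of exploitation), can be sketched in a few dozen lines. The block below is an added illustration, not code from the article or from any vendor's product. The tool names, field names, fingerprint rule, and score weights are assumptions chosen for the example; the input findings are constructed sample data and the advisory identifiers are placeholders, not real advisories.

```python
"""Added example: consolidate findings from several AST tools, deduplicate
overlapping reports, and rank the survivors by severity plus exploitability.
All field names, tool names, weights and sample data are assumptions."""
from dataclasses import dataclass, field

# Constructed sample findings, shaped like normalised SAST/DAST/SCA output.
# 'severity' is a CVSS-style base score (0-10). 'confirmed' means a dynamic or
# interactive tool reproduced the issue at runtime; 'exploited' means the SCA
# feed flagged the advisory as exploited in the wild. Both flags are assumed
# inputs, not anything a specific real tool is known to emit.
SAMPLE_FINDINGS = [
    {"tool": "sast-a", "kind": "code", "cwe": "CWE-89", "path": "app/db.py", "line": 42, "severity": 9.8},
    {"tool": "dast", "kind": "code", "cwe": "CWE-89", "path": "app/db.py", "line": 42, "severity": 9.0, "confirmed": True},
    {"tool": "sast-b", "kind": "code", "cwe": "CWE-89", "path": "app/db.py", "line": 44, "severity": 8.0},
    {"tool": "sast-a", "kind": "code", "cwe": "CWE-79", "path": "web/views.py", "line": 17, "severity": 6.1},
    {"tool": "sast-a", "kind": "code", "cwe": "CWE-79", "path": "web/views.py", "line": 17, "severity": 6.1},  # exact duplicate
    {"tool": "sca", "kind": "component", "advisory": "placeholder-advisory-1", "package": "libfoo", "version": "1.2.3", "severity": 7.5, "exploited": True},
    {"tool": "sca", "kind": "component", "advisory": "placeholder-advisory-2", "package": "libbar", "version": "4.0.0", "severity": 9.1},
]


@dataclass
class Finding:
    key: tuple                  # fingerprint used for deduplication
    kind: str                   # "code" (proprietary code) or "component" (open source)
    severity: float = 0.0       # highest score reported by any contributing tool
    tools: set = field(default_factory=set)
    confirmed: bool = False     # reproduced at runtime by DAST/IAST
    exploited: bool = False     # known exploited per SCA feed


def fingerprint(raw: dict) -> tuple:
    """Dedup key: same weakness at the same code location, or the same
    advisory against the same package version. (Assumed matching rule.)"""
    if raw["kind"] == "code":
        return ("code", raw["cwe"], raw["path"], raw["line"])
    return ("component", raw["advisory"], raw["package"], raw["version"])


def consolidate(raw_findings) -> list:
    """Merge raw findings from all tools into one record per fingerprint,
    keeping the highest severity and OR-ing the runtime/exploit evidence."""
    merged = {}
    for raw in raw_findings:
        k = fingerprint(raw)
        f = merged.get(k)
        if f is None:
            f = merged[k] = Finding(key=k, kind=raw["kind"])
        f.severity = max(f.severity, float(raw["severity"]))
        f.tools.add(raw["tool"])
        f.confirmed = f.confirmed or bool(raw.get("confirmed", False))
        f.exploited = f.exploited or bool(raw.get("exploited", False))
    return list(merged.values())


def priority(f: Finding) -> float:
    """Severity plus bonuses for evidence of exploitability (assumed weights):
    runtime confirmation or known exploitation outrank a bare static score,
    and agreement between two tools adds a little confidence."""
    score = f.severity
    if f.confirmed:
        score += 3.0
    if f.exploited:
        score += 3.0
    if len(f.tools) > 1:
        score += 0.5
    return round(score, 1)


def rank(raw_findings) -> list:
    """Consolidated findings, most urgent first."""
    return sorted(consolidate(raw_findings), key=priority, reverse=True)


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority(f):5.1f}  {f.kind:9s} {f.key[1:]}  tools={sorted(f.tools)}")
```

With the sample data, seven raw alerts collapse to five findings. The SQL injection that both a SAST tool and the DAST scan reported at the same location ranks first, and the exploited 7.5 component advisory lands above the unexploited 9.1 one, which is the point of prioritizing on likelihood of exploitation rather than on raw severity alone.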
At the end of the day, a combination of today’s legacy AST tools (mainly the SAST ones) provides development teams with a nearly endless list of vulnerabilities and a limited capability to prioritize their remediation, not to mention any other actionable remediation insights or advice.
Closing the Gap from Vulnerability Detection to Remediation
In order to implement a comprehensive and efficient application security testing strategy, organizations need tools that take them beyond vulnerability detection. These tools should help them prioritize the most urgent vulnerabilities and provide real-time remediation support.
One major aspect here is that the developer trusts the code advice received as part of these solutions. This means having confidence in the quality of the advice and in how it integrates into their working IDE environment. In addition, vulnerability prevention should be added to the application security testing process to help developers avoid vulnerabilities before they are added to their projects. We need to start thinking outside the box to find ways to prevent vulnerabilities beyond the developer training tools offered today.
Lacking prioritization and remediation, developers often find themselves spending as many as 12-36 hours a month addressing vulnerability fixes. When it comes to application security testing, it appears that most tools are missing the mark. The goal should be efficient and timely remediation of vulnerabilities rather than just detection. Currently, a combination of AST tools provides development teams with never-ending lists of alerts, while they still lack the tools to achieve their end goal, which is remediation.
All of these advanced AST features — prevention, prioritization, and remediation, in addition to detection — should be implemented as part of a DevSecOps approach. AST tools should integrate automated testing into more phases of the development life cycle, as far left (during design and coding) and as far right (in deployment and production) as possible.
The Future of Application Security Testing: Covering All of Your Assets
Organizations today need to ensure that the application security testing tools they are using are providing them with complete visibility and control of coverage for both proprietary and open source vulnerabilities, throughout the development life cycle.
But that’s not all. AST tools need to go beyond alerting teams about vulnerabilities. They need to enable them to swiftly address security vulnerabilities, remediating them without slowing down development.
As the AST space evolves, organizations will be able to implement a DevSecOps approach to application security that covers vulnerability prevention, detection, prioritization, and remediation automatically, throughout the SDLC.