How to Choose the Right Application Security Testing Approach

And the reason why this is so critical, and why organizations like yours are investing is just because web apps are a critical part of the customer engagement process. Customers interact very quickly. Your applications have to be released very quickly.

So as a result of adopting a CICD model for this fast paced change into production, or pushing things into production, security just can't keep up. As a matter of fact, DHS says 90% of incidents result from an exploit based on software defects. So adapting tools that can integrate within your CICD process can be very, very challenging since there's so many out there. We do you start?

As a matter of fact, choosing multiple, up to eight different components of your application security is very common in a mature application security program. But if you're just starting out, what are you going to invest in? Well the US [inaudible 00:01:41] actually has four foundational solutions that you can start with, depending on what your priorities are. The first one is Sass, which is essentially a white box application security testing tool that tests what you know. Your code, your source.

DAST, which is a black box capability, is essentially testing things that you don't know anything about. You have no visibility into the source code, you can't access it. Software composition analysis actually tests third party or open sourcing code. And then finally database scanning, which essentially checks for patches and weak passwords and so forth.

Now, there is one other that didn't make the foundational list, and that's IAS. And the reason why that's probably a little bit more complex is because the industry has not found common ground on how to define the I in IAS, and what exactly it does.

Stay tuned for another Whiteboard Wednesday on that. At the end of the day, if you could only choose one because you're just starting your application security program and you don't have a lot of budget, send the pen testing for post production and your compliance requirements. And understand what's in the market based on your prioritization to mitigate risk, and spend wisely. That's it for this week's Whiteboard Wednesday, we'll see you next week.