Whiteboard Wednesday:

How to Choose the Right Application Security Testing Approach

December 12, 2018

In this week’s Whiteboard Wednesday, Coreen Wilson, Product Marketing Manager for Application Security, gives an overview of the CI/CD process and how web application security can fit in. Learn about the four foundational Application Security Testing (AST) approaches—static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and database security scanning—and understand which strategy is best suited for your organization (and your bottom line).

Video Transcript

Hello, and welcome to another thrilling episode of Rapid7's Whiteboard Wednesday. My name is Coreen Wilson and I'm the product marketing manager for application security, something that's on your mind. You want to know how I know that? It's because I recently read a report that Forrester released saying that application security spending is gonna reach in excess of $7 billion by 2023. Four years from now, the community is gonna be spending $7 billion to secure their web applications.

Show more Show less

And the reason why this is so critical, and why organizations like yours are investing is just because web apps are a critical part of the customer engagement process. Customers interact very quickly. Your applications have to be released very quickly.

So as a result of adopting a CICD model for this fast paced change into production, or pushing things into production, security just can't keep up. As a matter of fact, DHS says 90% of incidents result from an exploit based on software defects. So adapting tools that can integrate within your CICD process can be very, very challenging since there's so many out there. We do you start?

As a matter of fact, choosing multiple, up to eight different components of your application security is very common in a mature application security program. But if you're just starting out, what are you going to invest in? Well the US [inaudible 00:01:41] actually has four foundational solutions that you can start with, depending on what your priorities are. The first one is Sass, which is essentially a white box application security testing tool that tests what you know. Your code, your source.

DAST, which is a black box capability, is essentially testing things that you don't know anything about. You have no visibility into the source code, you can't access it. Software composition analysis actually tests third party or open sourcing code. And then finally database scanning, which essentially checks for patches and weak passwords and so forth.

Now, there is one other that didn't make the foundational list, and that's IAS. And the reason why that's probably a little bit more complex is because the industry has not found common ground on how to define the I in IAS, and what exactly it does.

Stay tuned for another Whiteboard Wednesday on that. At the end of the day, if you could only choose one because you're just starting your application security program and you don't have a lot of budget, send the pen testing for post production and your compliance requirements. And understand what's in the market based on your prioritization to mitigate risk, and spend wisely. That's it for this week's Whiteboard Wednesday, we'll see you next week.

Explore InsightAppSec

See how Rapid7 InsightAppsec can help you secure your modern web apps quickly and easily.

Get Started

Shifting Left: A Step-by-Step Guide to Embracing the DevSecOps Mentality

With this whitepaper, learn how you can develop a DevSecOps mentality and collaborate with development for more secure apps.

Read More