How to Choose an Application Security Testing Solution

January 13, 2014

You face the process of selecting the right application security testing solution for your organization. Everybody agrees it should be part of the SDLC and ultimately used by developers, testers or DevOps. Maybe it’s the first time you are introducing application security into the SDLC, or you have tried before and now wish to improve, realizing there is a tool out there much better for your needs.

Based on years of experience consulting with organizations on how to build secure development programs, we have compiled a list of the most important factors to consider. This list is based on the processes we have gone through with our customers and the lessons we learned together. Although the issues discussed are relevant to all organizations, the weight of each issue varies from one organization to the next.

Accuracy

  • MINIMIZES FALSE NEGATIVES WHILE FINDING REAL AND RELEVANT VULNERABILITIES

    It’s pretty clear why false negatives are bad. Nobody wants to be the organization that invested a lot of time and effort in its SDLC program and then made the news for being hacked.

  • DOESN’T CRY ‘WOLF’, ELIMINATES FALSE POSITIVES

    We all know the story of the boy who cried wolf. There is so much to do (develop, test, deploy), and whatever time you have is precious. Why waste it weeding out false positives because an application security testing solution decided to cry wolf 10,000 times?

  • DELIVERS MAXIMAL CODE COVERAGE, NO EXCUSES

    ‘We were told to comb the desert, so we’re combing it!’ – Spaceballs. It’s not about combing the desert with a fine-toothed comb; it is about making sure that everything that needs to be covered is indeed covered. No stone left unturned, all moves exhausted, all decks cleared, you get the point …

  • WORKS QUICKLY, TO FIT AGILE AND/OR CONTINUOUS DEVELOPMENT

    Because devs are developing, testers are testing, DevOps are deploying, continuous deployment is continuously deploying, and an application security solution should really just do its job, deliver top results and get out of the way quickly.

Clarity

  • PROVIDES CLEAR RESULTS – WHAT YOU SEE IS WHAT YOU NEED TO FIX

    You know that proverbial forest, the one you can’t see for the trees? It’s the same with application security testing. It should deliver clear, concise results, and those results should not obstruct the actual goal: delivering a secure application as quickly and efficiently as possible.

  • HELPS FORM A VULNERABILITY MANAGEMENT AND REMEDIATION PLAN

    Ask not what you can do for your application security testing solution; ask what your application security testing solution can do for you. It should help you secure your applications. It’s THAT simple.

  • ALLOWS DIFFERENT STAKEHOLDERS TO UNDERSTAND RESULTS AND ASSOCIATED RISK

    To each their own. That’s it.

  • ENABLES A LEARNING PROCESS FOR MORE SECURE CODE

    Instead of giving your devs a fish to eat, you want an application security testing solution that will actually teach them to fish, and be quick about it.

Simplicity

  • DOESN’T REENGINEER THE WHEEL – FITS INTO EXISTING DEVELOPMENT AND TESTING PROCESSES

    These processes took a long time to plan and to get working smoothly, and anything that shifts them too far off course will most likely get tossed aside.

  • DOESN’T REQUIRE EXTENSIVE TRAINING

    You already hate those employee turnover numbers as they are; why add another item to the list?

  • EASY TO DEPLOY, CONFIGURE, MAINTAIN AND SCALE

    For the same reasons mentioned above: people need to do their jobs, not take on extra work.

Business Goals

  • COMES WITHOUT HIDDEN COSTS

    Because few things are more upsetting than buying a shiny new toy and then discovering you need an army of consultants just to understand how it works.

  • DOESN’T TAKE A LIFETIME TO DEPLOY

    Because while you were reading this blog, Facebook suffered around 12,500 attacks. Your web application does not necessarily have a huge bullseye on its back like Facebook, but it still deserves to go live after it has been properly secured, not sit out there on the web shaking and terrified because you’re still busy trying to deploy that application security tool you bought two years ago.

So to sum things up…

We have outlined several factors that are important to consider when choosing an application security testing solution for your SDLC. These factors fall into four major categories: Accuracy, Clarity, Simplicity and Business Goals. They are listed so that each organization can weigh individually the factors it considers most important in its process.

We believe that the best application security testing solution is the one that addresses these factors as well as possible. BTW, check out Seeker.
