
Finding Software Vulnerabilities Before Hackers Do

Ken Prole, CTO, Code Dx

Security breaches are on the rise. However, many do not realize that most cyber security incidents, including the high-profile data breaches we all read about, can be traced back to an attacker exploiting a software vulnerability that was inadvertently put there when the code was developed. It is critical that businesses, whether they are building or buying software, take the necessary precautions to find vulnerabilities in software before the attackers do.

Vulnerabilities in applications can present themselves during the design and development of the application, as well as during upgrades and maintenance. With so many opportunities for threats, organizations need to take the proper steps to test their applications for any security holes throughout the entire software development lifecycle (SDLC). Despite the high risk of attacks, it is not uncommon for software teams to wait until the development process is complete before testing for weaknesses. This goes against industry best practices, which have proven that it actually costs a lot less, about 100 times less, to ‘build security in’ during the software development process than to fix the vulnerabilities after the software release.

What is Application Security Testing?

Application Security Testing (AST) tools and methodologies are becoming more widely adopted by software developers, Quality Assurance (QA) testers, and security analysts to identify holes in software applications. This does not only apply to software development companies; organizations often develop their own in-house applications, or even buy software solutions from third-party vendors. It is important, whether an organization builds or buys a software package, to ensure it does not contain any weaknesses that will make the data housed within the system vulnerable to exploits.

How to Do It

There are a lot of AST tools that can find thousands of weaknesses in an application. However, software developers, QA testers, and security analysts must understand that running only one application security testing tool, even the best on the market, misses most of the weaknesses in their code. There could be countless other flaws that the analysis tool is not seeing, some of which could be serious.
According to a study done by the National Security Agency’s Center for Assured Software, the average tool covers just eight of the 13 weakness classes (such as buffer handling, file handling, initialization and shutdown, and number handling), or 61.5 percent of the classes. The study also found that, within each of the 13 weakness classes, the average tool covers only 22 percent of the flaws. In other words, the total coverage for the average tool is only 14 percent. This is eye opening for many software developers, who have assumed that their vulnerability scanners cover a much larger area. Missing more than 80 percent of the weaknesses in the application’s code should not be acceptable for any organization.

Managing Multiple Tools

Tools also perform differently on different languages and on different weakness classes. For instance, different static analyzers are better suited to different purposes: some are, by design, better than others at finding particular types of vulnerabilities. As a result, using two or more tools provides greater vulnerability coverage.

It also streamlines part of the process. Because each one specializes in different weakness classes and different languages, using multiple tools naturally eliminates much of the overlap between them. In addition, when there is overlap, developers, testers, and security analysts can be more confident that the identified flaws are not false positives, and can focus on ensuring that those weaknesses are fixed.

Leveraging multiple tools does have its challenges, namely, the additional time required to set up and run the tools and compare the results. Comparing the results can be painstaking, as each tool produces a set of weaknesses with its own naming conventions and severity ratings. This is where software vulnerability management systems come into play. These systems show the results of each scan and identify the vulnerabilities that were found by each tool. They correlate and normalize the results to deliver a much smaller, consolidated set of vulnerabilities that are actionable, which eliminates the bulk of labor costs associated with application security programs.
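To make the correlate-and-normalize step concrete (and the point above that findings reported by more than one tool deserve more confidence), here is an added example that is not Code Dx's code or any real tool's output format. The two tools, their report fields, their severity scales and the sample findings are all constructed for illustration; the only real vocabulary used is CWE ids as the common naming scheme.

```python
"""Normalize findings from two hypothetical AST tools and correlate them.

Constructed example: tool names, report formats and findings are invented.
"""

# Tool A reports CWE ids directly and scores severity 1-5 (5 = worst).
TOOL_A = [
    {"file": "login.c", "line": 42, "cwe": 120, "severity": 5},
    {"file": "upload.c", "line": 88, "cwe": 22, "severity": 3},
]
# Tool B uses its own rule names and word-based severity levels.
TOOL_B = [
    {"path": "login.c", "line": 42, "rule": "buffer-overflow", "level": "critical"},
    {"path": "query.c", "line": 17, "rule": "sql-injection", "level": "high"},
]

# Mappings into one vocabulary (CWE) and one severity scale (1-4).
B_RULE_TO_CWE = {"buffer-overflow": 120, "sql-injection": 89, "path-traversal": 22}
B_LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_a(f):
    # Rescale 1-5 onto 1-4 so both tools share a severity scale.
    return {"file": f["file"], "line": f["line"], "cwe": f["cwe"],
            "severity": max(1, round(f["severity"] * 4 / 5)), "tool": "A"}


def normalize_b(f):
    return {"file": f["path"], "line": f["line"], "cwe": B_RULE_TO_CWE[f["rule"]],
            "severity": B_LEVEL[f["level"]], "tool": "B"}


def correlate(findings):
    """Merge findings that name the same file, line and CWE into one record.

    'tools' records which tools agreed (overlap = higher confidence) and
    severity keeps the highest normalized score seen for that weakness.
    """
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["cwe"])
        rec = merged.setdefault(key, {"file": f["file"], "line": f["line"],
                                      "cwe": f["cwe"], "severity": 0, "tools": set()})
        rec["severity"] = max(rec["severity"], f["severity"])
        rec["tools"].add(f["tool"])
    # Multi-tool findings first, then by severity: the actionable short list.
    return sorted(merged.values(), key=lambda r: (-len(r["tools"]), -r["severity"]))


def consolidated():
    return correlate([normalize_a(f) for f in TOOL_A] + [normalize_b(f) for f in TOOL_B])
```

Four raw findings collapse into three consolidated ones, with the buffer-handling flaw both tools agree on at the top of the list.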

Five Key Recommendations

Application security testing needs to be a core part of every organization’s information security strategy, whether it is developing its own software or purchasing applications from other sources. Remember the following five key aspects of a good AppSec program:

1. Variety - Adopt multiple AST techniques to make sure that you cover as many vulnerabilities as possible.
2. Manage - Use a software vulnerability management system to combine the strengths of your tools, and to correlate and normalize their results.
3. Focus - Don’t get overwhelmed. The thousands of weaknesses that will be identified can’t all be fixed, but not all of them have to be. Work through an initial subset.
4. Prioritize - Focus on the most important weaknesses first. Starting with the OWASP Top 10 can help you focus on the most critical vulnerabilities.
5. Integrate - Make sure the testing process is part of the SDLC workflow. It is much less expensive to address issues early rather than waiting until after a release is complete.