What’s the initial recommendation for building a strong application security program?
Use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) in tandem.
Why is using SAST + DAST impactful for security effectiveness?
Certain code vulnerabilities are quicker and easier to remediate during development, which is when static testing (SAST) is best employed. Other errors show up only in dynamic testing (DAST) of applications once they are in production. However, certain vulnerabilities such as SQL injection and Cross-Site Scripting are likely to be found by both testing regimens – these are the errors most critical to address. Every vulnerability fixed during development improves the security posture of the production application. That said, SAST errors are still taking an average of 113 days to remediate, which is not nearly fast enough.
What benefits do organizations reap from taking a risk-based approach to remediating application security flaws?
Remediation priorities need to be set based on the criticality of the software errors found. Vulnerability ratings depend on many factors, and an error that one organization considers critical may be considered medium-risk by another. Software developers need more education from security teams to understand the risk levels of different vulnerability types. Remediation is too often prioritized by the path of least resistance (i.e. the easiest flaws are fixed first). Most organizations still need to adopt risk-based remediation processes.
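As an added illustration (not code from the original page), the Python sketch below correlates constructed SAST and DAST findings so that flaws reported by both regimens rise to the top, and contrasts the risk-based ordering described above with the easiest-first ordering it warns against. The per-type severity policy, the component mapping used to match a DAST route to SAST code, and the use of the 113-day figure as an overdue threshold are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    vuln_type: str      # e.g. "sql_injection", "xss"
    component: str      # assumed: org-maintained mapping of file/route to a component
    effort_hours: int   # estimated fix effort (what "path of least resistance" sorts on)
    days_open: int
    sources: set = field(default_factory=set)  # which regimens reported it

# Constructed sample findings, not output from any real scanner.
SAST = [Finding("sql_injection", "orders", 8, 120, {"sast"}),
        Finding("xss", "profile", 2, 30, {"sast"}),
        Finding("hardcoded_secret", "config", 1, 5, {"sast"})]
DAST = [Finding("sql_injection", "orders", 8, 120, {"dast"}),
        Finding("xss", "profile", 2, 30, {"dast"}),
        Finding("missing_headers", "frontend", 1, 2, {"dast"})]

# Hypothetical organisation-specific severity policy; another org may rate these differently.
POLICY = {"sql_injection": 4, "xss": 3, "hardcoded_secret": 3, "missing_headers": 1}
SLA_DAYS = 113  # the page's reported average time-to-fix, reused here as an overdue threshold

def correlate(sast, dast):
    """Merge findings that SAST and DAST both report into one record carrying both sources."""
    merged = {}
    for f in sast + dast:
        key = (f.vuln_type, f.component)
        if key in merged:
            merged[key].sources |= f.sources
        else:
            merged[key] = Finding(f.vuln_type, f.component, f.effort_hours,
                                  f.days_open, set(f.sources))
    return list(merged.values())

def risk_score(f, policy=POLICY):
    score = policy.get(f.vuln_type, 2)      # unknown types default to medium
    if f.sources >= {"sast", "dast"}:
        score += 2                          # confirmed both in code and at runtime
    if f.days_open > SLA_DAYS:
        score += 1                          # already past the acceptable window
    return score

def risk_order(findings, policy=POLICY):
    """Risk-based queue: highest score first, older findings first on ties."""
    return [f.vuln_type for f in
            sorted(findings, key=lambda f: (-risk_score(f, policy), -f.days_open))]

def least_resistance_order(findings):
    """Easiest-first queue, shown only to contrast with the risk-based one."""
    return [f.vuln_type for f in sorted(findings, key=lambda f: f.effort_hours)]
```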
Should Application Security testing methods also be integrated with the SDLC?
Yes, all organizations must implement application security procedures earlier in their SDLC. It has been proven faster and less costly to catch and fix flaws earlier rather than later. Routine security testing in development makes resulting production applications stronger. Organizations that integrate multiple kinds of testing regimens (e.g. DAST, SAST, mobile, etc.) directly with their SDLC see the best results. Today’s application security platforms extend visibility and control even further with Software Composition Analysis, API testing, training and other services.
Will adopting DevSecOps for Application Security provide a competitive advantage?
Organizations adopting DevOps practices must extend them to application security practices as well. The time is now. Many enterprises are starting to make DevSecOps real, and real-world examples of working DevSecOps programs prove its advantages. Positive, not punitive, collaboration between the security team and application developers is the best way to build an application security Center of Excellence.