Application Security Terminology



Application Security Testing



What is application security testing?

Application security testing is the process of scanning and testing applications to identify and prevent security vulnerabilities in web applications, mobile apps and APIs.

Application security testing is performed continuously throughout the development and production phases of the software development lifecycle, helping bridge the gap between development, operations and security.

Key benefits of application security testing:

  • Discover and identify exploitable vulnerabilities in your web and mobile applications through continuous testing, assessments and risk management
  • Overcome skill shortages and skills gaps in security programs with an automated and scalable platform integrated into the ongoing application development process
  • Increase overall operational efficiency, address compliance and strengthen the organization's security posture, resulting in reduced business risk

Why is application security important?

Across all major industries, the number of vulnerabilities discovered per site per year has increased. According to the 2020 Global Threat Intelligence Report by NTT Ltd., nearly 55% of all attacks in the previous year were application-specific attacks.

Additionally, as more organizations embrace agile DevOps processes, more applications are being released faster than ever. The faster applications are released, particularly those composed of reusable components, the faster new vulnerabilities are introduced. Even as digital transformation requires that software be built faster, application security is needed to reduce an organization's overall business risk.

Over the years, our reports show that organizations that embed security testing within the SDLC achieve significantly better application security outcomes than those that do not. With the rise of strong privacy regulations like GDPR and the increasing potential for remotely accessible attacks, organizations should inspect web and mobile apps for privacy and protection of critical data. In recent years businesses have recognized application security as a business initiative and seen its value in increasing revenue, decreasing costs, and reducing operational risk.

What are application security testing tools?

Dynamic Application Security Testing (DAST)

Dynamic Application Security Testing (DAST) is an essential part of any application security program and is the frontline of defense. By continuously and automatically testing applications (in production and pre-production environments), organizations get an accurate window into the true risk surface of these applications.

DAST detects a wide variety of technical vulnerabilities including but not limited to the following:

  • Application Misconfiguration
  • Directory Indexing
  • HTTP Response Smuggling
  • Improper Input Handling
  • Insufficient Transport Layer Protection
  • OS Commanding
  • Remote File Inclusion
  • SQL Injection
  • XML External Entities
  • XQuery Injection
  • Content Spoofing
  • Fingerprinting
  • HTTP Response Splitting
  • Improper Output Handling
  • Mail Command Injection
  • Path Traversal
  • Routing Detour
  • SSL Injection
  • Injection
  • Cross-Site Scripting
  • Format String Attack
  • Improper File System Permissions
  • Information Leakage
  • Null Byte Injection
  • Predictable Resource Location
  • Server Misconfiguration
  • URL Redirector Abuse
  • XPath Injection

WhiteHat Sentinel Dynamic rapidly and accurately identifies vulnerabilities in websites and web applications. This industry-leading dynamic application security platform strengthens website security and is ready to scale to meet any demand.

Static Application Security Testing (SAST)

Static Application Security Testing (SAST) helps remediate critical code vulnerabilities earlier in the SDLC, before they become security risks. By detecting and remediating vulnerabilities before the software is deployed, organizations can address high-risk issues earlier and reduce the cost of AppSec remediation efforts.

SAST tools cover a variety of technical vulnerabilities including but not limited to the following:

  • Application Misconfiguration
  • Credential/Session Prediction
  • Directory Indexing
  • Insufficient Authorization/Authentication
  • Automatic Reference Counting
  • Cross Site Request Forgery
  • Information Leakage
  • Insufficient Transport Layer Protection
  • Insufficient Binary Protection
  • Cross Site Scripting
  • Injection Attacks
  • Interprocess Communication
  • OS Commanding
  • Insecure Cryptography
  • SQL Injection
  • Cryptographic Related Attacks

WhiteHat SAST customers use integrated Software Composition Analysis (SCA), which makes it easier to find and identify out-of-date third-party libraries and platforms. Inline SCA scanning embedded with SAST can help educate developers about the internal dependencies of inherited and legacy projects and code.

Mobile Application Security Testing (MAST)

Mobile developers often fail to secure mobile binaries, which are often the source of vulnerabilities and data leakage. Mobile application security focuses on finding and remediating software security vulnerabilities before apps move into production.

Mobile Application Security Testing scrutinizes a wide variety of vulnerabilities and privacy concerns on client, server, and network interaction including, but not limited to, the following:

  • Configuration Settings
  • Binary Analysis
  • Anti-Analysis
  • Jailbreak/Root Detection
  • Authentication/Authorization
  • Session Management
  • Cryptography
  • Data Handling
  • Data Storage
  • Handling of Personal Information
  • Certificates and cryptography

WhiteHat Sentinel Mobile is an industry-leading mobile application security testing solution that combines dynamic and static automated scanning and optional manual mobile application-layer penetration testing to produce safer mobile apps, faster.

API Security Testing

An Application Programming Interface (API) is a set of protocols and tools for building application software, allowing automation of common processes that interact with services. Most digital businesses rely on APIs to connect services and to transfer data. APIs are also the most common way that microservices and containers communicate.

The increased usage and proliferation of data sharing has increased the attack surface, making APIs the fastest-growing attack targets. Unprotected APIs can give direct access to sensitive customer data and intellectual property, opening the door to data breaches in otherwise secure and tested applications. Building an effective API security strategy is essential to identify and prevent API attacks.

API security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). Implementing API security testing is critical to prevent well-known attacks such as cross-site scripting (XSS) and SQL injection.

What are some application security testing best practices?

Some best practices:

  • Educate developers on how to build applications that are secure by design.
  • Practice zero trust. Assume all third-party applications are untrusted until validated.
  • Adapt business processes to include a risk analysis program, and use automated tools for in-depth testing and continuous monitoring. Combine DAST and SAST methodologies to achieve effective, long-term risk and cost reduction.
  • Build an effective API security strategy that includes comprehensive vulnerability scanning for web service APIs and for public, private and internal-facing APIs.
  • Mobile operating systems, architectures and development tools are significantly different from those of traditional web applications. Invest in more specialized training and appsec testing tools for secure mobile app development.

How to achieve evolutionary change in application security?

Level 1: Risk discovery and management

A phased approach to integrating appsec into the SDLC, together with monitoring the right set of metrics, results in a sustainable and scalable application security program within the organization. Incorporate DAST to discover risk, and use application security statistics such as 'window of exposure' and 'time to fix by risk' as key performance indicators to measure the success of your appsec program over time.

Level 2: Release Assurance

Aim to ensure that a new release candidate does not add additional risk compared to the application’s current release. Additionally, the organization must aim to ensure that remediation activities have been successful in reducing the application’s risk profile. Integrate DAST and SAST into your software development lifecycle and leverage the application security statistics such as 'average time to fix' and 'vulnerability likelihood by class (SAST)' to baseline your organization's 'Release Assurance' strategy.

Level 3: Developer Enablement

Educate and empower developers throughout the SDLC and add AppSec tools to the developer workspace. Organizations must aim to reduce the number of vulnerabilities developers might be introducing into the release pipeline by bringing assessment and education into their workspace. Developers must be provided with application security tools that can be run in the developer's own sandbox to eliminate security issues before they are committed to version control or the release pipeline.
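The Level 1 and Level 2 metrics named above ('time to fix by risk', 'window of exposure', and a release-assurance comparison between a baseline release and a release candidate) computed over a small set of constructed findings, as an added example that is not WhiteHat's code. The finding records, release tags, risk ranking and reporting dates are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

RISK_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings (not real scan output):
# (finding id, risk, release in which it was first found, date found, date fixed or None if still open)
FINDINGS = [
    ("V1", "critical", "1.0", date(2023, 1, 10), date(2023, 1, 20)),
    ("V2", "high",     "1.0", date(2023, 1, 15), date(2023, 3, 1)),
    ("V3", "medium",   "1.1", date(2023, 2, 1),  None),
    ("V4", "critical", "1.1", date(2023, 2, 20), date(2023, 2, 25)),
    ("V5", "low",      "1.1", date(2023, 3, 5),  None),
]
PERIOD_START = date(2023, 1, 1)  # constructed reporting period: Q1 2023
AS_OF = date(2023, 4, 1)         # constructed reporting date (end of the period)

def is_open(finding, day):
    """A finding is open on 'day' from the day it was found until (excluding) the day it was fixed."""
    _, _, _, found, fixed = finding
    return found <= day and (fixed is None or day < fixed)

def time_to_fix_by_risk(findings):
    """Level 1 KPI: average days from discovery to fix, per risk level (fixed findings only)."""
    days = defaultdict(list)
    for _, risk, _, found, fixed in findings:
        if fixed is not None:
            days[risk].append((fixed - found).days)
    return {risk: sum(v) / len(v) for risk, v in days.items()}

def window_of_exposure(findings, start, end, min_risk="high"):
    """Level 1 KPI: days in [start, end) on which at least one finding at or above min_risk was open."""
    exposed, day = 0, start
    while day < end:
        if any(RISK_RANK[f[1]] >= RISK_RANK[min_risk] and is_open(f, day) for f in findings):
            exposed += 1
        day += timedelta(days=1)
    return exposed

def open_by_risk(findings, release, as_of):
    """Count findings first seen in 'release' that are still open on 'as_of', per risk level."""
    counts = defaultdict(int)
    for f in findings:
        if f[2] == release and is_open(f, as_of):
            counts[f[1]] += 1
    return dict(counts)

def release_adds_risk(findings, baseline, candidate, as_of):
    """Level 2 check: risk levels at which the candidate carries more open findings than the baseline."""
    base, cand = open_by_risk(findings, baseline, as_of), open_by_risk(findings, candidate, as_of)
    return {r for r in RISK_RANK if cand.get(r, 0) > base.get(r, 0)}
```

With the constructed data, release 1.1 fails the release-assurance check because it carries open medium and low findings that the 1.0 baseline does not, even though its critical finding was fixed within five days.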