Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

The Application Security Testing Conundrum

It is my humble opinion that we have allowed our daily rush into an increasingly digital world to negatively affect our ability to address challenges. We look at the world in the sharp, square and discreet lens of digital and ignore the smooth and contiguous thinking of analog.

It is my humble opinion that we have allowed our daily rush into an increasingly digital world to negatively affect our ability to address challenges. We look at the world in the sharp, square and discreet lens of digital and ignore the smooth and contiguous thinking of analog.

This phenomenon can be readily seen in the world of software security, where there is a preponderance of binary sounding decisions that may have an analog solution. Static application security testing or dynamic application security testing? On premises or managed services? The answer may simply be “yes” with lots of shading based on each organization’s needs.

The funny thing about the rush to apply digital thinking to software security is that at its heart, software security is fighting a very analog pursuit. Yes, software is a digital manifestation, but identifying and exploiting flaws and bugs in software is a highly creative and largely human endeavor. In other words, it is a very analog exercise. Logic would say that to stop an analog exercise, analog thinking might be in order.

Code AnalysisLet me take the managed service versus on premises deployment question for example. My experience, validated by my discussions with industry analysts, is that organizations with a mature software security initiative (SSI) tend to use both methods. For high profile, high risk applications, they likely will do testing on premises with their own team and a set of tools. For the other applications in their portfolio, they use managed services to provide them full breadth of portfolio coverage without the need to invest in staff and additional products.

The analog answer in not just for mature organizations – An organization getting started with a testing program may have on premises as their goal. However, installing a new product, ramping up staff, establishing expertise, and building processes and procedures take time and push back the benefits of testing the software. The organization can use managed services to offload some of the initial testing while they ramp up the on premises testing machine, and slowly transition off managed services over time.

Back to the static versus dynamic question – It is well known that static and dynamic find very different vulnerabilities, and even when combined leave some vulnerabilities un-identified. Savvy organizations have learned how to use a mix of the two testing types to increase their coverage and lower their risk. They go even more analog by varying what test is applied to what application based on factors like risk.

How did we get to this digital thinking? As the software security market emerged and evolved, vendors appeared with solutions to the problem of testing applications, each taking a unique angle to the problem. Some were SAST, some DAST. Some on premises, some managed services. Then the marketing machines kicked in employing a derivation of Maslow’s Law of the Instrument – If your only tool is a hammer then every problem looks like a nail. The vendors set out to convince the market that their problem – the nail – could only be driven by a very specific hammer, which was of course their product or service. I often refer to the RSA Conference as a hammer salesperson convention.

In my previous article, “Make a New Year’s Resolution to Get Serious About Software Security”, I threw out several challenges. One was to challenge your application security testing vendor portfolio to ensure you have not been lulled into a status quo. Look for partners that take a more smooth and contiguous approach that blends multiple products and services so you are not artificially locked into digital thinking.

I also warned against the Box Checker mentality, which can also breed a highly digital mindset. This is because many organizations limit themselves to running tests simply to satisfy a regulatory mandate or another compelling event and are happy just to check the box. Such an approach naturally puts you on the path of least resistance where you seek the easy button product that will get the box checked. It lulls you into digital thinking.

My challenge for those involved in software security is to step away from a digital mindset and embrace some analog thinking. Walk away from the sharp edges and embrace a more open minded approach. Blend multiple products, offerings and approaches to what best fits the needs of your organization. Use the flexibility of this mindset to enable agility so the organization can quickly adapt to market conditions, emerging threats, and the evolution of the business. Eschew a cookie cutter approach for the right stuff for the job outlook. Don’t be afraid to engage new technologies to see what value they can bring your organization.

Take it to the next level – Consider how to break out of the traditional testing cycles and push testing deeper into the development cycle. Or get really analog and build security into every application by starting with secure architecture and design. You may find that some smooth, contiguous thinking puts you and your organization in a much better place to reduce risk and eliminate many of the common bugs and flaws found in software. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.