7 Things to Ask Yourself About Software Security

Software affects virtually every aspect of an individual – finances, safety, government, communication, businesses, and even happiness. Vulnerable software applications are a leading cause of enterprise data breaches,[1] creating headaches for IT organizations, and financial and legal liabilities for businesses. However, most software is never tested for security flaws – because conventional testing approaches are inefficient, inaccurate, and expensive.

If your organization is considering implementing or improving application security, ask yourself seven questions:

1.   What is my software development model?

You may be using Agile, DevOps and high velocity software development, or a more traditional “waterfall” model. Whatever your approach, consider how you’ll integrate security testing into your existing or planned processes with minimal disruptions. The most common approaches – static, dynamic, or manual analysis – require time to scan or review your software, more time for software security experts to weed through results, and even more time for developers to remediate vulnerabilities and experts to review the fixes. These cumbersome and time-consuming processes lead to the biggest problem: that most software is deployed without adequate security testing.

To nip this problem in the bud, look for a testing solution that’s accurate, developer-friendly, and causes minimal friction among development, operations, and application security teams. It should deliver automatic and instant results that enable frequent testing throughout the development lifecycle. And it should integrate with the tools your developers, testers, operations and security teams are already using.

2.   Where is my software being deployed?

Is your software being built to run on-premises, in the cloud, a hybrid of clouds & containers, or all the above? How will you test every application for every platform? An ideal testing solution is compatible with cloud, container and other virtualized environments. It should run automatically as part of any new application or API developed on that platform, and require no changes to network configuration on devices such as firewalls, proxy servers, or Web application firewalls. Look for a solution that assesses vulnerabilities with every application, across every application instance, on every platform.                         

3.   Does my software use third-party libraries and frameworks?

Open source and third-party libraries and developer frameworks bring consistency, accelerated development and convenience to developers – along with a larger code base and more vulnerabilities. The application security solution you choose should be able to analyze your libraries and frameworks for Common Vulnerabilities and Exposures (CVE®), and ­alert you if your libraries or frameworks are being used in an unsafe way. Your solution should discover all the components within an application, fingerprint them for vulnerabilities, and report continuously the exact bill of materials. It should also indicate which classes of a library are being executed, and eliminate needless remediation of unused components.

4.   Does my software include Web services, APIs and Microservices?

Instead of maintaining a monolithic code base, modern software developers use Microservices, APIs, and Web services to speed deployment and improve functionality. But these services make your code more complex, and harder to secure. The application security testing solution you choose should fully support testing complex protocols, data formats, and frameworks for Web services including SOAP and REST, XML and JSON, Microservices, and APIs. It should maintain a complete, up-to-date inventory of both internal and external Web services, and their relationships, across an enterprise at all times. It should deliver accurate and continuous results regardless of where the Web services are hosted – including data center, internal cloud, external cloud, and containers.

5.   Can it test all my applications?

Because legacy security testing solutions require experts to review results, organizations need to test serially, one app at a time. To test every application, you need a better tool and a better process. Your solution should support testing every application in your portfolio, continuously and in parallel, and deliver instant and accurate results. Finally, your solution should empower developers – even those with little or no security expertise – to find and fix their own vulnerabilities early in the development cycle.

6.   Will my tests be accurate?

Believe it or not, most application security testing solutions have a big problem finding vulnerabilities. Tools that do static analysis of source code produce high false positive rates – these are false alarms that drive your developers crazy. Dynamic analysis tools that test running applications generate lots of false negatives – these omissions leave your code vulnerable. Organizations using static and dynamic analysis rely on application security experts to carefully aim those tools, parse the results, and come up with remediation advice.

To ensure accuracy, look for a solution that performs deeper analysis: inside the application code, and while the software is running. It should examine HTTP requests and responses, and analyze source code, runtime data flow, configuration, libraries, and more. You will get a more accurate view of your vulnerabilities, and how to fix them, by using  an application security tool that can access many different sources of information, and combine analysis techniques.

7.   Do I need application security experts?

If your organization is lucky enough to have people dedicated to application security, here’s how you can maximize their value:

• Reduce the use of inaccurate application security tools
• Choose an application security tool that gives them visibility and control over the entire application portfolio
• Make it easy for them to set security policies across your application portfolio, and establish best practices throughout your organization
• Offload the remedial and tedious tasks from your application security team, so they can tackle the toughest problems 

Be sure to evaluate any application security solution carefully before making an investment. Look at your current and future needs. Consider vendors in the application security market today, and how well their solutions might work in your current and planned environment. If your organization is already implementing application security, ask yourself how well it’s working, or if it could benefit from changes in tools, people, or processes.  

[1] Source: 2016 Verizon Data Breach Investigations Report