Why Do I Need Another Application Security Tool?

If you’re like most organizations, you’ve got an array of application security tools.  Some of them are probably used a lot, some are incredibly irritating, some never seem to work, and some are shelfware.  You’ve probably got a mix of open source and commercial tools as well.

Software Development Moves Faster than Security

But the application security landscape keeps on moving. Tools that provided good value just a few years ago are barely functional now.

Here are just a few of the advances in software development that are making security analysis more difficult. Even for human code reviewers and security testers, these advances make application security hard to test.  Static and dynamic tools haven’t advanced much in the past decade, and these advances are preventing them from working on an ever-increasing number of applications.

• Service Oriented Architecture – Services are basically impossible for dynamic scanners to test because the interface and responses are essentially unknown.  Static tools can’t handle the proliferation of frameworks. 

• Custom Protocols and Data Formats – Dynamic tools can’t intercept and decipher these custom formats, and static tools can’t recognize the custom parsers as potentially dangerous input.

• Libraries and Components – Explosive growth in the use of components has dramatically increased the size and complexity of applications, making both static and dynamic less effective. 

• Frameworks – Application frameworks have their own sophisticated security controls that are difficult to verify. Their sheer complexity makes security analysis harder.

• Agile and DevOps – Continuous integration and delivery require continuous security results, and traditional application security approaches can’t scale. 

• Portfolio Scale – It’s not uncommon for enterprises to have hundreds or thousands of applications. Clearly solutions have to scale easily, and that means no experts involved.

So, the question is, when is the right time to add another application security tool?  As I look at the future of software and where these trends are going, I think it’s pretty easy to predict that organizations are going to continue pushing application software development.  Applications are going to continue to get larger and more complex, process increasingly sensitive data, and use more components and frameworks. In addition, it’s pretty clear that software development will continue to accelerate, leaving most traditional security activities in the dust.

Is It Time for a New Tool?

Ask yourself if your tools are compatible with the way you expect to be building applications as you go forward. For most software development organizations, I think the following factors are critical.

• Continuous – As software development continues to accelerate, security tools have to be able to provide real time results continuously during development, test, staging, and even production.  Otherwise they will irritate development and won’t get used. Continuous tools also save money by getting developers feedback instantly and early in the lifecycle. If your application security tools aren’t continuous, it’s time to change.

• Scalability – Application portfolios aren’t getting any smaller, yet traditional tools struggle just to cover a small percentage of your applications. The key to scalability is that your security tools have to be easy for anyone to use, even if they don’t know anything about security.  If they require experts to install, configure, run, or handle the results they simply won’t scale. If your appsec tools can’t operate at portfolio scale, it’s time to change. 

• Coverage and Accuracy – Nothing will kill an application security program faster than false alarms. These non-findings take just as long as real vulnerabilities to investigate, so they are expensive and frustrating with zero benefit. If you don’t feel like your tools are analyzing your applications with good vulnerability coverage and excellent accuracy, it’s time to change.

Software development is a fast-moving unstoppable juggernaut. So application security has to adapt to changes in the way we build software.  And that means constantly evaluating whether your toolset is compatible with the way you build software.

Developing a robust application security program does not need to be a daunting task...

Perhaps, all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress to 100% coverage. By implementing eight functions within an enterprise you can assemble an effective application security program.