
The Application Security Testing Conundrum

It is my humble opinion that we have allowed our daily rush into an increasingly digital world to negatively affect our ability to address challenges. We look at the world through the sharp, square and discrete lens of digital and ignore the smooth and contiguous thinking of analog.

This phenomenon can be readily seen in the world of software security, where there is a preponderance of binary-sounding decisions that may have an analog solution. Static application security testing or dynamic application security testing? On-premises or managed services? The answer may simply be “yes”, with lots of shading based on each organization’s needs.

The funny thing about the rush to apply digital thinking to software security is that at its heart, software security is fighting a very analog pursuit. Yes, software is a digital manifestation, but identifying and exploiting flaws and bugs in software is a highly creative and largely human endeavor. In other words, it is a very analog exercise. Logic would say that to stop an analog exercise, analog thinking might be in order.

Let me take the managed service versus on-premises deployment question as an example. My experience, validated by my discussions with industry analysts, is that organizations with a mature software security initiative (SSI) tend to use both methods. For high-profile, high-risk applications, they will likely do testing on premises with their own team and a set of tools. For the other applications in their portfolio, they use managed services to get full breadth of portfolio coverage without the need to invest in staff and additional products.

The analog answer is not just for mature organizations. An organization getting started with a testing program may have on-premises testing as its goal. However, installing a new product, ramping up staff, establishing expertise, and building processes and procedures take time and push back the benefits of testing the software. The organization can use managed services to offload some of the initial testing while it ramps up the on-premises testing machine, and slowly transition off managed services over time.

Back to the static versus dynamic question: it is well known that static and dynamic testing find very different vulnerabilities, and even when combined leave some vulnerabilities unidentified. Savvy organizations have learned how to use a mix of the two testing types to increase their coverage and lower their risk. They go even more analog by varying which test is applied to which application based on factors like risk.

How did we get to this digital thinking? As the software security market emerged and evolved, vendors appeared with solutions to the problem of testing applications, each taking a unique angle on the problem. Some were SAST, some DAST. Some on-premises, some managed services. Then the marketing machines kicked in, employing a derivation of Maslow’s Law of the Instrument: if your only tool is a hammer, then every problem looks like a nail. The vendors set out to convince the market that their problem – the nail – could only be driven by a very specific hammer, which was of course their product or service. I often refer to the RSA Conference as a hammer salesperson convention.

In my previous article, “Make a New Year's Resolution to Get Serious About Software Security”, I threw out several challenges. One was to challenge your application security testing vendor portfolio to ensure you have not been lulled into a status quo. Look for partners that take a smoother and more contiguous approach that blends multiple products and services, so you are not artificially locked into digital thinking.

I also warned against the Box Checker mentality, which can also breed a highly digital mindset. Many organizations limit themselves to running tests simply to satisfy a regulatory mandate or another compelling event and are happy just to check the box. Such an approach naturally puts you on the path of least resistance, where you seek the easy-button product that will get the box checked. It lulls you into digital thinking.

My challenge for those involved in software security is to step away from a digital mindset and embrace some analog thinking. Walk away from the sharp edges and embrace a more open-minded approach. Blend multiple products, offerings and approaches into whatever best fits the needs of your organization. Use the flexibility of this mindset to enable agility, so the organization can quickly adapt to market conditions, emerging threats, and the evolution of the business. Eschew a cookie-cutter approach in favor of a right-tool-for-the-job outlook. Don’t be afraid to engage new technologies to see what value they can bring your organization.

Take it to the next level: consider how to break out of the traditional testing cycles and push testing deeper into the development cycle. Or get really analog and build security into every application by starting with secure architecture and design. You may find that some smooth, contiguous thinking puts you and your organization in a much better place to reduce risk and eliminate many of the common bugs and flaws found in software.

Jim Ivers is Senior Director of Marketing for the Software Integrity Group at Synopsys. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Cigital, Jim was the CMO at companies such as Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.