Demystifying the myth of an AppSec silver bullet
Can a single approach to application security solve all of your problems? Relying on a single testing solution to protect your applications is like trying to protect your house from burglars with a single alarm. Now imagine the house is packed with highly valuable possessions and sits in a dangerous neighbourhood, which is roughly the situation of your publicly exposed applications. Few would feel confident that one alarm adequately protects them.
Similarly, there is no “silver bullet” when it comes to application security testing – any experienced AppSec professional knows that. To mitigate the risk of software exposure, you need to integrate security throughout your SDLC. It’s all about multiple layers, and multiple touchpoints. While it may seem obvious that no single application security solution can fully protect your applications, let’s break it down to really understand why that is.
Effective application security programs use testing solutions that scan code statically during development (SAST) and also test the running application at run time, either by probing it from outside (DAST) or by instrumenting it from inside (IAST). Why are both required? Firstly, because each finds different classes of vulnerability. Run-time testing is better at detecting deployment and configuration flaws, which exist only in the deployed environment and are invisible in source, while static testing finds injection flaws such as SQL injection more easily, because it can trace untrusted input through the code to the query that consumes it. Secondly, with the speed of today’s development cycles, and the speed with which software changes and the threat landscape evolves, it would be naive to assume that applications are vulnerability-free once the development phase ends, or that code at run time doesn’t need to be tested. Both types of testing are therefore needed, since neither finds what the other does.
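To make the static-testing side of that point concrete, here is an added example (not code from the original post or from any Checkmarx product) of the kind of check a static analyser performs for SQL injection: it parses Python source, treats DB-API style `execute()`/`executemany()` calls as SQL sinks (an assumption for the illustration), and flags any call whose query text is assembled at run time by concatenation, `%`-formatting, `str.format` or an f-string, including one hop through a local variable. The three snippets it runs over are constructed for the example.

```python
"""Toy static check for SQL injection: flag execute() calls whose query text is
assembled at run time. Added example, not Checkmarx code; the sink names and
the sample snippets below are assumptions made for the illustration."""
import ast
from typing import Dict, List, Tuple

# Assumption: DB-API style cursor methods are the SQL sinks of interest.
SINK_NAMES = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the node builds a string from parts at run time."""
    if isinstance(node, ast.JoinedStr):                    # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                        # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                  # "...".format(x)
    return False


def find_sql_concat(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) for each sink call fed a dynamically built query.

    Follows one hop of data flow: a local name assigned a dynamic string and
    later passed to the sink is reported too. A real SAST engine follows the
    flow across functions, files and frameworks; this stays within one module.
    """
    tree = ast.parse(source)
    tainted: Dict[str, int] = {}                           # name -> line where it was built
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted[target.id] = node.lineno

    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SINK_NAMES):
            continue
        query = node.args[0]
        if _is_dynamic_string(query):
            findings.append((node.lineno, f"{func.attr}() receives a query built by string formatting"))
        elif isinstance(query, ast.Name) and query.id in tainted:
            findings.append((node.lineno,
                             f"{func.attr}() receives '{query.id}', built by string formatting on line {tainted[query.id]}"))
    return sorted(findings)


# Constructed snippets standing in for code under review.
VULNERABLE = '''
def find_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor.execute(query)
'''

ALSO_VULNERABLE = '''
def find_user(cursor, username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")
'''

SAFE = '''
def find_user(cursor, username):
    # Parameterised query: the driver sends the value separately from the SQL text.
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''

if __name__ == "__main__":
    for label, snippet in [("vulnerable", VULNERABLE), ("f-string", ALSO_VULNERABLE), ("safe", SAFE)]:
        print(label, find_sql_concat(snippet))
```

The check reports the concatenated query on line 4 of the first snippet (traced back to its construction on line 3) and the f-string in the second, and stays silent on the parameterised version. It shows the limit of the static view as well: nothing here can tell you whether the database the query reaches is deployed with default credentials or listening on a public interface, which is exactly the class of finding the run-time side of the program has to supply.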
Beyond static and run-time testing, a software composition analysis (SCA) solution is also required. Today’s applications are largely composed of hundreds of open source libraries that can make up as much as 80% of the total code. With the speed of today’s development cycles, developers don’t have time to write every line of code from scratch, and why should they, when so much ready-made code is available? While there is no doubt that open source is the backbone of mass innovation, it also opens a huge door for attackers. Every vulnerability in an open source library that your developers use is, in fact, a vulnerability in your application(s), and that includes the transitive dependencies those libraries pull in. As such, it is not enough to look only at your proprietary code. Effective application security entails assessing your home-grown code as well as maintaining a continuously updated inventory of your third-party code and checking it against known vulnerabilities.
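The core of that third-party check is simple enough to show in a few lines. The following added example (not code from the original post or from any Checkmarx product) builds an inventory from a constructed `requirements.txt`-style lockfile, refuses unpinned entries because a version range cannot be audited, and matches each pinned version against a constructed advisory list that records the first affected and the fixed version. The package names, versions and `EXAMPLE-…` advisory identifiers are placeholders invented for the illustration, not real packages or CVEs.

```python
"""Toy software-composition check: build an inventory of pinned third-party
packages and match it against an advisory list. Added example, not Checkmarx
code; package names, versions and advisory identifiers are constructed."""
from typing import Dict, List, Tuple

# Constructed advisories: (id, package, first affected version inclusive, fixed version exclusive).
# Real SCA tools pull these from vulnerability databases; the IDs here are placeholders, not CVEs.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("EXAMPLE-2019-0001", "leftpad", "1.0.0", "1.2.3"),
    ("EXAMPLE-2019-0002", "jsonparse", "2.0.0", "3.0.0"),
    ("EXAMPLE-2019-0003", "crypto-utils", "0.0.0", "1.0.0"),
]

# Constructed lockfile in requirements.txt style.
LOCKFILE = """
# generated by the build; every dependency pinned to an exact version
leftpad==1.2.0
jsonparse==3.0.1
crypto-utils==0.9.4
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically.
    Assumes purely numeric dotted versions; pre-release tags would need a fuller parser."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Inventory: package name -> pinned version.

    Refuses unpinned entries: a range such as 'foo>=2.0' says nothing about
    which version is actually deployed, and only that version can be audited.
    """
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def audit(inventory: Dict[str, str],
          advisories: List[Tuple[str, str, str, str]] = ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed version, advisory id, fixed version) for every match."""
    findings: List[Tuple[str, str, str, str]] = []
    for adv_id, package, introduced, fixed in advisories:
        installed = inventory.get(package.lower())
        if installed is None:
            continue
        if parse_version(introduced) <= parse_version(installed) < parse_version(fixed):
            findings.append((package, installed, adv_id, fixed))
    return findings


if __name__ == "__main__":
    for package, installed, adv_id, fixed in audit(parse_lockfile(LOCKFILE)):
        print(f"{package}=={installed}: {adv_id}, upgrade to {fixed} or later")
```

Run against the sample lockfile, the audit flags `leftpad` and `crypto-utils` and clears `jsonparse`, which is already at or past its fixed version. Two practical points the toy makes visible: the inventory must come from the resolved lockfile rather than the top-level manifest, so that transitive dependencies are included, and the advisory data goes stale, which is why the inventory and the matching have to be re-run on every build rather than once per release.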
In order to have an effective application security program, it’s clear you need to make use of different tools and solutions throughout your SDLC. However, this does not necessarily mean that you need to handle each tool separately, from a different vendor. When it comes to AppSec solutions, the real secret to having your cake and eating it too is to find a vendor that offers a fully integrated platform that performs static, interactive, and open source testing. With a single integrated software security platform, you can gain more than you would with multiple siloed solutions. With an integrated platform, not only will you benefit from a single support point, reduced TCO, and better ROI; you will also gain from the product synergy that comes with integration, such as unified policies, correlation of results across the scan types, and centralized management.
To learn more about the need to scan both your static code and running application, check out our blog on The Power Couple in the DevSecOps Era
*** This is a Security Bloggers Network syndicated blog from Blog – Checkmarx authored by Stephen Gates. Read the original post at: https://www.checkmarx.com/2019/06/17/demystifying-the-myth-of-an-appsec-silver-bullet/