How application security testing needs to change in an agile, DevOps world


In today’s dynamic cyber-attack landscape, a robust security strategy that looks at all attack surfaces is critical. Enterprises must tirelessly assess their current state of readiness and continually improve governance and processes to stay a step ahead of malicious actors.

Applications are one of attackers' preferred vectors, with up to 90% of successful breaches happening at the application layer. To protect against this threat, organizations can take a proactive approach to application security by integrating security into their software development lifecycle (SDLC).

To help solve this application security conundrum, enterprises can leverage a consumption-based, automated application security testing as a service solution. Delivering speed, flexibility and cost savings, an application testing as a service approach can be broken down into two primary steps. First, a static application security scan uses software to scan source code for vulnerabilities and weaknesses that attackers could exploit. Second, dynamic application security testing provides vulnerability and penetration testing against the application in a runtime environment. That's not to say that application testing as a service is just a tools-based approach. Security experts should also delve into the reports to validate results and provide specific feedback for remediating the application to reduce risk and exposure.

Application security is multi-faceted. You have to consider security for new projects while continuing to identify risks in, and secure, existing applications. When undertaking transformation initiatives, modernizing and securing applications is essential. There are many advantages to opting for application security testing as a service. The on-demand component is what's exciting because it makes contracting much easier and more convenient. Because it's a consumption-based service, you don't have to sign up for a year's worth of work: you can scan one application or scan a hundred. You pay only for what you use rather than buying a license, installing the tool base, running the scans, and then trying to interpret the results by yourself.

Recent trends have made the need for on-demand application security testing even more essential. As enterprises move to agile development methodologies using DevOps environments to create applications, they have frequent code releases, often every one to two weeks. You don't want to be shipping code that is weak or has vulnerabilities, so you need to practice continuous security: a governed process that ensures application security is built into your processes and not just bolted on at the end.

This means that the testing portion of application security needs to move earlier in the development cycle rather than waiting until the entire code base is written, scanning it, and then finding a large group of errors. From an agile perspective, think of the power of having a scan run every time a developer saves code. It's very beneficial to give developers the ability to see errors before the code is committed, remediate those vulnerabilities, and protect the environment. It allows them to solve problems at scale rather than accumulating a mass of issues while they're coding applications.

The rise of mobile and cloud has also made testing more essential than ever. In mobile and cloud environments, especially public clouds, you give up some of your control over security, because you are now relying on external vendors and providers. If you can secure the application, you tighten it down and make it more difficult to breach the systems, reducing your risk exposure.

Finally, increasing government-mandated security regulations are driving the need for application security testing. Regulatory compliance is more complex and cumbersome than ever before. Regulations that mandate application security practices are becoming mainstream, and understanding them and integrating a secure software development lifecycle is key to prioritization, adherence to mandates, and protection of corporate assets and brand.

At DXC, we take a holistic view of application security. As part of a proactive approach, testing needs to be included as an integral component of your SDLC. You don't want to wait until the end and throw in security as an afterthought, because when you do that, you will begin to fail. As the need grows, on-demand application security testing gives enterprises the ease and pricing flexibility that make it an attractive option.


Jeff Misustin is a Principal on DXC's Application Security Portfolio Management team. Jeff brings more than 20 years of experience in the computer technology field in the public and private sectors. He has a breadth of experience focusing primarily on application services with specific global responsibilities for application security, along with experience in managing all facets of IT delivery. He has worked within complex environments, bringing innovative solutions to provide comprehensive, successful outcomes for clients.
