IT organizations implement security at many levels or layers, but one area that is sometimes overlooked is application-layer security.

Application security testing tools enable IT professionals, security specialists and software developers to discover, analyze and fix security problems. The goal is to minimize vulnerabilities and prevent exploitation.

Application security tools are an alternative to the time-consuming and error-prone method of manual code review and are used by various teams in an IT organization, most notably information security, application development and quality assurance.

In a recent 451 Alliance information security survey of IT professionals, 14% of the participants cited application security as one of their top three ‘pain points.’

[Figure 1: 013019-Figure1.JPG]

The need for application security is increasing rapidly, in part due to applications being more frequently accessed over networks.


Application Security Tools


Application security can include a number of potentially interrelated yet distinct types of software testing tools, including:

  • Dynamic Application Security Testing (DAST)
  • Static Application Security Testing (SAST)
  • Interactive Application Security Testing (IAST)
  • Runtime Application Self-Protection (RASP)
  • Software Composition Analysis (SCA)

Some of these tools require a high level of security and/or programming expertise, while others are more automated and can be used by non-specialists. These tools can be used at all stages of application development, from initial design through production.


Choose Your Weapon


Knowing which tool to use depends in part on the type of code being tested. For example, SAST tools are often used for source code analysis, which typically requires access to the application source code. As such, these tools are often used to analyze in-house custom-developed applications. In contrast, DAST tools are typically used for analysis of software in its running state, often in cases where the testers do not have access to the source code.

IAST tools analyze potential security vulnerabilities from within the application, typically in its running state, using software instrumentation and a combination of DAST and SAST techniques. IAST tools are becoming popular in agile development and DevOps environments characterized by continuous integration/continuous delivery (CI/CD) activity.

SCA tools are often used to analyze common (widely used) software components and libraries and are becoming popular for testing open source software.

Many of these tools can be used in conjunction with each other – although mixing tools from different vendors can pose compatibility and integration challenges.


Adoption Status


In this 451 Alliance survey, 37% of organizations reported they currently deploy application security products.

[Figure 2: 013019-Figure2.jpg]

Another 10% say they are in pilot/proof of concept, and 16% plan to implement application security within the next two years. However, the fact that 37% of enterprises have no plans to implement these tools indicates that these organizations could be at risk.


Vendor Landscape


An interesting finding in this survey is the popularity of open source tools.

[Figure 3: 013019-Figure3.jpg]

The top four application security vendors ‘in use’ were IBM (26%), Qualys (20%), Tenable (18%) and Veracode (17%). Other vendors mentioned included Micro Focus (merged with Hewlett Packard Enterprise), WhiteHat Security, Checkmarx and Synopsys.


Types of Application Security Testing Tools


Regardless of the open source vs. commercial software debate, SAST and DAST – often used in combination – are still the dominant types of application security tools.

[Figure 4: 013019-Figure4.jpg]

Where Do You Run App Security Tools?


Ideally, IT organizations should run application security testing tools throughout the software development lifecycle (SDLC), including production. This is particularly important in the context of DevOps and continuous integration and continuous delivery (CI/CD) development environments. However, 23% of 451 Alliance members using these tools run them only on production applications.

[Figure 5: 013019-Figure5.jpg]

It should be noted that application security testing tools are not just used for internal testing of homegrown software. Other areas where these tools can be very useful include:

  • Cloud-hosted applications (cited by 45% of the respondents)
  • SaaS applications (32%)
  • Software developed by third-party partners (25%)

Barriers to Adoption


It’s easy to advise IT organizations to deploy software testing tools throughout the SDLC and production lifecycles and to use as many types of those tools as possible. But realistically, there are a number of reasons why organizations have not adopted these tools or are not fully using them.

As is the case for many emerging product categories, lack of staff expertise is the main factor holding back initial adoption or broader usage (37%).

[Figure 6: 013019-Figure6.jpg]

Despite these inhibitors, it’s clear from this 451 Alliance survey that organizations are increasingly focused on the application piece of the overall information security puzzle.