In her years working in the security space, Veracode's SVP of Product Marketing and long-time security professional, Sam King, has often been asked whether companies should secure all their applications or only their most critical ones. We recently recorded a chalk talk with Sam in which she addresses this frequently asked customer question.

We have also added a transcript of the video below.

So I often get the question from customers – do I have to test all my applications or can I get away with just testing my most mission critical ones?

So here’s how I answer that – Why are you testing your applications to begin with? Ultimately it’s about protecting the data in your organization and applications are really the layer that sits around the data and transacts with it. So let’s imagine that this is the application layer that surrounds your data. But then you might have a website that your marketing department has created even for just a short time period, not even for the long term.

If you look at the attack trends that occurred in 2011, what you saw was attackers taking advantage of any externally facing web application. If you think about this web application here, which is not a mission critical application because it’s not touching this critical data, and if there is a SQL Injection vulnerability that exists in there, or if there is an XSS issue that exists in there – what we often saw happen in 2011, and even prior to that honestly, is that people took advantage of that particular vulnerability and used that to gain a foothold inside the network. Once they’re in, they use a series of other attacks to get into the data.

So, is it important to test all of your applications? Well, it sort of is, because all applications, particularly the externally facing ones, are your enterprise's new perimeter. That is the attack frontier, and that provides an opportunity for an attacker to take advantage of these types of vulnerabilities to get inside of your network. Now, do you have to test all of your applications using the most comprehensive testing techniques from the get go? No. You can take a very pragmatic approach to developing your application security program. It all starts with discovery: if you don’t know that an application exists, you can’t test it. So you have to start by discovering your applications, and then you can use a service such as Dynamic MP, standing for massive parallel, to get a very quick scan of all of your externally facing web applications. We did this for an organization where we tested 3,000 applications in eight days, so you get a very quick understanding of all the vulnerabilities that exist in your external perimeter.

Now that you have that done, you can start to advance your program a little bit more, and you could do what we call Dynamic DS, or deep scan. This is where you start authenticating to these web applications and start getting deeper into the functionality of the application, or you could start testing internally facing applications as well. Once you have that under your belt, you can go to what we refer to as Static Analysis. I liken this to genetic testing – this is where we are looking at the entirety of the code base of that application, so this (Dynamic MP) would be like getting a quick external temperature check, and this (Static Analysis) is like genetic testing. So you can perform differing and varying levels of inspection of your software to understand where the weaknesses are.

You don’t have to start here. You can start in a much simpler way and as your organization matures and develops all the processes around doing application security testing you can start to go down this path all the way to static analysis. That is how we would recommend that you test all of your applications very quickly and then progress down this path.
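To make the point from the chalk talk concrete, here is an added illustration (not part of Sam's talk or of any Veracode code) of the two bug classes she mentions on a throwaway marketing site: a SQL Injection in a campaign lookup and a reflected XSS in a confirmation page, each shown beside the fixed version. The table, the subscriber rows and the hostile inputs are constructed for the example.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: the subscriber table of a short-lived
    marketing microsite of the kind described in the talk."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT, campaign TEXT)")
    conn.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [
            ("alice@example.com", "spring2012"),
            ("bob@example.com", "spring2012"),
            ("carol@example.com", "webinar"),
        ],
    )
    return conn


def lookup_vulnerable(conn, campaign):
    """SQL Injection: the request parameter is spliced into the query text,
    so quote characters in it change the query's meaning."""
    sql = "SELECT email FROM subscribers WHERE campaign = '" + campaign + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, campaign):
    """Same lookup with a bound parameter: the driver hands the value to the
    database separately from the SQL text, so it is never parsed as SQL."""
    sql = "SELECT email FROM subscribers WHERE campaign = ?"
    return [row[0] for row in conn.execute(sql, (campaign,))]


def render_vulnerable(name):
    """Reflected XSS: user input is written straight into the HTML response."""
    return "<p>Thanks for signing up, " + name + "!</p>"


def render_safe(name):
    """Same page with the input HTML-escaped, so tags and attribute quotes in
    it are shown as text instead of being interpreted by the browser."""
    return "<p>Thanks for signing up, " + html.escape(name, quote=True) + "!</p>"


def demo():
    """Run both pairs against constructed hostile inputs and report what each
    variant does, so the difference is visible in one place."""
    conn = build_db()
    injected_campaign = "x' OR '1'='1"  # constructed SQL injection input
    injected_name = "<script>alert(1)</script>"  # constructed XSS input
    return {
        # The tautology turns a one-campaign lookup into a dump of every row.
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, injected_campaign)),
        # Bound as data, the same string matches no campaign at all.
        "sqli_safe_rows": len(lookup_safe(conn, injected_campaign)),
        # Raw reflection leaves an executable tag in the page.
        "xss_vulnerable_has_tag": "<script>" in render_vulnerable(injected_name),
        # Escaped output contains only &lt;script&gt; text.
        "xss_safe_has_tag": "<script>" in render_safe(injected_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The subscriber list here is exactly the kind of data a marketing site holds that nobody would call mission critical, which is the talk's point: the fix (parameterised queries and output encoding) costs almost nothing, while leaving the bug in place gives an attacker a foothold on an externally facing host. A quick dynamic scan of the kind described above would flag both issues without needing the source.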

If you would like to learn more about SQL Injection or XSS, you can download our cheat sheets here.
SQL Injection Cheat Sheet
XSS Cheat Sheet

About Niru Raghavan

Niru Raghavan joined the Veracode team in late 2011 as an Acquisition Marketing Manager. In this role, Niru is responsible for demand generation and program management primarily for online marketing programs. Prior to joining Veracode, Niru held positions of increasing responsibility at Liberty Mutual and Staples, successfully planning and implementing sophisticated online and offline marketing initiatives. She has managed product development efforts, launch activities and online marketing programs geared toward mid to large sized businesses in select vertical markets. Her specialties include product marketing, marketing strategy, and market research/analysis. She is also a keen web analytics enthusiast and Occam’s Razor by Avinash Kaushik is her all time favorite blog.

Comments (2)

IT Consulting Guy | March 28, 2012 10:23 pm

Thank you for the information on Dynamic MP. The video really makes a lot of sense. Amazingly enough, we also saw a lot of SQL and XSS attacks over the past few years. I just signed up for the XSS Cheat Sheet, thanks!

NRaghavan | March 29, 2012 9:20 am

Thank you for your kind comments on the post. We are glad you found it informative. If you need additional information on SQL injection, we also have a SQL Injection Cheat Sheet you can download from our site using this link:
