Application security testing is finally mainstream, after years of effort. Whether it’s compliance-driven or a result of the increasing realization that information security is about a lot more than just firewalls, application security testing is happening in most organizations. Here at CA Veracode, we test thousands of apps a year – and that number is only growing. All of this testing is great! It’s bringing awareness to security flaws that may have otherwise lived in the wild until being exploited. However, it has surfaced a larger, more challenging issue – what do you do after the test is complete and you have your results? “Fix them!” is the obvious answer – but it isn’t always that simple. Let’s talk about a few of the things that get in the way:
None of these are exactly technical problems – these are management issues. IT leadership and security and development teams can take a few strategies to ensure that application security testing leads to effective remediation:
CA Veracode helps support these activities in several ways. Our self-service testing platform makes it simple for developers to rescan applications. Additionally, our APIs can integrate with build platforms, simplifying the testing process even further. Our security consulting team is available to all customers to provide technical remediation support for flaws identified in the testing process. And our program management team helps to build effective application security testing processes.

Application security testing without a clear remediation plan can be, in some ways, worse than no testing at all. Testing without a remediation plan shows that the organization tried to find security flaws, but didn’t follow the process all of the way through. That is the type of mistake that can lead to some major finger pointing and potential liability in the case of a security breach. And while each organization is different, what consistently works in most cases is to empower both the security and development teams to take charge of their security testing processes, with the clear goal in mind of fixing the identified flaws. Nobody wants to release flawed code, but sometimes teams are pressured to do just that. Making security testing a seamless part of the development cycle will improve the overall security of the business, leading to happier customers, investors, and developers!