When it comes to application security (AppSec), it’s important to note that no one testing type can uncover every flaw. Each tool is designed with a different area of focus, along with various speeds and costs – so it’s necessary to employ a mix of testing types.
A good way to think about AppSec testing types is to compare them to health exams. You wouldn’t have a cholesterol test and assume your annual physical was complete. Similarly, you shouldn’t conduct a static analysis scan and assume you’ve covered all the bases.
In the chart below, you’ll notice that static analysis works on any type of application (web, desktop, mobile, etc.) and covers a broad range of programming languages. However, it can’t find business logic flaws or alert you to known vulnerabilities in open source components.
Penetration testing might look like it can uncover every vulnerability, but it too has its downsides. Penetration tests are manual, so not only are they time-consuming and expensive, but their results also go out of date quickly. And, since penetration testing is conducted in staging or production, it often creates unplanned work for the development team.
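The point that static analysis cannot alert you to known vulnerabilities in open source components is easiest to see by looking at what that check actually is: a lookup of declared component names and versions against an advisory list, not an analysis of code. The following is an added illustration of that software composition analysis (SCA) step, not code from the original post or from Veracode. The advisory entries, the lockfile contents, the package names and the `EXAMPLE-ADV-*` identifiers are all constructed placeholders for the example.

```python
"""Toy software composition analysis (SCA) check.

Added illustration, not Veracode code. The advisory data below is
constructed for the example; the identifiers are placeholders, not
real vulnerability ids, and the package names are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    advisory_id: str
    severity: str


# Constructed sample advisories (placeholder ids, hypothetical packages).
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-0001", "high"),
    Advisory("examplelib", "2.0.0", "2.1.0", "EXAMPLE-ADV-0002", "medium"),
    Advisory("toyparser", "0.1.0", "", "EXAMPLE-ADV-0003", "critical"),
]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically.

    Comparing version strings lexically is a classic SCA bug:
    '1.10.0' < '1.4.2' as strings, but not as releases.
    """
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text):
    """Parse pinned 'name==version' lines; comments and blank lines are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned dependency cannot be matched reliably; refuse it.
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version, adv):
    """True if `version` falls in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not adv.fixed or v < parse_version(adv.fixed)


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (package, version, advisory_id, severity) for each matching advisory."""
    findings = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.severity))
    return findings


# Constructed sample lockfile for the demonstration.
SAMPLE_REQUIREMENTS = """\
# constructed sample lockfile
examplelib==1.3.0
toyparser==0.2.5
safelib==3.0.0
"""

if __name__ == "__main__":
    for pkg, ver, adv_id, sev in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{sev.upper():8} {pkg}=={ver} affected by {adv_id}")
```

Nothing in this check reads a line of application source, which is why a static analyzer that only inspects your own code has no way to produce these findings; conversely, this lookup says nothing about how the component is used, so it cannot replace static or dynamic analysis of the code that calls it.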
Most organizations know that they need to implement several testing types. In fact, a recent survey sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) revealed that more than 71 percent of organizations use more than 10 different AppSec tools. But of the organizations surveyed, 84 percent answered that the number of AppSec tools they employ is posing a challenge.
Multiple testing types are necessary for a mature AppSec program, but they can be challenging to manage.
Why do multiple testing types cause a challenge at many organizations? Because most AppSec vendors only offer one or two testing types. So if an organization chooses a vendor that only offers static analysis, and they want to add more testing types, they have to employ more vendors.
Multiple vendors can be challenging for an organization to manage because the scan metrics will appear on separate dashboards, which makes it difficult to assess risk across the enterprise. The ESG study confirms this challenge with over 40 percent of respondents citing AppSec metrics as an ongoing issue.
34 percent of ESG survey respondents plan to consolidate vendors to alleviate the burden of multiple testing types.
Finding one vendor that offers a comprehensive set of AppSec tools – like Veracode – can alleviate the burden of vendor management. Veracode offers static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing, which, used together, can enable your organization to drive down risk across the entire application lifecycle, from development to testing to production.
Veracode Analytics provides metrics for all five offerings in one central location. Having metrics in one place allows organizations to assess the value of their scan types, pinpoint where further investments are needed, and compare the success of their program to similar organizations in the industry. Organizations can share the findings from their analytics with stakeholders or executives to show the return on investment or make a case for an increased AppSec budget.
Veracode application analysis tools cover web and mobile apps, as well as microservices in most major programming languages and frameworks, and development teams can automate analysis in the pipeline with Veracode's integrations.
By integrating tools into the pipeline, developers can easily conduct scans early and often, resulting in reduced security debt and faster time to deployment.
For additional information on AppSec tool proliferation, and to learn more about the 34 percent of respondents planning to consolidate vendors, check out the ESG report, Modern Application Development Security.