The gold standard for creating an application security (AppSec) program is – and always will be – to follow best practices. By following preestablished and proven methods, you can ensure that you are maximizing the benefits of your AppSec program.
Unfortunately, time, budget, culture, expertise, and executive buy-in often restrict organizations from following best practices. But that doesn’t mean that you can’t create an impactful AppSec program. You should aim to follow best practices but – when you can’t – there are practical first steps you can take to position your program for future improvements.
Ideally, you should be using every testing type – static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing.
Each AppSec test has its own strengths and weaknesses, with no one tool able to do it all. If you choose not to employ a specific test, you could be leaving your application vulnerable. For example, if you don’t employ software composition analysis, you may miss vulnerabilities in your third-party code. And if you don’t employ dynamic analysis, you could miss configuration errors. But by using all of the testing types together, you can drive down risk across the entire application lifetime from development to testing to production.
If you don’t have the funds or support to employ every AppSec testing type, you should always begin with the test(s) that will have the most impact, in the shortest amount of time, for the least amount of money. This will depend on factors like your release cadence, risk tolerance, and budget.
For organizations releasing software less than four times a year, manual AppSec scans will probably suffice. But if you release software daily or weekly – likely in a CI/CD fashion – you will need to automate your AppSec scans with each code commit.
You also need to consider the speed of different scan types. Static analysis can provide immediate feedback with each commit. Penetration tests, on the other hand, are much slower because they rely on a human pen-tester to review the code.
But speed isn’t the only concern. You also need to consider the risk of your applications. An application housing sensitive data – like banking information – needs to undergo more in-depth AppSec tests than a lower-risk application. In-depth AppSec tests, like penetration testing, may take longer but they are critical in preventing cyberattacks. It really comes down to weighing the risk vs. time to market. In some instances, it may be okay to release software with low- or medium-severity risks. But for high-severity risks, you should break the build until the vulnerability is remediated.
Budget is also a major factor. Penetration tests are considerably more expensive than other testing types. So, if you’re on a tight budget, frequent pen tests may not be feasible. You might be better off pen-testing on an annual or bi-annual basis.
Once you’ve successfully implemented the AppSec testing type(s) that provides the most value to your organization, it’s time to start making the case for additional scans. As always, consider your budget, risk tolerance, and technology when adding to your AppSec mix.
To learn more about AppSec best practices and practical first steps, check out our guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start, and keep an eye out for our upcoming best practices blogs.