Get Creative with Your Application Security Strategy

Application Security does not have a silver bullet. No single solution or approach will protect an organization from being vulnerable to attack. Listening to the mindset of DevSecOps, “everyone is responsible for security”, organizations should ensure that they are focusing on security as part of each technology layer: perimeter, access, servers, open-source or third-party libraries, and custom application development.

As attackers continue to be inventive, the application security risk landscape remains ever-changing, and IT professionals are seeing an increase in attacks that are both relatively new (DDoS via Mirai Botnet) and tried-and-true (SQL Injections) threats. These real threats are costing businesses money from downtime, to fraudulent transactions, or to embarrassing data breaches.

However, typical approaches to security seems to be skewed towards the perimeter – not what lies behind it.

“84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1.” – Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)

With the historical lack of investment into application security, and perhaps fueled by recent announcements on cyber-attacks, IT organizations should have a renewed focus on security within the application and its components. CAST can help organizations reduce software risk and strengthen their application security:

CAST Highlight can be used to conduct a rapid portfolio-level analysis to immediately discover common open source frameworks in your application and soon be able compare those to known vulnerabilities provided by the CWE.
CAST Application Intelligence Platform (AIP) visualizes the current software architecture and provides an automated inspection to understand what elements connect to sensitive data structures. It identifies data call pathways that are safe and which are intrinsically vulnerable to attack while helping users understand what controls are needed to prevent common attacks and enforce new architectural constructs to keep the most sensitive data secure.

Whether you utilize solutions like CAST’s system-level analysis to build a software risk scorecard, or build your own security assessment, security should be at the forefront of application development. Protection is key, because attackers are not going to quit, so we can never let our guard down.

Filed in: Application Failure Application Quality Application Security Risk & Security Software Security

Open source is part of almost every software capability we use today. At the very least libraries, frameworks or databases that get used in mission critical IT systems. In some cases entire systems being build on top of open source foundations. Since we have been benchmarking IT software for years, we thought we would set our sights on some of the most commonly used open source software (OSS) projects. Software Intelligence Report <> Papers

In our 29-criteria evaluation of the static application security testing (SAST) market, we identified the 10 most significant vendors â€” CAST, CA Veracode, Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock, SonarSource, and Synopsys â€” and researched, analyzed, and scored them. This report shows how each measures up and helps security professionals make the right choice. Forrester Wave: Static Application Security Testing, Q4 2017 Analyst Paper

This study by CAST reveals potential reasons for poor software quality that puts businesses at risk, including clashes with management and little understanding of system architecture. What Motivates Todayâ€™s Top Performing Developers Survey

Kyle Christiansen Technical Solutions Architect

Kyle Christiansen is a Technical Solutions Architect at CAST and has more than a decade of experience as a software engineer and team manager. He has designed systems and product architectures to deliver personalized, secure and highly available apps.