Application Security is rising on the CIO priority list. Looking to avoid big breaches, chief executives and boards are investing more in information security than ever before – reaching more than $90 billion this year.
With the rising prevalence of security postures, ideas and goals, there’s a lot of noise in the market about how to build the best AppSec program. But there are two main steps that should not be ignored.
1. Invest in Static Application Security Testing
As we wrote in December, Forrester suggests that “[U]sing static application security testing (SAST) as part of prerelease application testing can remove vulnerabilities so attackers can’t exploit them in production. SAST remains the best prerelease testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing (DAST) have trouble finding.”
SAST solutions are gaining steam, and they are an important compliment to dynamic (DAST) and interactive (IAST) security testing practices.
2. Prioritize Application Security Violation Findings
Conducting a contextual analysis of software can help reduce false positives that are frequently flagged by traditional code checking tools. In addition, contextual software analysis helps find more complex and sophisticated flaws, such as:
-Malicious code gaining forbidden access to data
-Lack of input validation
-Back door entry points
Most solutions that identify these vulnerabilities can be further customized to prioritize security violations important to your specific organization. It’s important to consider the OWASP Top 10 and CWE Top 25 most dangerous software errors in these cases.
Following these two primary steps will help you build a better AppSec program that identifies complex software risks that have higher potential to cause disruption in business operations.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the targetâ€™s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.