Application security: 2 Steps to Improve Your Secure Engineering


Application Security is rising on the CIO priority list. Looking to avoid big breaches, chief executives and boards are investing more in information security than ever before – reaching more than $90 billion this year.

With the rising prevalence of security postures, ideas and goals, there’s a lot of noise in the market about how to build the best AppSec program. But there are two main steps that should not be ignored. 

1. Invest in Static Application Security Testing

As we wrote in December, Forrester suggests that “[U]sing static application security testing (SAST) as part of prerelease application testing can remove vulnerabilities so attackers can’t exploit them in production. SAST remains the best prerelease testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing (DAST) have trouble finding.”

SAST solutions are gaining steam, and they are an important compliment to dynamic (DAST) and interactive (IAST) security testing practices.

2. Prioritize Application Security Violation Findings 

Conducting a contextual analysis of software can help reduce false positives that are frequently flagged by traditional code checking tools. In addition, contextual software analysis helps find more complex and sophisticated flaws, such as:

-Malicious code gaining forbidden access to data
-Lack of input validation
-Back door entry points

Most solutions that identify these vulnerabilities can be further customized to prioritize security violations important to your specific organization. It’s important to consider the OWASP Top 10 and CWE Top 25 most dangerous software errors in these cases.

Application Security Violation Finding

Following these two primary steps will help you build a better AppSec program that identifies complex software risks that have higher potential to cause disruption in business operations.

To learn more about SAST and get a complementary copy of the Forrester Wave on Static Application Security Testing, go here.

Get the Pulse Newsletter  Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST)  market, we identified the 10 most significant vendors — CAST, CA Veracode,  Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock,  SonarSource, and Synopsys — and researched, analyzed, and scored them. This  report shows how each measures up and helps security professionals make the  right choice. Forrester Wave: Static Application Security Testing, Q4 2017  Analyst Paper
This study by CAST reveals potential reasons for poor software quality that  puts businesses at risk, including clashes with management and little  understanding of system architecture. What Motivates Today’s Top Performing  Developers Survey
Srinivas Kedarisetty
Srinivas Kedarisetty Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.
Load more reviews
Thank you for the review! Your review must be approved first
New code

You've already submitted a review for this item