What features are critical to the success of your AppSec program?

The 2022 Gartner® Critical Capabilities for Application Security Testing report provides helpful guidance for teams looking to create an AppSec program optimized for their business needs.


There are two cars in my driveway right now. One was built in 1978, and what’s great is that it’s easy to work on. It’s a simple vehicle, and most repairs can be done with just half a dozen tools: two screwdrivers, three wrenches, and a hammer (you still need a hammer).

The other car was built in 2020, and I’m not working on that one. It’s far more sophisticated and complicated than the 1978, and my mechanic uses a dizzying array of specialist tools and diagnostic systems to make sure everything is working properly.

And the same goes for software. As the software we create has become more sophisticated and complicated, the range of security testing tools needed to test that software has grown. In fact, most organizations today use dozens of tools and techniques to test their software for vulnerabilities.

But which should you use? The answer to this question depends on the type of software you develop and how you deliver it. Gartner® recently released its 2022 Critical Capabilities for Application Security Testing report. It provides an overview of the most important tools and techniques for five specific use cases, along with ratings and reviews of vendors who provide these tools. Let’s take a look at the report’s five use cases and the differences in their respective application security needs.


Maximize enterprise application security

Gartner defines the first use case as being focused on the needs of organizations with a wide range of applications and development methodologies and therefore requiring a holistic approach to application security. In other words, if your team is creating software that is not your product but rather the main enabler of your business (for example, it is the means by which your customers access your products or services), this use case applies to you (even if you are not a large organization).

The complex composition and delivery of enterprise applications requires that security be considered for all application components and at all stages of the application lifecycle. To meet these needs, organizations are increasingly adopting a supply chain risk management approach, where multiple tools are used in concert to provide visibility and control of security risks across proprietary, open source, and third-party software and services, as well as the DevOps and cloud infrastructure used to deliver applications to end users.


Integrate security into DevOps

DevSecOps is perhaps the most widely used but least understood term in information security. Gartner simply states that this use case is focused on the requirements of organizations that invest heavily in DevOps and the rapid, iterative development and delivery of software that comes with it.

Unsurprisingly, for application security testing (AST), the focus is also on tools that support modern, developer-centric, and automated security analysis. Building security in DevOps requires teams to prioritize three things:

  1. Developer empowerment: providing developers with fast and effective tools that help them fix security flaws while they code.
  2. Smart AST orchestration: optimizing automated security testing and ensuring pipelines continue to operate at full speed.
  3. Risk-based vulnerability correlation: helping teams reduce the noise of their automated security test results so that remediation focuses on what matters most to the business.
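The third item, risk-based vulnerability correlation, is the one most often left to intuition, so here is an added example (not code from the Gartner report, from Synopsys, or from the original post) of what it looks like in practice. It takes findings from SAST, SCA, and DAST scanners, normalizes them into one schema, merges duplicates that describe the same weakness (CWE) in the same asset, and ranks the result by a risk score that folds in the asset's business criticality, its internet exposure, and whether a dynamic scan corroborated a static finding. The tool names, field names, asset inventory, severity weights, and sample findings are all constructed for illustration and are not the output format of any real scanner.

```python
"""Risk-based correlation of findings from several AST tools (added example).

Constructed scenario: three scanner kinds report into one pipeline. The goal
is fewer, better-ordered tickets, not a raw dump of every finding.
"""
from dataclasses import dataclass, field

# Constructed severity weights; a real program would map CVSS or tool scores.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}

# Constructed asset inventory: business criticality (1-3) and exposure.
ASSETS = {
    "orders-api": {"criticality": 3, "internet_facing": True},
    "admin-portal": {"criticality": 2, "internet_facing": False},
    "batch-reports": {"criticality": 1, "internet_facing": False},
}

# Constructed raw findings, already mapped to a common schema by the
# (hypothetical) per-tool importers that sit in front of this step.
RAW_FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "asset": "orders-api", "severity": "high",
     "where": "src/orders/repo.py:42"},
    {"tool": "dast", "cwe": "CWE-89", "asset": "orders-api", "severity": "high",
     "where": "GET /api/orders?id="},
    {"tool": "sca", "cwe": "CWE-502", "asset": "orders-api", "severity": "critical",
     "where": "pkg:pypi/example-serializer@1.2.0"},
    {"tool": "sast", "cwe": "CWE-79", "asset": "admin-portal", "severity": "medium",
     "where": "src/admin/views.py:118"},
    {"tool": "sast", "cwe": "CWE-79", "asset": "admin-portal", "severity": "medium",
     "where": "src/admin/views.py:118"},  # exact duplicate from a pipeline rerun
    {"tool": "sast", "cwe": "CWE-330", "asset": "batch-reports", "severity": "low",
     "where": "src/reports/ids.py:7"},
]


@dataclass
class Issue:
    """One weakness in one asset, possibly reported by several tools."""
    cwe: str
    asset: str
    severity: str
    tools: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    score: float = 0.0

    @property
    def confirmed(self) -> bool:
        """True when a dynamic scan corroborates a static or SCA finding."""
        return "dast" in self.tools and len(self.tools) > 1


def correlate(raw):
    """Merge findings that describe the same CWE in the same asset."""
    merged = {}
    for f in raw:
        key = (f["cwe"], f["asset"])
        issue = merged.setdefault(key, Issue(f["cwe"], f["asset"], f["severity"]))
        # Keep the highest severity any tool assigned to this weakness.
        if SEVERITY_WEIGHT[f["severity"]] > SEVERITY_WEIGHT[issue.severity]:
            issue.severity = f["severity"]
        issue.tools.add(f["tool"])
        issue.locations.add(f["where"])   # sets drop the rerun duplicate
    return list(merged.values())


def score(issue, assets=ASSETS):
    """Severity x business criticality, boosted for internet exposure and
    for corroboration by more than one tool kind."""
    asset = assets.get(issue.asset, {"criticality": 1, "internet_facing": False})
    s = SEVERITY_WEIGHT[issue.severity] * asset["criticality"]
    if asset["internet_facing"]:
        s *= 1.5
    if issue.confirmed:
        s *= 1.25
    return s


def prioritize(raw, assets=ASSETS, min_score=5.0):
    """Correlated issues at or above min_score, highest risk first."""
    issues = correlate(raw)
    for issue in issues:
        issue.score = score(issue, assets)
    kept = [i for i in issues if i.score >= min_score]
    return sorted(kept, key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for i in prioritize(RAW_FINDINGS):
        flag = "confirmed" if i.confirmed else "unconfirmed"
        print(f"{i.score:6.2f}  {i.asset:14} {i.cwe:8} {i.severity:8} {flag}  "
              f"tools={sorted(i.tools)}")
```

Run on the constructed input, the six raw findings collapse to three issues: the serializer CVE on the internet-facing orders API ranks first, the SQL injection that both SAST and DAST reported ranks second and is flagged as confirmed, the duplicated XSS finding becomes a single ticket, and the low-severity finding in the internal batch job drops below the threshold. The thresholds and multipliers are deliberately simple; the point is that the same inputs produce a short, ordered list instead of six unranked alerts.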


Integrate security into continuous testing

This is where the use cases start to overlap a bit. Gartner says this third use case focuses on the needs of organizations wanting to integrate AST into their CI environment and/or wanting to ensure their testing adapts to the changing attack surface of their applications. Many organizations have heavily automated testing programs, but may not consider themselves “DevOps shops”, or at least not yet.

Organizations in this category may seek to move from a manual dynamic application security testing (DAST) model to one centered on a combination of automated static AST (SAST), software composition analysis (SCA), and DAST. However, many traditional DAST solutions do not integrate well into automated CI pipelines. Interactive AST (IAST) has become an automation-friendly alternative to traditional DAST, allowing teams that use test automation solutions like Selenium to turn their automated functional tests into dynamic application security tests.


Securing applications in the cloud

There is also considerable overlap between Gartner’s prescriptions for cloud-native applications and DevSecOps. The main difference is that DevSecOps puts a little more emphasis on developer empowerment, while cloud-native applications put a little more emphasis on the infrastructure as code (IaC) and containers that are at the heart of most cloud application environments.

Since many cloud-native applications are also “enterprise” applications, the focus on software supply chain security also applies here. However, it is important to understand the impact of cloud architecture on the attack surface of these applications, which typically use a mix of open source components, third-party APIs, serverless functions, containers, and IaC.


Meet the unique security needs of mobile and client applications

As the label indicates, the fourth use case focuses on software that runs on client hardware. For Gartner, this means mobile applications, which often require specialized testing tools and techniques to emulate the target mobile device(s) for the application.

However, many challenges for mobile applications also extend to other forms of client-side software, such as network device firmware, embedded software, and IoT devices. In most cases, testing of this software is difficult to automate, requires direct access to or emulation of the hardware, and includes testing of the APIs or network protocols used to communicate with other systems and services. If you’re building this type of software, you probably already have specialized tools for unit and integration testing. The challenge is to find complementary tools and services to test for security flaws.


Build your AppSec program

There’s no doubt that it can be difficult for security and development teams to assemble the right toolkit to give their users confidence that the software delivered to them is secure. But as Gartner illustrates in the Critical Capabilities for Application Security Testing report, if you step back and think about the use cases your team is trying to support, a framework for making your tool selections emerges.

As for me, I’ll stick to tinkering on the ’78 on the weekends and leave the diagnostics and service of the ’20 to the shop where they have the right tools (and skills) for the job!


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner is a registered trademark of Gartner, Inc. and/or its subsidiaries in the United States and internationally and is used herein with permission. All rights reserved.

Ryan H. Bowman