Built-in security for Web Applications

When an organization develops an application that connects their servers to the public Internet, security should be one of the highest priorities. A malicious attack could compromise customer data and bring tremendous damage to the company’s reputation. 

Understandably, many companies are investing significant resources to avoid this situation. The current spending pattern is focused on corporate firewalls and anti-virus solutions. According to the Open Web Application Security Project (OWASP), up to 90 percent of security investment goes to the network level, but 97 percent of vulnerabilities are at the application level. In fact, Gartner estimates that up to 75 percent of attacks target applications and up to 85 percent of such application vulnerabilities are found at the source code level. Clearly, there is a mismatch between what is being done and what needs to be done to secure the data.

Because applications are what make data useful, they have access to the heart of an organization's critical data. Applications are front-facing and therefore exposed to attackers who are constantly trying to compromise the confidentiality, integrity and availability of that data.

Speed of development with Security

Increasingly, organizations are turning to the Agile methodology for software development, using cross-functional teams with an emphasis on speed to delivery. While security is acknowledged as important, developers often do not give it enough attention to make it as robust as necessary.

One solution is to automate the process and make security flaws much easier to spot and remedy. Interactive Application Security Testing (IAST) does just that. “An IAST solution like Seeker enables organizations to find confirmed exploitable vulnerabilities across multi-tier web applications by integrating dynamic testing and runtime code analysis into the development lifecycle,” says Olli Jarva, Senior Solutions Architect with Synopsys Singapore. “It even suggests possible fixes through identification of vulnerable lines of code and providing relevant, context-based remediation advice.”

In 2016, Forrester Consulting conducted a customer study on the Total Economic Impact of implementing Seeker into the development process. The results show security vulnerabilities were remediated up to 85 percent faster, and those fixes occurred earlier in the software development lifecycle (SDLC). It prevented security vulnerabilities from leaving the coding phase, therefore reducing reliance on external security testers. The solution also lowered the risk of a data breach, which equated to US$537,030 in avoided costs.

What to look for in an IAST solution

Firstly, look for a solution that is highly accurate in its analysis and designed to eliminate false positives. For example, Seeker achieves this by analyzing and correlating the end-to-end flow of data and runtime code execution using simulated attacks. Secondly, look for seamless automation within the SDLC, with no human intervention required. Next, it should be able to analyze data flow across multiple tiers and components, such as frontend, backend and database, to eliminate any blind spots. It should also support industry security standards and best practices such as PCI-DSS, the CWE Top 25 and the OWASP Top 10. And finally, developers who may not be security experts must find it easy to use: it should not only highlight security flaws but also provide everything needed to help developers fix the vulnerability and write better code over time.
