Many companies have invested heavily in network security, but that alone is not enough: a large share of cyber-attacks now take place at the application layer, and cyber criminals are increasingly targeting the application stack for exploitation.
According to the U.S. Department of Homeland Security (DHS), 90% of security incidents result from exploits against defects in software. The Forrester Wave: Application Security Report says that companies rush to build and use applications without thinking about the security of the application itself. The Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium, (ISC)², claims that 30% of companies never scan for vulnerabilities during code development. These are all astounding findings!
Companies need to improve how they find and fix vulnerabilities, and to reduce the risk created by the proliferation of vulnerable applications in daily use. A good application security program has to start with a systematic process for assessing code during development, with software assessments at every stage of the development process rather than only at the end of the cycle. Development teams are under significant pressure to produce functional applications quickly, and that emphasis on functionality and speed means security is generally left behind.
Companies face adversaries who are motivated by money, politics and other reasons to find vulnerabilities so they can steal sensitive and valuable information. One of the ways cyber criminals do this is by exploiting security vulnerabilities that were introduced, or left unremedied, during the software development cycle. Many companies require their developers to do only the bare minimum for security: scanning code once rather than continuously.
Static and dynamic analysis are two of the most popular types of security testing. There are many vendors in the market specializing in application testing and security: some are large, others are smaller and provide niche solutions. Companies must choose carefully which security testing to implement.
Typically, vulnerabilities found through static analysis have a higher fix rate than those found by dynamic analysis. Compared with dynamic analysis, static analysis is both more thorough and more cost-efficient, because it can detect bugs at an early phase of the software development life-cycle.
Current times and challenges require companies to be vigilant in securing sensitive data to avoid costly and embarrassing data breaches. As part of an overall security posture, companies must not overlook the value of static application security testing. Given the inherent risk involved, a single application vulnerability can cripple customer trust. Static application security testing is a must-have tool in any environment that develops applications.