Security testing is complicated. Application security tools require a lot of security-related effort and knowledge to use effectively. This is why many companies are looking for simple security solutions in the cloud.
In the last two years, I have been leading the development of a new software-as-a-service (SaaS) offering called Application Security on Cloud. It is a simple, Web- facing offering that enables you to run security testing for mobile, Web and desktop applications.
As you can guess, security is a top priority at IBM, especially when building these kinds of tools. We incorporate strong security practices in every step of our software development life cycle (SDLC), starting with the design all the way through to actual deployment and production environment testing. As part of our security practices, we are also required to run our own security tools on our own code and applications. We use both on-premises tools and the new cloud tools that we are building.
Security Testing Challenges? You’re Not Alone
While developing our product, my team has encountered similar challenges to the ones that our customers face — actually, we have a lot in common with our customers. We are a large enterprise company with many compliance and internal regulations, and we are required to use automatic security tools as part of the process of building applications and solutions.
Before I dive into hybrid cloud/on-premises security testing, we first need to consider the direction that most companies are moving in.
A few years back, most companies had only on-premises environments. They might have had their public site deployed in the cloud, but they did all their testing — including security testing — internally. As cloud evolved and people started to get more comfortable using cloud services, this also included security testing.
Learn How to Effectively Manage Application Security Risk in the Cloud
Another shift that we are seeing is more and more companies moving toward a hybrid environment. A hybrid environment is a cloud computing environment that uses a mix of on-premises, private cloud and third-party public cloud solutions.
Why Security Testing in the Cloud?
There are three main reasons why people are using cloud security tools instead of the traditional on-premises tools:
- Ease of use. The cloud-enabled tools are usually a lot easier to use and run. There is no deployment process and very minimal training required, if any.
- More flexibility. You have a wider range of prices and the ability to run more than one type of scan (DAST/SAST), all in the same place.
- Constant updates. You don’t have to worry about updating to the latest version; you are always up to date with the latest security policies.
So why are people still using on-premises security tools? It depends; the cloud is not a good solution for everyone. Some companies prefer to manage their own security. They have strict regulations and don’t want their data exposed in the cloud. They might have legacy tools and data that they still need to support, and there might be missing capabilities that only the on-premises tools can offer.
Whatever the reason, what we are seeing more and more is a demand for a hybrid solution of cloud and on-premises security. Companies want to be able to continue working with their on-premises security tools in order to meet their own regulations and support their internal environments but, at the same time, get all the benefits of cloud security solutions.
As we developed our own cloud offering, we wanted a well-orchestrated solution. We wanted to be able to run scans both on-premises and in the cloud. We wanted to be able to push the results from each environment but control where the data goes. We wanted to be able to integrate to other systems like our build and IDE and also to have everything centralized in a single risk management dashboard. We wanted a good hybrid cloud/on-premises solution.
To conclude, as we move more and more toward hybrid solutions in general, a hybrid security testing environment looks like a natural development and something many companies will be focusing on in the coming year.
Learn How to Effectively Manage Application Security Risk in the Cloud
Development Manager for Application Security on Cloud, IBM