The other night on “The Big Bang Theory,” the character Sheldon referenced Archimedes: “Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.” In other words, with the right tool (the lever) and support (the fulcrum), anything can be accomplished. But when it comes to solving our cybersecurity problems, things don’t always seem doable.
A big part of the problem is people. What’s the “hardest recruiting that there is on the planet today”? According to United States Chief Information Officer Tony Scott, it’s finding people with cybersecurity skills. And even if your company can find the right people, it’s a good bet they’re not going to come cheap.
This is especially true in the case of application security and testing. But while the application security skills gap widens, the need for better and faster testing of software has never been greater. Apps power our cars, our medical devices and our energy grids, and they house plenty of personal information.
We know we need to test our software for abuse cases and coding flaws, but we can’t find or afford the talent to do it. We don’t have the right lever, we don’t have the right support and we don’t have enough people with the talent to move that lever. While there is no way to replace an experienced, highly skilled application penetration tester, there are parts of the application security-testing puzzle that can benefit from the automation lever.
Let’s take a look at where and how automated application security testing can be leveraged to address the cybersecurity skills gap.
It’s almost a truism in the industry at this point: The earlier in the software development life cycle that an error or exposure can be identified, the faster and cheaper it will be to eradicate it. This means building security into development during the requirement definition and architecture phases.
It also means catching coding errors as early as possible — preferably during implementation. Testing tools that integrate with the build process can provide developers with mission-critical early warnings on where and how their software is vulnerable. Additionally, smart tools that provide suggestions on how to fix the errors mean developers can remediate issues quickly and get back to work on functionality.
Not only is it hard to find the right skill set for app testing, it can also be challenging to find budget and resources to even set up the infrastructure for it. Very often, application testing requires separate servers, software and admins to configure and manage the systems.
Tuning software security testing tools takes skill, and few developers have the time or support to acquire those skills. But with a smart, cloud-based testing tool, developers don’t need to be experts in security testing, and companies don’t need to invest in additional hardware.
Whether your company is going agile or is post-DevOps, it’s a good bet that your development cycles are a lot faster than they were a decade ago. That means your security software testing has to be faster, too.
Developers need tools that can keep up with accelerated delivery schedules, such as the ability to upload code or applications to the cloud at night and have a full test report waiting the next morning. For even tighter turnaround times, teams can integrate cloud-based software security testing directly into the build environment.
About Those Pen Testers
You’ve built security in, the dev team is humming along with automated application and security testing in the cloud and updates and functionality are being pushed out every couple of days. Application security problem solved, right?
Well, not quite. As important and valuable as automated, cloud-based application security testing is, it’s not going to catch every problem — yet (but check back with us in a few years after we’ve expanded cognitive technologies in application security testing). Organizations still need to employ top-notch penetration testers to assess applications before launch and in production.
Automated application security testing isn’t about replacing human pen testers: It’s about spending scarce resource dollars as effectively as possible. Let the easy-to-recruit employees and cloud-based tests catch the vulnerabilities and errors that can be remediated early in the process. That way, the expensive, hard-to-recruit human testers can concentrate on finding truly complex problems.
Automation is your lever and the cloud is your fulcrum — now go move the application security testing world.
To Learn More
To test-drive IBM Application Security on Cloud for yourself, register now for our complimentary trial.