February 24, 2016 By Nir Almog 3 min read

Security testing is complicated. Application security tools require a lot of security-related effort and knowledge to use effectively. This is why many companies are looking for simple security solutions in the cloud.

In the last two years, I have been leading the development of a new software-as-a-service (SaaS) offering called Application Security on Cloud. It is a simple, Web- facing offering that enables you to run security testing for mobile, Web and desktop applications.

As you can guess, security is a top priority at IBM, especially when building these kinds of tools. We incorporate strong security practices in every step of our software development life cycle (SDLC), starting with the design all the way through to actual deployment and production environment testing. As part of our security practices, we are also required to run our own security tools on our own code and applications. We use both on-premises tools and the new cloud tools that we are building.

Security Testing Challenges? You’re Not Alone

While developing our product, my team has encountered similar challenges to the ones that our customers face — actually, we have a lot in common with our customers. We are a large enterprise company with many compliance and internal regulations, and we are required to use automatic security tools as part of the process of building applications and solutions.

Before I dive into hybrid cloud/on-premises security testing, we first need to consider the direction that most companies are moving in.

A few years back, most companies had only on-premises environments. They might have had their public site deployed in the cloud, but they did all their testing — including security testing — internally. As cloud evolved and people started to get more comfortable using cloud services, this also included security testing.

Learn How to Effectively Manage Application Security Risk in the Cloud

Another shift that we are seeing is more and more companies moving toward a hybrid environment. A hybrid environment is a cloud computing environment that uses a mix of on-premises, private cloud and third-party public cloud solutions.

Why Security Testing in the Cloud?

There are three main reasons why people are using cloud security tools instead of the traditional on-premises tools:

  1. Ease of use. The cloud-enabled tools are usually a lot easier to use and run. There is no deployment process and very minimal training required, if any.
  2. More flexibility. You have a wider range of prices and the ability to run more than one type of scan (DAST/SAST), all in the same place.
  3. Constant updates. You don’t have to worry about updating to the latest version; you are always up to date with the latest security policies.

So why are people still using on-premises security tools? It depends; the cloud is not a good solution for everyone. Some companies prefer to manage their own security. They have strict regulations and don’t want their data exposed in the cloud. They might have legacy tools and data that they still need to support, and there might be missing capabilities that only the on-premises tools can offer.

Whatever the reason, what we are seeing more and more is a demand for a hybrid solution of cloud and on-premises security. Companies want to be able to continue working with their on-premises security tools in order to meet their own regulations and support their internal environments but, at the same time, get all the benefits of cloud security solutions.

As we developed our own cloud offering, we wanted a well-orchestrated solution. We wanted to be able to run scans both on-premises and in the cloud. We wanted to be able to push the results from each environment but control where the data goes. We wanted to be able to integrate to other systems like our build and IDE and also to have everything centralized in a single risk management dashboard. We wanted a good hybrid cloud/on-premises solution.

To conclude, as we move more and more toward hybrid solutions in general, a hybrid security testing environment looks like a natural development and something many companies will be focusing on in the coming year.

Learn How to Effectively Manage Application Security Risk in the Cloud

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today