Application security has become a critical issue for large and midsize organizations. From high-profile data theft associated with Web applications to compliance requirements that impact applications of all shapes and sizes, securing your applications demands constant vigilance. Not only are the costs of security failures high, but so are the costs related to identifying defects and fixing vulnerabilities.

As the risks and consequences of security breaches continue to rise, comprehensive security protection can no longer be considered an afterthought, it must be built into every phase of your development life cycle. With so many security solutions available, enterprises like yours need to identify solutions that offer the most effective blend of capabilities and functionality to help reduce risks and overall costs. When evaluating application security and risk management solutions, however, you might find yourself confronted with vague product benefit statements and seemingly favorable pricing offers driven by vendors who want to steer purchasing decisions to their specific solutions.

How can you increase your organization’s leverage and make an educated decision? By carefully evaluating vendors against the key capabilities listed below, which typically characterize best-in-class security and risk management solutions. Decision makers in your organization will be able to select solutions that reduce security risk while simultaneously lowering the cost of addressing vulnerabilities. Your ultimate goal should be an integrated, end-to-end life cycle approach to security and risk management.

Your Vendor Selection Checklist

Does the vendor your organization is considering provide:

  • Comprehensive, advanced security testing and risk management technologies that permit you to identify areas of highest potential risk so that you can target those risks for future remediation?
  • Broad coverage of current Web-based and mobile application security technologies?
  • Comprehensive security program management capabilities, which can be applied to your entire application development life cycle?
  • Testing support for the large and diverse volume of applications that are currently deployed by your organization or are slated for future deployment?
  • Policies, reporting and work flow tools for security governance and risk management?
  • A broad and diverse portfolio of security solutions that can be deployed in conjunction with security testing technology to improve your overall security protection and reduce overall risk?

Once a set of solutions is evaluated against these criteria, you are bound to find a wide disparity between limited, one-size-fits-all security offerings and superior solutions that offer integrated, end-to-end life cycle approaches to application security and risk management.

Benefits of Early Application Security Testing

In our “IBM X-Force Threat Intelligence Quarterly – Q1 2014” report, we documented 8,330 security vulnerability disclosures in 2013, an increase of more than 1,000 disclosures since 2011. Of those vulnerabilities, roughly a third of them were targeted at Web applications. In its “2013 Cost of Data Breach Study: United States,” the Ponemon Institute estimated that data breaches cost companies an average of $188 per compromised record in 2012; major data breaches could easily end up costing your organization hundreds of thousands — if not millions — of dollars.

Countless security studies highlight the brutal fact that nearly every Web application contains vulnerabilities. If these vulnerabilities are not addressed proactively and result in a loss of customer data, your organization is likely to face costly lawsuits, damage to your brand image and an erosion of customer trust.

Not only are the costs of responding to such security incidents high, but the costs of identifying and fixing application defects that result in data breaches are also expensive in the first place. To maintain software release schedules, many organizations conduct security testing after their software exits the system testing/quality assurance (Q/A) phase. In fact, many defects aren’t even identified until applications reach production phase. The cumulative financial impact of such late-stage testing can be enormous. The National Institute of Standards and Technology (NIST) calculates that the cost of correcting a software error in the post-product release phase is approximately 30 times the cost of addressing the same issue during the coding phase of development.

It’s clear that the risks and consequences of security breaches continue to rise and that comprehensive security protection can no longer be considered an afterthought. Rather, security protection must be built into every phase of your development life cycle and also into your Q/A process.

Making Your Case for an Integrated, End-to-End Life Cycle Approach

With a wide range of application security solutions available, organizations need to weigh the relative benefits of each potential solution while also evaluating potential costs. For most organizations, an integrated, end-to-end life cycle approach to securing applications produces the best outcome.

However, many organizations still utilize a variety of point solutions to conduct security analysis, many of which are expensive to purchase and/or maintain and fail to provide comprehensive security testing. Often, point solutions offer primitive security governance processes that are limited in scope or require manual user intervention, limiting your ability to increase organizational efficiency and reduce costs.

But the benefits of comprehensive security and risk management solutions are compelling. Medium- and large-sized organizations that leverage best-in-class application security and risk management tools are able to:

  • Locate more vulnerabilities. By utilizing a comprehensive set of security testing tools that can be deployed at each stage of development, software development teams aren’t left guessing about testing coverage.
  • Accelerate discovery and tracking of security vulnerabilities. The more comprehensive the deployment of security testing procedures, the earlier the procedures can be applied in your software development life cycle. Consequently, vulnerability detection is promoted to an earlier stage of your development life cycle.
  • Reduce the cost of fixing security vulnerabilities. Moving remediation to an earlier point in the software development life cycle will save your organization time and money. As noted earlier, fixing a security issue in the coding stage results in much lower costs than eliminating it during the post-product release phase.
  • Reduce the cost of implementing security governance and risk management best practices. Built-in work flow and tools to support large-scale application security testing, manage security issues that are identified, reduce security risk, track compliance and integrate security intelligence analysis into the development life cycle are all essential components of effective application security management programs. The solution you choose should reduce your expenses while increasing efficiency. Furthermore, when developers see clear links between risks and the code that results from those risks, they can focus on building secure applications rather than spending an inordinate amount of time determining where risks might exist in the code base.

In my conclusion post to this piece, I’ll take a look at key capabilities and functionality of comprehensive testing solutions. My colleague, Katherine Holden, contributed to this blog.

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…