Application security has become a critical issue for large and midsize organizations. From high-profile data theft associated with Web applications to compliance requirements that impact applications of all shapes and sizes, securing your applications demands constant vigilance. Not only are the costs of security failures high, but so are the costs related to identifying defects and fixing vulnerabilities.

As the risks and consequences of security breaches continue to rise, comprehensive security protection can no longer be considered an afterthought; it must be built into every phase of your development life cycle. With so many security solutions available, enterprises like yours need to identify solutions that offer the most effective blend of capabilities and functionality to help reduce risks and overall costs. When evaluating application security and risk management solutions, however, you might find yourself confronted with vague product benefit statements and seemingly favorable pricing offers driven by vendors who want to steer purchasing decisions to their specific solutions.

How can you increase your organization’s leverage and make an educated decision? By carefully evaluating vendors against the key capabilities listed below, which typically characterize best-in-class security and risk management solutions. Decision makers in your organization will be able to select solutions that reduce security risk while simultaneously lowering the cost of addressing vulnerabilities. Your ultimate goal should be an integrated, end-to-end life cycle approach to security and risk management.

Your Vendor Selection Checklist

Does the vendor your organization is considering provide:

  • Comprehensive, advanced security testing and risk management technologies that permit you to identify areas of highest potential risk so that you can target those risks for future remediation?
  • Broad coverage of current Web-based and mobile application security technologies?
  • Comprehensive security program management capabilities, which can be applied to your entire application development life cycle?
  • Testing support for the large and diverse volume of applications that are currently deployed by your organization or are slated for future deployment?
  • Policies, reporting and work flow tools for security governance and risk management?
  • A broad and diverse portfolio of security solutions that can be deployed in conjunction with security testing technology to improve your overall security protection and reduce overall risk?

Once a set of solutions is evaluated against these criteria, you are bound to find a wide disparity between limited, one-size-fits-all security offerings and superior solutions that offer integrated, end-to-end life cycle approaches to application security and risk management.

Benefits of Early Application Security Testing

In our “IBM X-Force Threat Intelligence Quarterly – Q1 2014” report, we documented 8,330 security vulnerability disclosures in 2013, an increase of more than 1,000 disclosures since 2011. Of those vulnerabilities, roughly a third of them were targeted at Web applications. In its “2013 Cost of Data Breach Study: United States,” the Ponemon Institute estimated that data breaches cost companies an average of $188 per compromised record in 2012; major data breaches could easily end up costing your organization hundreds of thousands — if not millions — of dollars.

Countless security studies highlight the brutal fact that nearly every Web application contains vulnerabilities. If these vulnerabilities are not addressed proactively and result in a loss of customer data, your organization is likely to face costly lawsuits, damage to your brand image and an erosion of customer trust.

Not only are the costs of responding to such security incidents high, but identifying and fixing the application defects that lead to data breaches is also expensive in the first place. To maintain software release schedules, many organizations conduct security testing only after their software exits the system testing/quality assurance (Q/A) phase. In fact, many defects aren’t even identified until applications reach the production phase. The cumulative financial impact of such late-stage testing can be enormous. The National Institute of Standards and Technology (NIST) calculates that the cost of correcting a software error in the post-product release phase is approximately 30 times the cost of addressing the same issue during the coding phase of development.

It’s clear that the risks and consequences of security breaches continue to rise and that comprehensive security protection can no longer be considered an afterthought. Rather, security protection must be built into every phase of your development life cycle and also into your Q/A process.

Making Your Case for an Integrated, End-to-End Life Cycle Approach

With a wide range of application security solutions available, organizations need to weigh the relative benefits of each potential solution while also evaluating potential costs. For most organizations, an integrated, end-to-end life cycle approach to securing applications produces the best outcome.

However, many organizations still utilize a variety of point solutions to conduct security analysis, many of which are expensive to purchase and/or maintain and fail to provide comprehensive security testing. Often, point solutions offer primitive security governance processes that are limited in scope or require manual user intervention, limiting your ability to increase organizational efficiency and reduce costs.

But the benefits of comprehensive security and risk management solutions are compelling. Medium- and large-sized organizations that leverage best-in-class application security and risk management tools are able to:

  • Locate more vulnerabilities. By utilizing a comprehensive set of security testing tools that can be deployed at each stage of development, software development teams aren’t left guessing about testing coverage.
  • Accelerate discovery and tracking of security vulnerabilities. The more comprehensive the deployment of security testing procedures, the earlier the procedures can be applied in your software development life cycle. Consequently, vulnerability detection is promoted to an earlier stage of your development life cycle.
  • Reduce the cost of fixing security vulnerabilities. Moving remediation to an earlier point in the software development life cycle will save your organization time and money. As noted earlier, fixing a security issue in the coding stage results in much lower costs than eliminating it during the post-product release phase.
  • Reduce the cost of implementing security governance and risk management best practices. Built-in work flow and tools to support large-scale application security testing, manage security issues that are identified, reduce security risk, track compliance and integrate security intelligence analysis into the development life cycle are all essential components of effective application security management programs. The solution you choose should reduce your expenses while increasing efficiency. Furthermore, when developers see clear links between risks and the code that results from those risks, they can focus on building secure applications rather than spending an inordinate amount of time determining where risks might exist in the code base.

In my conclusion post to this piece, I’ll take a look at key capabilities and functionality of comprehensive testing solutions. My colleague, Katherine Holden, contributed to this blog.
