August 2, 2016 By Neil Jones 4 min read

As you can imagine, the application security testing industry has changed markedly since 2014. Cloud-based testing has become widespread as organizations have grown comfortable testing their applications with cloud-hosted tooling. Meanwhile, a growing number of businesses now view application security testing as a means to improve their security risk management posture and to support DevOps efficiency, rather than focusing solely on the technical findings of a single scan or two. Below are five critical steps for selecting an application security testing provider:

1. Familiarize Yourself With Application Security Testing Market Leaders

This is a critical first step in the process, and fortunately it’s also an extremely easy step to complete. We offer two complimentary industry analyst reports that you can review: the “2017 Gartner Magic Quadrant Report for Application Security Testing” and “The Forrester Wave™: Application Security, Q4 2014.” That industry research is well-respected by organizations around the world and can provide you with the baseline information that you require.

2. Get Up to Speed on Application Security Risk Management

Application security is no longer about simply scanning applications. Rather, it’s about improving your organization’s risk management profile. We offer two key resources to get you up to speed quickly on this important topic:

3. Test Drive Before Purchasing

There are many factors to consider when making an application security purchasing decision. Your organization may conduct a variety of testing techniques, such as static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST). You may also need to decide whether an on-premises or cloud-based solution (or a combination thereof) constitutes the optimal fit for your particular implementation. One of the best ways to evaluate potential vendors is to participate in their free trial offerings when available.

4. Prepare a Business Case for Your Executive Team

In a recent Ponemon Institute report, 60 percent of survey respondents acknowledged that their management teams underestimated application security risk, which undermined their ability to combat it effectively. The stark reality is that those respondents, like you, rely on executive management for budgetary support and project prioritization. As a security professional, you know the business value of testing applications for vulnerabilities before releasing them. Hard numbers on the financial benefit, however, are much more difficult to come by.

Measuring Financial Benefits

With that in mind, IBM recently released a new study conducted by Forrester Consulting titled “The Total Economic Impact™ (TEI) of IBM Security AppScan Source.” The goal of Forrester’s independent TEI study was to assess the economic and business benefits of an organization’s purchase of IBM’s application security testing solutions. The IBM client participating in the study was a large, global enterprise that currently uses IBM Security AppScan Source, which lets the client perform SAST within its application development environment. The study reported significant financial benefits from the AppScan Source deployment:

  • An estimated ROI of 253 percent: Forrester defined ROI as a measure of a project’s expected return in percentage terms.
  • A payback period of only six months: Forrester defined payback period as the breakeven point for an investment in AppScan Source. The payback period is reached when the net benefits of a project (its benefits minus its costs) are equal to the organization’s initial investment.
  • AppScan Source permitted IBM’s client to conduct code review and vulnerability remediation at a much earlier stage in the development process, resulting in a 90 percent cost savings compared to remediating findings at later stages in the development life cycle.

We encourage you to utilize this resource to help quantify benefits of a potential investment in application security testing for your executive team.

5. Review Customer Testimonials and Case Study Content

It can be extremely challenging for security providers to convince organizations to participate in customer testimonials or case studies because of the confidential nature of their security deployments. However, nothing is more valuable than a firsthand perspective from an application security testing provider’s client. For this reason, you should confirm that your provider has current case study information available for you to peruse. Here are recent examples from our application security testing client base:

Turkish Retail Giant

In this video, you’ll learn how a large retailer in Turkey uses application security testing and security information and event management (SIEM) solutions to support rapid business growth and to protect its business and clientele from evolving security threats.

Travel and Expense Software Provider

In this short video, you’ll find out how the organization leverages IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. You’ll also find out why the company’s contact wanted to give his IBM service contact “a big bear hug.”

Major Insurance Provider

This video explains how a major insurance provider utilizes IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and enforce its security policies in real time.

Large Global Automaker

This online case study describes how a leading automaker selected IBM and IBM partner Arxan to help secure its connected car ecosystem by protecting its apps and dealer tools from potential hacking threats.
