As you can imagine, the application security testing industry has changed markedly since 2014. Cloud-based testing has become extremely popular as organizations have become more comfortable testing their applications using cloud-powered technology. Meanwhile, a growing number of businesses now view application security testing as a means to improve their security risk management preparedness and to promote DevOps efficiency, rather than solely focusing their attention on the technical findings of a single scan or two. Below are five critical steps for selecting an application security testing provider:

1. Familiarize Yourself With Application Security Testing Market Leaders

This is a critical first step in the process, and fortunately it’s also an extremely easy step to complete. We offer two complimentary industry analyst reports that you can review: the “2017 Gartner Magic Quadrant Report for Application Security Testing” and “The Forrester Wave™: Application Security, Q4 2014.” That industry research is well-respected by organizations around the world and can provide you with the baseline information that you require.

2. Get Up to Speed on Application Security Risk Management

Application security is no longer about simply scanning applications. Rather, it’s about improving your organization’s risk management profile. We offer two key resources to get you up to speed quickly on this important topic:

3. Test Drive Before Purchasing

There are many factors to consider when making an application security purchasing decision. Your organization may conduct a variety of testing techniques, such as static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST). You may also need to decide whether an on-premises or cloud-based solution (or a combination thereof) constitutes the optimal fit for your particular implementation. One of the best ways to evaluate potential vendors is to participate in their free trial offerings when available.

4. Prepare a Business Case for Your Executive Team

In a recent Ponemon Institute report, 60 percent of survey respondents said their management teams underestimated application security risk, which limited the respondents' ability to combat it effectively. The stark reality is that those respondents, like you, rely on executive management for budgetary support and project prioritization. As a security professional, you know the business value of testing applications for vulnerabilities before releasing them. However, putting a solid dollar figure on that benefit is much more challenging.

Measuring Financial Benefits

With that in mind, IBM recently released a new study conducted by Forrester Consulting titled “The Total Economic Impact™ (TEI) of IBM Security AppScan Source.” The goal of Forrester’s independent TEI study was to assess economic and business benefits of an organization’s purchase of IBM’s application security testing solutions. The IBM client participating in the study was a large, global enterprise that currently utilizes IBM Security AppScan Source. AppScan Source permits the client to perform SAST in its application development environment. The study revealed significant financial benefits of an AppScan Source deployment:

  • An estimated ROI of 253 percent: Forrester defined ROI as a measure of a project’s expected return in percentage terms.
  • A payback period of only six months: Forrester defined payback period as the breakeven point for an investment in AppScan Source. The payback period is reached when the net benefits of a project (its benefits minus its costs) equal the organization's initial investment.
  • AppScan Source permitted IBM’s client to conduct code review and vulnerability remediation at a much earlier stage in the development process, resulting in a 90 percent cost savings compared to remediating findings at later stages in the development life cycle.

We encourage you to utilize this resource to help quantify benefits of a potential investment in application security testing for your executive team.

5. Review Customer Testimonials and Case Study Content

It can be extremely challenging for security providers to convince organizations to participate in customer testimonials or case studies because of the confidential nature of their security deployments. However, nothing is more valuable than a firsthand perspective from an application security testing provider’s client. For this reason, you should confirm that your provider has current case study information available for you to peruse. Here are recent examples from our application security testing client base:

Turkish Retail Giant

In this video, you’ll learn how a large retailer in Turkey utilizes application security testing and security information and event management (SIEM) solutions to support rapid business growth, and protect its business and clientele from evolving security threats.

Travel and Expense Software Provider

In this short video, you’ll find out how the organization leverages IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. You’ll also find out why the company’s contact wanted to give his IBM service contact “a big bear hug.”

Major Insurance Provider

This video explains how a major insurance provider utilizes IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and enforce its security policies in real time.

Large Global Automaker

This online case study describes how a leading automaker selected IBM and IBM partner Arxan to help secure its connected car ecosystem by protecting its apps and dealer tools from potential hacking threats.

