As you can imagine, the application security testing industry has changed markedly since 2014. Cloud-based testing has become extremely popular as organizations have become more comfortable testing their applications using cloud-powered technology. Meanwhile, a growing number of businesses now view application security testing as a means to improve their security risk management preparedness and to promote DevOps efficiency, rather than solely focusing their attention on the technical findings of a single scan or two. Below are five critical steps for selecting an application security testing provider:

1. Familiarize Yourself With Application Security Testing Market Leaders

This is a critical first step in the process, and fortunately it’s also an extremely easy step to complete. We offer two complimentary industry analyst reports that you can review: the “2017 Gartner Magic Quadrant Report for Application Security Testing” and “The Forrester Wave™: Application Security, Q4 2014.” That industry research is well-respected by organizations around the world and can provide you with the baseline information that you require.

2. Get Up to Speed on Application Security Risk Management

Application security is no longer about simply scanning applications. Rather, it’s about improving your organization’s risk management profile. We offer two key resources to get you up to speed quickly on this important topic:

3. Test Drive Before Purchasing

There are many factors to consider when making an application security purchasing decision. Your organization may use a variety of testing techniques, such as static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST). You may also need to decide whether an on-premises or cloud-based solution (or a combination of the two) is the best fit for your particular implementation. One of the best ways to evaluate potential vendors is to take part in their free trial offerings where available. Run each trial against the same application, ideally one with known vulnerabilities, so that you can compare coverage and false-positive rates rather than relying on marketing claims.

4. Prepare a Business Case for Your Executive Team

In a recent Ponemon Institute report, 60 percent of respondents said that their management teams underestimated application security risk, which undermined the respondents' ability to combat it effectively. The stark reality is that those respondents, like you, depend on executive management for budget and project prioritization. As a security professional, you know the business value of testing applications for vulnerabilities before they are released. Expressing that value in financial terms, however, is much harder.

Measuring Financial Benefits

With that in mind, IBM recently released a new study conducted by Forrester Consulting titled “The Total Economic Impact™ (TEI) of IBM Security AppScan Source.” The goal of Forrester’s independent TEI study was to assess economic and business benefits of an organization’s purchase of IBM’s application security testing solutions. The IBM client participating in the study was a large, global enterprise that currently utilizes IBM Security AppScan Source. AppScan Source permits the client to perform SAST in its application development environment. The study revealed significant financial benefits of an AppScan Source deployment:

  • An estimated ROI of 253 percent: Forrester defined ROI as a measure of a project’s expected return in percentage terms.
  • A payback period of only six months: Forrester defined the payback period as the breakeven point for an investment in AppScan Source. Payback is reached when the cumulative net benefit of the project (its benefits minus its costs) equals the organization’s initial investment.
  • AppScan Source permitted IBM’s client to conduct code review and vulnerability remediation at a much earlier stage in the development process, resulting in a 90 percent cost savings compared to remediating findings at later stages in the development life cycle.

We encourage you to utilize this resource to help quantify benefits of a potential investment in application security testing for your executive team.
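The two definitions above are easy to turn into a small calculator for your own business case. The following is an added example, not code from the article or the Forrester TEI study: it computes ROI as a percentage of total cost and the payback month as the first month in which cumulative net benefit reaches the initial investment, and it models the benefit stream as remediation cost avoided by fixing findings during development instead of after release (the 90 percent saving cited above). Every monetary figure in it is a constructed placeholder, not a number from the study.

```python
"""Business-case arithmetic for an application security testing investment.

Added example, not from the article or the Forrester TEI study. It implements
the two definitions the study uses (ROI as a percentage of total cost, payback
as the month in which cumulative net benefit reaches the initial investment)
and models the benefit as remediation cost avoided by fixing findings during
development rather than after release. All monetary figures are constructed
placeholders, not numbers from the study.
"""
from typing import List, Optional, Sequence, Tuple

# One entry per month as (benefit, cost). Index 0 is the deployment month:
# its cost is the initial investment (licences, integration, training) and
# its benefit is zero.
CashFlows = Sequence[Tuple[float, float]]


def build_cash_flows(
    initial_investment: float,
    monthly_run_cost: float,
    findings_per_month: int,
    late_fix_cost: float,
    early_fix_cost: float,
    horizon_months: int,
) -> List[Tuple[float, float]]:
    """Model the benefit as avoided remediation cost: each finding fixed during
    development instead of after release saves (late_fix_cost - early_fix_cost)."""
    if early_fix_cost > late_fix_cost:
        raise ValueError("early fixes are assumed to be cheaper than late fixes")
    monthly_saving = findings_per_month * (late_fix_cost - early_fix_cost)
    flows = [(0.0, float(initial_investment))]
    flows.extend((monthly_saving, float(monthly_run_cost)) for _ in range(horizon_months))
    return flows


def roi_percent(flows: CashFlows) -> float:
    """ROI in percentage terms: (total benefit - total cost) / total cost * 100."""
    benefits = sum(b for b, _ in flows)
    costs = sum(c for _, c in flows)
    if costs <= 0:
        raise ValueError("total cost must be positive")
    return (benefits - costs) / costs * 100.0


def payback_month(flows: CashFlows) -> Optional[int]:
    """First month in which cumulative net benefit (benefit minus recurring cost
    over months 1..n) equals or exceeds the month-0 initial investment.
    Returns None if breakeven is not reached within the modelled horizon."""
    initial_investment = flows[0][1] - flows[0][0]
    cumulative = 0.0
    for month, (benefit, cost) in enumerate(flows[1:], start=1):
        cumulative += benefit - cost
        if cumulative >= initial_investment:
            return month
    return None


def example_business_case() -> dict:
    """Constructed scenario (assumption, not study data): 40 findings a month,
    a late fix costing 1,250 and an early fix 125 (a 90 percent saving),
    240,000 up front, 5,000 a month to run, evaluated over three years."""
    flows = build_cash_flows(
        initial_investment=240_000,
        monthly_run_cost=5_000,
        findings_per_month=40,
        late_fix_cost=1_250,
        early_fix_cost=125,
        horizon_months=36,
    )
    return {
        "roi_percent": round(roi_percent(flows), 1),
        "payback_month": payback_month(flows),
    }


if __name__ == "__main__":
    print(example_business_case())
```

The scenario's inputs are the ones an executive will challenge, so vary `findings_per_month` and the two fix costs (measured from your own ticket data where possible) before presenting the result; a `payback_month` of `None` tells you the investment does not break even within the horizon you modelled.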

5. Review Customer Testimonials and Case Study Content

It can be extremely challenging for security providers to convince organizations to participate in customer testimonials or case studies because of the confidential nature of their security deployments. However, nothing is more valuable than a firsthand perspective from an application security testing provider’s client. For this reason, you should confirm that your provider has current case study information available for you to peruse. Here are recent examples from our application security testing client base:

Turkish Retail Giant

In this video, you’ll learn how a large retailer in Turkey utilizes application security testing and security information and event management (SIEM) solutions to support rapid business growth, and protect its business and clientele from evolving security threats.

Travel and Expense Software Provider

In this short video, you’ll find out how the organization leverages IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. You’ll also find out why the company’s contact wanted to give his IBM service contact “a big bear hug.”

Major Insurance Provider

This video explains how a major insurance provider utilizes IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and enforce its security policies in real time.

Large Global Automaker

This online case study describes how a leading automaker selected IBM and IBM partner Arxan to help secure its connected car ecosystem by protecting its apps and dealer tools from potential hacking threats.
