As you can imagine, the application security testing industry has changed markedly since 2014. Cloud-based testing has become extremely popular as organizations have become more comfortable testing their applications using cloud-powered technology. Meanwhile, a growing number of businesses now view application security testing as a means to improve their security risk management preparedness and to promote DevOps efficiency, rather than solely focusing their attention on the technical findings of a single scan or two. Below are five critical steps for selecting an application security testing provider:
1. Familiarize Yourself With Application Security Testing Market Leaders
This is a critical first step in the process, and fortunately it’s also an extremely easy step to complete. We offer two complimentary industry analyst reports that you can review: the “2017 Gartner Magic Quadrant Report for Application Security Testing” and “The Forrester Wave™: Application Security, Q4 2014.” That industry research is well-respected by organizations around the world and can provide you with the baseline information that you require.
2. Get Up to Speed on Application Security Risk Management
Application security is no longer about simply scanning applications. Rather, it’s about improving your organization’s risk management profile. We offer two key resources to get you up to speed quickly on this important topic:
- Risk Management E-Guide: This comprehensive e-guide provides five convenient steps to create an application security discipline within your organization.
- Ponemon Institute’s State of Application Security Risk Management report: This detailed report distinguishes organizations’ actual risk management practices from urban legends frequently associated with the topic.
3. Test Drive Before Purchasing
There are many factors to consider when making an application security purchasing decision. Your organization may use a variety of testing techniques, such as static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST). You may also need to decide whether an on-premises or cloud-based solution (or a combination thereof) constitutes the optimal fit for your particular implementation. One of the best ways to evaluate potential vendors is to participate in their free trial offerings when available.
4. Prepare a Business Case for Your Executive Team
In a recent Ponemon Institute report, 60 percent of survey respondents confessed that their management teams underestimated potential application security risk, which jeopardized their ability to be fully effective at combating it. But the stark reality is that they, like you, rely on executive management for budgetary support and project prioritization. As a security professional, you know the business value of testing applications for potential vulnerabilities prior to releasing them. However, solid financial benefits are much more challenging to come by.
Measuring Financial Benefits
With that in mind, IBM recently released a new study conducted by Forrester Consulting titled “The Total Economic Impact™ (TEI) of IBM Security AppScan Source.” The goal of Forrester’s independent TEI study was to assess economic and business benefits of an organization’s purchase of IBM’s application security testing solutions. The IBM client participating in the study was a large, global enterprise that currently utilizes IBM Security AppScan Source. AppScan Source permits the client to perform SAST in its application development environment. The study revealed significant financial benefits of an AppScan Source deployment:
- An estimated ROI of 253 percent: Forrester defined ROI as a measure of a project’s expected return in percentage terms.
- A payback period of only six months: Forrester defined payback period as the breakeven point for an investment in AppScan Source. The payback period is achieved when the net benefits of a project (its benefits minus its costs) are equal to the organization’s initial investment.
- AppScan Source permitted IBM’s client to conduct code review and vulnerability remediation at a much earlier stage in the development process, resulting in a 90 percent cost savings compared to remediating findings at later stages in the development life cycle.
We encourage you to utilize this resource to help quantify benefits of a potential investment in application security testing for your executive team.
5. Review Customer Testimonials and Case Study Content
It can be extremely challenging for security providers to convince organizations to participate in customer testimonials or case studies because of the confidential nature of their security deployments. However, nothing is more valuable than a firsthand perspective from an application security testing provider’s client. For this reason, you should confirm that your provider has current case study information available for you to peruse. Here are recent examples from our application security testing client base:
Turkish Retail Giant
In this video, you’ll learn how a large retailer in Turkey utilizes application security testing and security information and event management (SIEM) solutions to support rapid business growth, and protect its business and clientele from evolving security threats.
Travel and Expense Software Provider
In this short video, you’ll find out how the organization leverages IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. You’ll also find out why the company’s contact wanted to give his IBM service contact “a big bear hug.”
Major Insurance Provider
This video explains how a major insurance provider utilizes IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and enforce its security policies in real time.
Large Global Automaker
This online case study describes how a leading automaker selected IBM and IBM partner Arxan to help secure its connected car ecosystem by protecting its apps and dealer tools from potential hacking threats.