We all know how important it is to secure your organization’s Web, mobile and desktop applications, but how do you maintain critical application security during the software development life cycle (SDLC)?

Evolving State of Application Security

During the development process, a large amount of new code is added to applications being developed. Of course, all of us want to write the code as securely as we can. However, the problem is that most of us don’t have the skills and/or knowledge to really know what we are defending the applications from.

In addition, attackers’ techniques are constantly evolving, and there are many attack vectors that don’t directly target your code. Many attacks leverage weaknesses in your IT infrastructure or third-party components to reach your applications, databases or other valuable resources.

In cases like those, solely scanning your own code won’t provide you with the security coverage you need.

Making the Case for Application Security Testing on Cloud

There are many on-premise application security testing solutions on the market, and generally they do a great job. But for smaller organizations or special application security projects at larger organizations, on-premise solutions can be prohibitively expensive. Integrating an on-premise solution into your SDLC can also be complex and frequently requires specialized skills to configure properly.

In those specialized use cases, cloud solutions are the way to go since:

  • No specialized security expertise is required.
  • Configuration is usually straightforward.
  • Certain solutions provide an API that can be integrated into your build and deployment systems.
  • Cloud solutions can be less expensive than an on-premise licensing model.

Taking Your Application Security to Cloud Nine

Take, for example, IBM Application Security on Cloud. The configuration is very basic; you require no more than the website’s URL and access credentials if applicable. It provides an API that can be easily integrated into your deployment system. In addition to performing application security testing on your Web applications, you can conveniently scan mobile and desktop apps. It generates a detailed report that your development team can use to remediate vulnerabilities and report progress to key stakeholders.

By utilizing the API, you can trigger security scans in just a few lines of code. Additionally, by incorporating cloud technology, you can save lots of time and money while still maintaining application security during the SDLC. This is critical because the earlier you detect security vulnerabilities in the development process, the easier and less expensive it is to remediate them.

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…