October 31, 2016 By Alexa Bleecker 2 min read

Cyberattacks are becoming increasingly sophisticated and significant. The recent attack against DYN, for example, was the largest distributed denial-of-service (DDoS) attack to date, resulting in a massive disruption of service for numerous enterprises and affecting millions of people in the U.S. and Europe. Now more than ever, organizations need to take serious measures to protect themselves against cyberattacks.

One of the biggest security gaps organizations frequently neglect to address is application security. According to an IBM-sponsored Ponemon Institute study, 50 percent of organizations surveyed confessed that they budgeted zero dollars for application security testing, and one-third admitted they never tested applications for vulnerabilities.

Testing applications for security flaws goes well beyond simply preventing attacks. Application vulnerabilities can lead to lost or stolen data, which could potentially result in even more serious consequences, such as stakeholder lawsuits, extensive remediation costs and damage to your brand reputation.

Seven Ways to Optimize Your Application Security Testing Program

Companies fail to adequately secure applications due to time, budget, expertise and resource constraints. However, many of these perceived obstacles rest on common misconceptions about what currently available application security technologies can do. Here are seven ways to optimize your application security testing program:

1. Don’t Break the Bank

Application security testing solutions can be extremely cost-effective. They can help avoid the costs associated with data breaches and generate a high overall return on investment (ROI). For example, one of our clients achieved 253 percent ROI by implementing IBM Security AppScan Source.

2. Choose the Right Option to Fit Your Business Needs

Service provider capabilities include static application security testing (SAST), dynamic application security testing (DAST), penetration testing and cognitive technology. You can also deploy a hybrid model by simultaneously leveraging on-premises and cloud-based application security testing solutions.

3. Alleviate Concerns About the Rush-to-Release Phenomenon

IBM Application Security on Cloud is quick and easy to implement because it is delivered as a service and permits developers to deploy applications rapidly without compromising security.

4. Use Consulting Services to Bridge the Skills Gap

Even if you don’t have deep application security expertise, consulting services are available to provide the right level of experience required to create and deploy secure applications.

5. Identify and Prioritize Vulnerabilities

Application security testing identifies and prioritizes issues based on their level of importance. It also determines whether the vulnerabilities result from cross-site scripting, SQL injection or other security flaws that are included in the OWASP Top 10 list.


6. Achieve Scalability With Application Security

It’s easy to add new technical capabilities as you grow. One IBM client, Migros, was able to scale its business while minimizing risk with application security solutions.

7. Enhance DevOps Initiatives

By incorporating security throughout the software development life cycle (SDLC), you can confirm that security is an established part of your agile process, rather than a costly afterthought.

Ultimately, you can quickly develop and deploy mobile and web applications while minimizing security risk to help prevent potential data breaches. It’s essential to employ a holistic approach that integrates security into your entire SDLC and to incorporate best practices for managing application security.

Special thanks to Neil Jones for his contributions to this blog.
