Cyberattacks are becoming increasingly sophisticated and significant. The recent attack against DYN, for example, was the largest distributed denial-of-service (DDoS) attack to date, resulting in a massive disruption of service for numerous enterprises and affecting millions of people in the U.S. and Europe. Now more than ever, organizations need to take serious measures to protect themselves against cyberattacks.

One of the biggest security gaps organizations frequently neglect to address is application security. According to an IBM-sponsored Ponemon Institute study, 50 percent of organizations surveyed confessed that they budgeted zero dollars for application security testing, and one-third admitted they never tested applications for vulnerabilities.

Testing applications for security flaws goes well beyond simply preventing attacks. Application vulnerabilities can lead to lost or stolen data, which could potentially result in even more serious consequences, such as stakeholder lawsuits, extensive remediation costs and damage to your brand reputation.

Seven Ways to Optimize Your Application Security Testing Program

Companies fail to adequately secure applications due to time, budget, expertise and resource constraints. However, there are many common misconceptions about securing applications with technologies that are currently available. Here are seven ways to optimize your application security testing program:

1. Don’t Break the Bank

Application security testing solutions can be extremely cost effective. They can help you avoid the potential costs associated with data breaches and generate a high overall return on investment (ROI). For example, one of our clients achieved 253 percent ROI by implementing IBM Security AppScan Source.

2. Choose the Right Option to Fit Your Business Needs

Service provider capabilities include static application security testing (SAST), dynamic application security testing (DAST), penetration testing and cognitive technology. You can also deploy a hybrid model by simultaneously leveraging on-premises and cloud-based application security testing solutions.

3. Alleviate Concerns About the Rush-to-Release Phenomenon

IBM Application Security on Cloud is quick and easy to implement because it is delivered as a service and permits developers to deploy applications rapidly without compromising security.

4. Use Consulting Services to Bridge the Skills Gap

Even if you don’t have deep application security expertise, consulting services are available to provide the right level of experience required to create and deploy secure applications.

5. Identify and Prioritize Vulnerabilities

Application security testing identifies and prioritizes issues based on their level of importance. It also determines whether the vulnerabilities result from cross-site scripting, SQL injection or other security flaws that are included in the OWASP Top 10 list.

6. Achieve Scalability With Application Security

It’s easy to add new technical capabilities as you grow. One IBM client, Migros, was able to scale its business while minimizing risk with application security solutions.

7. Enhance DevOps Initiatives

By incorporating security throughout the software development life cycle (SDLC), you can confirm that security is an established part of your agile process, rather than a costly afterthought.

Ultimately, you can quickly develop and deploy mobile and web applications while minimizing security risk to help prevent potential data breaches. It’s essential to employ a holistic approach that integrates security into your entire SDLC and to incorporate best practices for managing application security.

Special thanks to Neil Jones for his contributions to this blog.
