In the 2000 movie “What Women Want,” fictional Chicago advertising executive Nick Marshall (played by Mel Gibson) slips and falls into the bathtub while holding a blow-dryer, nearly electrocuting himself. After the experience, he magically realizes that he can read the minds of the ladies in his life.
My recent experience at the Black Hat conference in Las Vegas made me think, “If we could read the minds of security professionals, what capabilities would they incorporate into the optimal application security testing solution?” Fortunately, I didn’t need to pull out a hair dryer and hop into the bathtub to conduct my analysis. Rather, I collected detailed customer feedback at IBM’s booth, which I’m pleased to share with you below. For additional validation, I consulted with my colleague Alexei Pivkine, IBM’s Global Team Lead for Application Security Technical Sales.
Four Core Application Security Testing Requirements
Although the technology behind application security testing can be quite complex, customers’ requirements are actually pretty straightforward. They want:
- Comprehensive audit functionality and the generation of accurate testing results;
- Convenient scanning capabilities with immediate insight into the areas of highest application risk;
- Consistent innovation by the application security provider, with the ability to support multiple testing options;
- Positive customer references.
Additional details on each of these requirements appear below.
1. “I need plenty of audit features and accurate testing results.”
Although application security marketing activities frequently focus on fast-evolving mobile- and cloud-based technologies, customers’ core requirements are actually much more basic. They include the availability of comprehensive audit features and the need for high testing accuracy.
Specifically, organizations are looking for application security testing solutions that help them:
- Address the largest number of attack vectors;
- Incorporate comprehensive audit features;
- Conduct tests that result in low false-positive and false-negative rates.
How can you find solutions that meet these stringent requirements? The best place to start is by consulting a third-party blog such as Security Tools Benchmarking, which recaps the number of audit features and provides accuracy metrics for major commercial and open-source testing technology providers.
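The accuracy metrics such benchmarks report are derived from a labelled test suite: every test case is known to be vulnerable or clean, and the scanner's findings are compared against that ground truth. The following is an added example, not code from the original post or from any IBM product, using a constructed benchmark and constructed scanner output to show how false-positive and false-negative rates (and precision and recall) fall out of that comparison. The test case ids and results are made up for illustration.

```python
"""Score a scanner's findings against a labelled benchmark (added example)."""
from dataclasses import dataclass

# Constructed ground truth: test case id -> True if the case really contains the flaw.
BENCHMARK_TRUTH = {
    "sqli-001": True, "sqli-002": True, "sqli-003": False,
    "xss-001": True, "xss-002": False, "xss-003": False,
    "path-001": True, "path-002": False,
}

# Constructed scanner output: the test case ids the scanner reported as vulnerable.
SCANNER_FINDINGS = {"sqli-001", "sqli-002", "sqli-003", "xss-001", "path-002"}


@dataclass(frozen=True)
class AccuracyReport:
    true_positives: int
    false_positives: int
    false_negatives: int
    true_negatives: int

    @property
    def false_positive_rate(self) -> float:
        # Share of genuinely clean cases the scanner flagged anyway.
        negatives = self.false_positives + self.true_negatives
        return self.false_positives / negatives if negatives else 0.0

    @property
    def false_negative_rate(self) -> float:
        # Share of genuinely vulnerable cases the scanner missed.
        positives = self.true_positives + self.false_negatives
        return self.false_negatives / positives if positives else 0.0

    @property
    def precision(self) -> float:
        reported = self.true_positives + self.false_positives
        return self.true_positives / reported if reported else 0.0

    @property
    def recall(self) -> float:
        return 1.0 - self.false_negative_rate


def score_scanner(truth: dict[str, bool], findings: set[str]) -> AccuracyReport:
    """Compare reported findings with the labelled benchmark."""
    unknown = findings - truth.keys()
    if unknown:
        # A finding outside the benchmark cannot be scored; surface it rather than guess.
        raise ValueError(f"findings reference unknown test cases: {sorted(unknown)}")
    tp = sum(1 for cid in findings if truth[cid])
    fp = len(findings) - tp
    fn = sum(1 for cid, vulnerable in truth.items() if vulnerable and cid not in findings)
    tn = len(truth) - tp - fp - fn
    return AccuracyReport(tp, fp, fn, tn)


if __name__ == "__main__":
    report = score_scanner(BENCHMARK_TRUTH, SCANNER_FINDINGS)
    print(f"TP={report.true_positives} FP={report.false_positives} "
          f"FN={report.false_negatives} TN={report.true_negatives}")
    print(f"false-positive rate={report.false_positive_rate:.2f} "
          f"false-negative rate={report.false_negative_rate:.2f} "
          f"precision={report.precision:.2f} recall={report.recall:.2f}")
```

Run the same scoring over several scanners' output on the same benchmark and the two rates become directly comparable; note that a low false-positive rate alone says nothing about coverage, which is why the false-negative rate (or recall) has to be read alongside it.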
2. “Scanning needs to be convenient for my team, and they need immediate access to results.”
With the current proliferation of application security testing technologies, testing has become more specialized. Customers, however, are looking for solutions that are easy to use and don’t require significant advance training. For example, an application security on cloud platform facilitates convenient application security testing without requiring specialized user training.
3. “Our application security testing provider needs to innovate and support multiple testing options.”
Based on customer feedback, the following technical requirements are of most significant interest to application security professionals:
- The ability to analyze currently deployed technologies such as JavaScript, Flash and REST APIs;
- The ability to properly log into the testing site and stay in-session in order to identify issues that matter most;
- The capability to perform more than just dynamic application security testing (DAST). For example, the solution could support Interactive Application Security Testing (Glassbox IAST technology), Static Application Security Testing (SAST) and hybrid analysis for client-side JavaScript.
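Staying in-session is what lets a dynamic scanner reach the authenticated parts of an application; if the session silently expires mid-crawl, every later page is really the login screen and the findings for that part of the site are worthless. The block below is an added example, not code from the original post or from IBM Security AppScan, of the common generic approach: the scanner checks each response for an in-session indicator (here an assumed logout link) and a logged-out indicator (a redirect to, or form for, an assumed `/login` page), and re-authenticates before retrying. The target web application is a constructed stand-in whose sessions expire after a fixed number of requests.

```python
"""Session-aware fetching for an authenticated DAST crawl (added example)."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Assumed markers: a logout link appears only on authenticated pages,
# and the application's login form posts to /login.
IN_SESSION_PATTERN = re.compile(r'href="/logout"')
LOGIN_PAGE_PATTERN = re.compile(r'<form[^>]*action="/login"')


def is_in_session(resp: Response) -> bool:
    """Decide whether a response was served to an authenticated session."""
    location = resp.headers.get("Location", "")
    if resp.status in (301, 302, 303, 307) and location.endswith("/login"):
        return False  # bounced to the login page
    if LOGIN_PAGE_PATTERN.search(resp.body):
        return False  # served the login form instead of the requested page
    return IN_SESSION_PATTERN.search(resp.body) is not None


@dataclass
class SessionAwareScanner:
    fetch: Callable[[str, str], Response]  # (url, session token) -> Response
    login: Callable[[], str]               # performs the login, returns a fresh token
    max_relogins: int = 3
    relogins: int = 0
    token: str = ""

    def get(self, url: str) -> Response:
        """Fetch a page, re-authenticating when the session has been lost."""
        if not self.token:
            self.token = self.login()
        for attempt in range(self.max_relogins + 1):
            resp = self.fetch(url, self.token)
            if is_in_session(resp):
                return resp
            if attempt == self.max_relogins:
                break
            self.relogins += 1
            self.token = self.login()
        raise RuntimeError(f"could not stay in session while fetching {url}")

    def crawl(self, urls: list[str]) -> dict[str, Response]:
        return {url: self.get(url) for url in urls}


def make_fake_target(session_ttl: int):
    """Constructed stand-in for a web app whose sessions expire after session_ttl requests."""
    state = {"counter": 0, "valid": {}}  # token -> remaining requests before expiry

    def login() -> str:
        state["counter"] += 1
        token = f"sess-{state['counter']}"
        state["valid"][token] = session_ttl
        return token

    def fetch(url: str, token: str) -> Response:
        remaining = state["valid"].get(token, 0)
        if remaining <= 0:
            state["valid"].pop(token, None)
            return Response(302, {"Location": "/login"}, "")
        state["valid"][token] = remaining - 1
        return Response(200, {}, f'<html><a href="/logout">Sign out</a><p>{url}</p></html>')

    return fetch, login


if __name__ == "__main__":
    fetch, login = make_fake_target(session_ttl=2)
    scanner = SessionAwareScanner(fetch=fetch, login=login)
    pages = scanner.crawl(["/account", "/orders", "/orders/1", "/settings", "/export"])
    print(f"fetched {len(pages)} pages in-session, re-authenticated {scanner.relogins} times")
```

The in-session and logged-out markers are the part a tester has to configure per application; a scanner that only inspects status codes will happily record a 200 login page as an authenticated result, which is exactly the failure this check is meant to catch.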
4. “I need access to positive customer references.”
Although they’re hard to come by in the security market because of confidentiality requirements, potential clients are looking for positive customer references from other organizations within their industry. Some of our key client testimonials appear below:
Turkish Retail Giant
In this video, you’ll learn how a large Turkish retailer leverages IBM’s application security testing and security information and event management (SIEM) solutions to support its rapid growth, and to protect its business and customer base from evolving security threats.
Travel and Expense Software Provider
In this short video, you’ll find out how the company utilizes IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. At the end, you’ll learn why the company’s contact wanted to give his IBM service contact “a big bear hug.”
Major Insurance Provider
This video explains how a high-profile North American insurance provider leverages IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and to enforce its security policies in real time.
To learn more, register for Black Hat USA 2017 and visit IBM Security at Booth #616 to see a demo of AppSec on Cloud.
Download the E-Guide: Five Steps to Achieve Risk-based Application Security Management
Major Events Content Strategist for IBM Security
Worldwide Technical Segment Leader for Application Security, IBM