In the 2000 movie “What Women Want,” fictional Chicago advertising executive Nick Marshall (played by Mel Gibson) slips and falls into the bathtub while holding a blow-dryer, nearly electrocuting himself. After the experience, he magically realizes that he can read the minds of the ladies in his life.

My recent experience at the Black Hat conference in Las Vegas made me think, “If we could read the minds of security professionals, what capabilities would they incorporate into the optimal application security testing solution?” Fortunately, I didn’t need to pull out a hair dryer and hop into the bathtub to conduct my analysis. Rather, I collected detailed customer feedback at IBM’s booth, which I’m pleased to share with you below. For additional validation, I consulted with my colleague Alexei Pivkine, IBM’s Global Team Lead for Application Security Technical Sales.

Four Core Application Security Testing Requirements

Although the technology behind application security testing can be quite complex, customers’ requirements are actually pretty straightforward. They want:

  • Comprehensive audit functionality and the generation of accurate testing results;
  • Convenient scanning capabilities with immediate insight into the areas of highest application risk;
  • Consistent innovation by the application security provider, with the ability to support multiple testing options;
  • Positive customer references.

Additional details on each of these requirements appear below.

1. “I need plenty of audit features and accurate testing results.”

Although application security marketing activities frequently focus on fast-evolving mobile- and cloud-based technologies, customers’ core requirements are actually much more basic. They include the availability of comprehensive audit features and the need for high testing accuracy.

Specifically, organizations are looking for application security testing solutions that help them:

  • Address the largest number of attack vectors;
  • Incorporate comprehensive audit features;
  • Conduct tests that result in low false-positive and false-negative rates.

How can you find solutions that meet these stringent requirements? The best place to start is by consulting a third-party blog such as Security Tools Benchmarking, which recaps the number of audit features and provides accuracy metrics for major commercial and open-source testing technology providers.

2. “Scanning needs to be convenient for my team, and they need immediate access to results.”

With the current proliferation of application security testing technologies, testing has become more specialized. As a result, customers are looking for solutions that are easy to use and don’t require significant advance training. For example, a cloud-based application security testing platform facilitates convenient testing without requiring specialized user training.

3. “Our application security testing provider needs to innovate and support multiple testing options.”

Based on customer feedback, the following technical requirements are of most significant interest to application security professionals:

  • The ability to analyze currently deployed technologies such as JavaScript, Flash and REST APIs;
  • The ability to properly log into the testing site and stay in-session in order to identify issues that matter most;
  • The capability to perform more than just dynamic application security testing (DAST). For example, the solution could support Interactive Application Security Testing (Glassbox IAST technology), Static Application Security Testing (SAST) and hybrid analysis for client-side JavaScript.
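As an added example (not from the original post or from IBM’s tooling), here is what “staying in-session” means in practice for an authenticated scan: a constructed target app expires its session cookie after three requests, and the scanner watches every response for the app’s login form, re-authenticates when it appears and retries the page, so no page is silently tested as an anonymous user. The `/login` endpoint, the `sid` cookie and the `<form id="login">` marker are assumptions made for this demo.

```python
import threading, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the target renders its login form whenever the session is gone.
LOGOUT_MARKER = b'<form id="login">'

class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: GET /login issues a cookie honoured for 3 more requests."""
    sessions, issued = {}, 0        # token -> requests left; tokens issued so far
    log_message = lambda self, *args: None   # keep the demo quiet
    def reply(self, body, cookie=None):
        self.send_response(200)
        if cookie: self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        token = self.headers.get("Cookie", "").replace("sid=", "").strip()
        if self.path == "/login":                   # issue a fresh session
            DemoApp.issued += 1
            token = f"s{DemoApp.issued}"
            DemoApp.sessions[token] = 3
            return self.reply(b"ok", f"sid={token}")
        if DemoApp.sessions.get(token, 0) > 0:      # session still valid
            DemoApp.sessions[token] -= 1
            return self.reply(b"<h1>private page</h1>")
        self.reply(LOGOUT_MARKER)                   # expired: bounced to login

def scan(base, paths):
    """Crawl with a cookie jar; on any sign of being logged out, re-login and retry."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    def login():
        opener.open(base + "/login").read()
    login()
    relogins, authenticated = 0, {}
    for path in paths:
        body = opener.open(base + path).read()
        if LOGOUT_MARKER in body:                   # session dropped mid-scan
            login(); relogins += 1
            body = opener.open(base + path).read()  # retry with the new session
        authenticated[path] = LOGOUT_MARKER not in body
    return {"pages": len(paths), "relogins": relogins, "all_authenticated": all(authenticated.values())}

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return scan(f"http://127.0.0.1:{srv.server_port}", [f"/page{i}" for i in range(7)])
    finally:
        srv.shutdown()
```

Running `run_demo()` scans seven pages, re-authenticates twice (after pages 3 and 6 come back as the login form) and reports that every page was covered while logged in.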

4. “I need access to positive customer references.”

Although they’re hard to come by in the security market because of confidentiality requirements, potential clients are looking for positive customer references from other organizations within their industry. Some of our key client testimonials appear below:

Turkish Retail Giant
In this video, you’ll learn how a large Turkish retailer leverages IBM’s application security testing and security information and event management (SIEM) solutions to support its rapid growth, and to protect its business and customer base from evolving security threats.

Travel and Expense Software Provider
In this short video, you’ll find out how the company utilizes IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. At the end, you’ll learn why the company’s contact wanted to give his IBM service contact “a big bear hug.”

Major Insurance Provider
This video explains how a high-profile North American insurance provider leverages IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and to enforce its security policies in real time.

To learn more, register for Black Hat USA 2017 and visit IBM Security at Booth #616 to see a demo of AppSec on Cloud.
