In the 2000 movie “What Women Want,” fictional Chicago advertising executive Nick Marshall (played by Mel Gibson) slips and falls into the bathtub while holding a blow-dryer, nearly electrocuting himself. After the experience, he magically realizes that he can read the minds of the ladies in his life.

My recent experience at the Black Hat conference in Las Vegas made me think, “If we could read the minds of security professionals, what capabilities would they incorporate into the optimal application security testing solution?” Fortunately, I didn’t need to pull out a hair dryer and hop into the bathtub to conduct my analysis. Rather, I collected detailed customer feedback at IBM’s booth, which I’m pleased to share with you below. For additional validation, I consulted with my colleague Alexei Pivkine, IBM’s Global Team Lead for Application Security Technical Sales.

Four Core Application Security Testing Requirements

Although the technology behind application security testing can be quite complex, customers’ requirements are actually pretty straightforward. They want:

  • Comprehensive audit functionality and the generation of accurate testing results;
  • Convenient scanning capabilities with immediate insight into the areas of highest application risk;
  • Consistent innovation by the application security provider, with the ability to support multiple testing options;
  • Positive customer references.

You’ll find additional details on each of these requirements below.

1. “I need plenty of audit features and accurate testing results.”

Although application security marketing activities frequently focus on fast-evolving mobile- and cloud-based technologies, customers’ core requirements are actually much more basic. They include the availability of comprehensive audit features and the need for high testing accuracy.

Specifically, organizations are looking for application security testing solutions that help them:

  • Address the largest number of attack vectors;
  • Incorporate comprehensive audit features;
  • Conduct tests that result in low false-positive and false-negative rates.

How can you find solutions that meet these stringent requirements? The best place to start is by consulting a third-party blog such as Security Tools Benchmarking, which recaps the number of audit features and provides accuracy metrics for major commercial and open-source testing technology providers.

2. “Scanning needs to be convenient for my team, and they need immediate access to results.”

With the current proliferation of application security testing technologies, testing has become more specialized. As a result, customers are looking for solutions that are easy to use and don’t require significant advance training. For example, an Application Security on Cloud platform facilitates convenient application security testing without requiring specialized user training.

3. “Our application security testing provider needs to innovate and support multiple testing options.”

Based on customer feedback, the following technical requirements are of most significant interest to application security professionals:

  • The ability to analyze currently deployed technologies such as JavaScript, Flash and REST APIs;
  • The ability to properly log into the testing site and stay in-session in order to identify issues that matter most;
  • The capability to perform more than just dynamic application security testing (DAST). For example, the solution could support Interactive Application Security Testing (Glassbox IAST technology), Static Application Security Testing (SAST) and hybrid analysis for client-side JavaScript.

4. “I need access to positive customer references.”

Although they’re hard to come by in the security market because of confidentiality requirements, potential clients are looking for positive customer references from other organizations within their industry. Some of our key client testimonials appear below:

Turkish Retail Giant
In this video, you’ll learn how a large Turkish retailer leverages IBM’s application security testing and security information and event management (SIEM) solutions to support its rapid growth, and to protect its business and customer base from evolving security threats.

Travel and Expense Software Provider
In this short video, you’ll find out how the company utilizes IBM Security AppScan to conduct application security testing for source code and production code to protect clients’ privileged travel and expense reporting information from potential attackers. At the end, you’ll learn why the company’s contact wanted to give his IBM service contact “a big bear hug.”

Major Insurance Provider
This video explains how a high-profile North American insurance provider leverages IBM’s data security and application security testing solutions to continuously monitor and audit access across databases, warehouses and big data environments, and to enforce its security policies in real time.

To learn more, register for Black Hat USA 2017 and visit IBM Security at Booth #616 to see a demo of AppSec on Cloud.

Download the E-Guide: Five Steps to Achieve Risk-based Application Security Management
