Are you integrating application security testing into development? Analysts say you should

Web application vulnerabilities are now the most common avenue for external attacks that result in a breach. In its 2021 report on the state of application security, Forrester recommends building security testing into the development process to keep up with the threat environment – but is your organization ready?

Web applications and APIs under attack

The Forrester State of Application Security 2021 report starts with a sobering statistic: according to Forrester’s own security survey, web application vulnerabilities are now the most common path to external cyberattacks that lead to breaches. A full 39% of respondents across IT security and operations roles indicated that a web application exploit was involved when their company was breached. This shows that web applications are high-value targets with a growing attack surface.

Other web security trends identified in the report confirm this. For example, 99% of all web applications now include at least some open-source components, potentially opening them up to any vulnerabilities in these dependencies. Even though open-source code makes up 70% of the average web application, over half of organizations take more than a week to fix known vulnerabilities in this codebase. The proliferation of web APIs also contributes to the growing attack surface, with 73% of organizations exposing at least a quarter of their applications to the Internet or third-party services via APIs.

Organizations shifting left to improve application security

The good news is that security professionals and executives are now aware of the importance of web application security. 28% of Forrester’s respondents listed improving application security capabilities as a top IT security priority for their next 12 months – more than any other area. The trend of shifting security left continues, with organizations seeing the value that early remediation brings, but approaches and actual adoption rates vary.

Overall, roughly 40% of organizations are planning to implement some form of security testing in the development phase, with results ranging from 38% for interactive testing (IAST) to 43% for dynamic testing (DAST). A similar trend can be seen in security tool choices for the testing phase, with DAST again being the technology most commonly planned for adoption (36% of respondents). These plans fit in with the need to cover the growing attack surface of web applications across multiple components and dependencies, as dynamic testing is well-suited to this task.

Deep integration with development tools is the way

With application security testing finally on the table as an indispensable part of both development and IT security, the focus is shifting to driving accuracy, efficiency, and adoption. The Forrester report concludes that integration on all levels is the key to effective AppSec. On the tooling level, this means deeply integrating modern security solutions with the automation and collaboration tools that developers already use, whether through out-of-the-box integrations or increasingly comprehensive APIs. Accuracy and automation are crucial to ensure that developers get actionable issues directly into their inboxes, complete with remediation guidance.

At a higher level, organizations should include application security testing considerations in all their development planning. This includes future-proofing AppSec tools and processes by proactively preparing them for the likely technologies and workflows of the coming year. All these integration efforts also need to continue at the team level to bring security closer to developers and make it a routine part of the application development process.

Building DAST into your development pipeline

In many ways, the State of Application Security 2021 report echoes our own research and feedback from our customers. From the very beginning, Invicti has been developed with the aim of delivering accurate and scalable vulnerability scanning results that can be confidently automated. We have battled long-standing misconceptions around the accuracy and usefulness of DAST tools to show that, when done right, modern DAST is a must-have in any application security toolbox.

Invicti provides a wide array of integrations with industry-standard development and collaboration tools to make it easier to build DAST into the software development lifecycle (SDLC). We also have an extensive internal API that allows customers to integrate and customize the product to suit the way they work. Just like Forrester, we firmly believe that deep integration is the right way to go to ensure web application security – and get maximum value from your DAST investment.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.