Innovation and growth in software development have sparked a number of new approaches. Agile, DevOps and many other methods have become the new norm for developing software. As the field of programming broadens, the importance developers attribute to software testing varies strongly among different kinds of software development activities. Although recent events have proven that application security testing needs to be an essential part of software development, it is often still overlooked, allowing bugs to stay undetected and leaving companies exposed to cyberattacks. The fact that many companies still neglect the importance of security testing is alarming - especially with the top 606 bugs single-handedly causing a USD 1.7 trillion financial loss!
To bring some awareness to the topic of application security (AppSec), we would like to provide you with an overview of the latest practices and methods.
Currently, the impact of AppSec on the quality and long-term costs of an application is widely underestimated in many companies. Compared to hardware errors, software bugs account for 3 times the downtime costs. However, simply investing in testing methods does not eliminate this problem completely. Although it is difficult to rule out bugs entirely in the software development lifecycle (SDLC), investing in effective testing methods can significantly reduce the number of bugs that make it to the later stages of an application and thus improve its quality. Considering the Rule of Ten (the cost of fixing a defect rises by roughly an order of magnitude with each later stage in which it is found), it is important to implement such measures early in order to prevent high follow-up costs. So if you want to ensure long-term quality in your application, you had better start testing early.
Over the past years several kinds of SDLC models have been explored. The most recent model, "DevSecOps", incorporates an overall security aspect to ensure that testing is emphasized throughout the different stages. To make testing possible within the different stages, most software providers use a combination of several testing approaches (SAST, DAST, IAST...). Finding the right solution can be a challenge, since every approach has different advantages and disadvantages and none of them can guarantee full security. Our customers regularly ask us to share our insights about the following questions:
Therefore, we at Code Intelligence have decided to launch the "Application Security Testing Report 2020". This year's version covers the following topics:
Curious what Application Security Testing looks like in 2020?