Application Security Blog | True Positives

Modern AppSec Means Doing More with Less

Written by Brian Pavicic | Oct 3, 2022 11:17:00 PM

Building software and constantly keeping it secure is a weighty task. The Wall Street Journal reports that government officials in the US and elsewhere are getting impatient with lackluster corporate cybersecurity and the many breaches it allows. In fact, they’ve declared that cybersecurity investments are no longer optional.

Needless to say, the pressure’s on.


Why Security is More Important Than Ever

Between wars, lingering supply chain issues, inflation, and a looming recession, the global economy is in for more disruption and more hacking—we all need to step up our security, even with fewer resources. Doing more with less is nothing new to application security veterans, but if you’re revamping your security posture in a hurry, you’re in for a rough ride. Especially if you’re with a startup or small to mid-sized organization.


Technology vs. Talent

Many organizations rely on outside consultants to perform software security audits, but these come with drawbacks: cost, disruption, delay, and a lack of worthwhile results. An individual or a handful of AppSec experts can’t efficiently find every bug, and applications are getting more complex all the time. Working on their own, it will be incredibly expensive for them to actually help you meet compliance and keep your data and users safe—and that’s without taking into account that the best of them are about as hard to find these days as full-time AppSec pros.

Fortunately, technology solutions have advanced in recent years, helping you amplify AppSec strategies with automation, and isolate the few areas of your code where the human touch is needed.

The areas that still call for human expertise include things like:

  • Penetration testing in the attack surface that tools can’t reach
  • Assessing the security of business logic
  • Both


Is DAST a Reliable Tool?

One of the more common automated AppSec technologies deployed is Dynamic Application Security Testing (DAST). Despite their prevalence, the vast majority of DAST tools have not kept up with the rapid evolution of development technologies. The result? Critical gaps in their reliability.

But not all DAST tools are made equal. In particular, our team of AppSec industry veterans (including security leaders from Microsoft) has recognized both Rapid7 and Invicti as uniquely able to assess large chunks of tool-accessible threat surfaces. With AppSec tools like these on your side, you can devote just a small amount of resources to manual inspection in the areas where tools can’t reach.

Plus, both of these tools help DevSecOps teams with workflow, reporting, and most importantly, remediation. Note that these tools do require application security experts to set up, tune, run, and analyze the results.


Building Your Application Security Strategy

With cybersecurity threats on the rise, government watchdogs amping up compliance talk, and AppSec budgets that aren’t growing, you need to automate what you can while bringing in AppSec talent to validate the most critical parts. Basically, better testing = better security.

If you are looking for a stronger AppSec strategy and the tech to back it up, our team at True Positives is one option. In addition to our productive partnerships with the DAST toolmakers mentioned above and extended below, we also offer focused manual testing and hybrid strategies with automation.

We can even start with free advice and connect you with the right tools at no additional cost compared to going directly to the toolmaker. For a limited time we are offering a free one-on-one AppSec consultation with our experts (plus a free DAST scan).