With application security it seems there is never a dull moment. Different facets of web security continue to evolve from the hackers and the hacks to the techniques we use to combat them. Here are some of the trends we see emerging and maturing as best practices. Let us know if you are implementing these and how its going!
Continuous Scanning – There’s a lot of buzz around the concept of continuous scanning, but in the world of application security, continuous scanning is sort of a misnomer because you don’t really want all of your applications scanned all the time and it would be an unreasonable use of hardware and bandwidth. In reality, continuous application scanning means constantly monitoring applications for changes and automatically launching a scan when the application has changed. Talk to your vendor about their ability to conduct this “continuous scanning” or site monitoring with automatic re-scans.
Continuous Integration (CI) – Many organizations are pushing development to use Continuous Integration solutions (such as Hudson or Jenkins or home grown solutions) to streamline QA efforts and to reduce time to market. Security teams are wise to find ways to plug their scanning activity into the CI to ensure that every build is security tested before it goes into production. This requires a scanner that works well in “point and shoot” mode and offers open API’s for running scans. Ask your vendor how their scanner would fit into your CI environment.
Web browser automation integration – Most enterprise testing teams already use test automation tools & scripts such as Selenium to create repeatable tests that can be executed in conjunction with nightly application builds. It only makes sense to integrate security tests into this as well so that security tests can run automatically every time the application changes. This is a great way to catch application security vulnerabilities early and often.
For more information on the key trends and best practices in application security, check out the new Application Security Buyers Guide and this blog, 5 Ways to Squeeze More Juice out of Your Application Security Program.