What is Application Security?

As validated by multiple studies, the majority of successful breaches target exploitable vulnerabilities residing in the application layer, indicating the need for enterprise IT departments to be extra vigilant about application security. To further compound the problem, the number and complexity of applications is growing. Ten years ago, the software security challenge was about protecting desktop applications and static websites that were fairly innocuous and easy to scope and protect. Now, the software supply chain is much more complicated considering the outsourced development, the number of legacy applications, coupled with in-house development that takes advantage of 3rd party, open source and commercial, off-the-shelf software components.

Organizations need application security solutions that cover all of their applications, from those used internally to popular external apps used on customers’ mobile phones. These solutions must cover the entire development stage and offer testing after an application is put into use to monitor for potential problems. Application security solutions must be capable of testing web applications for potential and exploitable vulnerabilities, have the ability to analyze code, help manage the security and development management processes by coordinating efforts and enabling collaboration between the various stakeholders. Solutions also must offer application security testing that is easy to use and deploy.

What is SAST?

Static Application Security Testing (SAST)(SAST) scans the application source files, accurately identifies the root cause, and helps remediate the underlying security flaws.

What is DAST?

Dynamic Application Security Testing (DAST) simulates controlled attacks on a running web application or service to identify exploitable vulnerabilities in a running environment.

What is SCA?

Software Composition Analysis (SCA) is an automated process to help identify and track the open-source components used in applications. More robust SCA tools can analyze all open-source components for security risk, license compliance, and code quality.

Application security solutions consist of the cybersecurity software (the tools) and the practices that run the process to secure applications.

On-Premise

Application security testing solutions can be run on-premise (in-house), operated and maintained by in-house teams. This approach requires organizations to provide the infrastructure and personnel, and to acquire application security solutions for their usage. On-premise assures organizations that their application data is not shared with third parties and does not leave the premises.

SaaS

Application security as a SaaS offering provides cloud-based solutions with a web-based user interface, allowing the customer to configure, perform, and manage application security. This option still requires organizations to provide the personnel and expertise required to run the various application security testing tools, but without the need to provide infrastructure, maintenance, updates, etc..

Managed Service

Application security can also be a managed service where the customer consumes services provided as a turnkey solution by the application security provider. This approach doesn’t require any of the prerequisites of the on-premise approach, but it does require relying partially or completely on the SaaS vendor and in most cases, allow the application data to be shared with the vendor. Application security as a managed service provides an easy way to get started and can offer scalability and speed. Hybrid implementations (using on-premise, SaaS, and managed services together in different projects and practices) aim to provide the best of both worlds by providing flexibility, scalability, and cost optimization.

OpenText Application Security solutions solutions offer application security testing and management on-premise, hosted, and as-a-service to help companies secure their software applications—including legacy, mobile, third-party, and open-source applications.

Fortify offerings include static code analysis, dynamic application security testing, software composition analysis (SCA), and interactive application security testing tools to provide code security for your Web Apps, APIs, Mobile Apps, Infrastructure-as-Code, Containers, and Software Supply Chain.

The solutions include:

Fortify Static Code Analyzer - Static Application Security Testing (SAST) - Identifies and pinpoints security vulnerabilities in source code early in the software development lifecycle.

Fortify WebInspect - Dynamic application security testing (DAST) – Simulates real-world security attacks on a running application to provide comprehensive analysis of complex web applications and services.

Interactive application security testing (IAST) – Integration of our dynamic testing and runtime analysis to identify more vulnerabilities by expanding coverage of the attack surface and exposing exploits better than dynamic testing alone.

Fortify on Demand – Security as a Service - A simple, easy and quick way to accurately test applications without having to install or manage software, or add additional resources.

Mobile Security – Mobile testing methodology that tests all three tiers including the client, network, and server.

Fortify Insight – Aggregate and analyze numerous sources of previously siloed data, visualized in an enterprise dashboard for actionable insights.

Software Security Assurance – Centralized management repository provides visibility that helps resolve security vulnerabilities.

Fortify Software Security Center - Centralized management repository providing visibility to the entire application security testing program. It prioritizes, manages and track security testing activities and provides an accurate picture of software security risk across your enterprise.