
As attacks become more financially motivated and as
organisations get better at securing their network, desktop and
server infrastructures, there has been a shift in attacks to the
application level, writes Joseph Feiman, research
vice-president and fellow at Gartner.
To address those new risks, several technology markets for
application security have emerged:
Static application security testing (SAST) is a set of
technologies designed to analyse application source code, byte
code, or binaries for coding and design conditions that are
indicative of security vulnerabilities. Much like a compiler, SAST
tools analyse applications line by line, following information
flows and looking for conditions that indicate potential security
vulnerabilities. SAST tools are used to analyse applications in a
non-runtime state.
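The "following information flows" step above, as an added illustration that is not from the article or any Gartner product: a toy taint-tracking analyser built on Python's ast module, with constructed source, sink and sanitiser lists and a constructed sample program. It flags the line where user input reaches os.system and stays quiet where the value passes through shlex.quote first; the program under analysis is parsed as text and never run.

```python
import ast
# Constructed rule sets for this toy analyser (an assumption, not any real SAST tool's rules).
SOURCES = {"input", "request.args.get"}           # where untrusted data enters
SINKS = {"os.system", "cursor.execute", "eval"}   # where it must not arrive unchecked
SANITISERS = {"shlex.quote"}                      # calls that neutralise the taint
def dotted_name(node):  # 'a.b.c' for a Name/Attribute chain such as os.system, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None
class TaintAnalyser(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names holding attacker-controlled data
        self.findings = []     # (line, sink) pairs where tainted data reaches a sink

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):            # e.g. "ping -c 1 " + host
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SANITISERS:
                return False                       # taint is cut here
            return name in SOURCES or any(self.is_tainted(a) for a in node.args)
        return False                               # literals and anything unmodelled

    def visit_Assign(self, node):                  # propagate taint in statement order
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):                    # report tainted data reaching a sink
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)
def analyse(source):  # [(line, sink), ...] for each source-to-sink flow; nothing is executed
    analyser = TaintAnalyser()
    analyser.visit(ast.parse(source))
    return analyser.findings
# Constructed sample, analysed as text only. Line 4 is flagged; line 6 is sanitised and is not.
SAMPLE = '''import os, shlex
host = input("host: ")
cmd = "ping -c 1 " + host
os.system(cmd)
safe = "ping -c 1 " + shlex.quote(host)
os.system(safe)'''
```

Running analyse(SAMPLE) returns [(4, 'os.system')]; a real SAST tool does the same job with far richer rules, inter-procedural tracking and language-specific parsers.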
Dynamic application security testing (DAST) technologies
are designed to detect conditions indicative of a security
vulnerability in an application in its running state. Most DAST
solutions test only web-enabled applications; however, some
solutions are designed specifically for protocol and data
malformation.
The best way to ensure that applications bought today are not
threats tomorrow is to proactively remove vulnerabilities before
applications are placed into production, not after. Organisations
should require all providers of internally and externally developed
applications to provide evidence of security testing during the
development of the application, ideally using a combination of SAST
and DAST tools.
Data masking is a set of techniques to prevent the abuse
of sensitive data by hiding it from users. Potential abusers are
mainly users of test databases (programmers, testers and database
administrators). Adopting data masking will help organisations
raise the level of security and privacy assurance against
(especially!) insiders' abuses and it will make them compliant with
the security and privacy standards recommended by
regulating/auditing organisations.
Application hardening and shielding is a set of
technologies used to add security functionality within applications
specifically for the detection and prevention of application-level
intrusions. At their most basic level, the technologies include
obfuscation technologies to protect the application code against
reverse-engineering intellectual property embedded in software.
More-advanced capabilities inject security protection directly into
the application without requiring developers to modify the source
code. This is still an adolescent, slowly maturing market, worth
considering in long-term planning.
Read more expert advice from the Computer Weekly Security Think
Tank.