As attacks become more financially motivated and as organisations get better at securing their network, desktop and server infrastructures, there has been a shift in attacks to the application level, writes Joseph Feiman, research vice-president and fellow at Gartner.
To address those new risks, several technology markets for application security have emerged:
Static application security testing (SAST) is a set of technologies designed to analyse application source code, byte code, or binaries for coding and design conditions that are indicative of security vulnerabilities. Much like a compiler, SAST tools analyse applications line by line, following information flows and looking for conditions that indicate potential security vulnerabilities. SAST tools are used to analyse applications in a non-runtime state.
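To make the "following information flows" part concrete, here is an added illustration (not from the article or any vendor's tool) of the core idea behind SAST taint analysis: a minimal, flow-insensitive tracker over Python's own `ast` that marks values returned by `input()` as attacker-controlled, propagates that mark through assignments, and reports where a tainted value reaches a dangerous sink. The sample program, the source and sink lists and the helper names are all constructed for this example.

```python
import ast

# Constructed sample program (not from the article): user input flows into a shell call.
SAMPLE = '''
import os
name = input("file: ")
safe = "ls -l"
path = "/tmp/" + name
os.system("cat " + path)
os.system(safe)
print(len(path))
'''
SOURCES = {"input"}                 # calls whose return value is attacker-controlled
SINKS = {"os.system", "eval"}       # calls that must never receive tainted data

def _call_name(node):
    """Return a dotted name for a call target, e.g. 'os.system'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def _is_tainted(node, tainted):
    """An expression is tainted if any variable or source call inside it is."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _call_name(sub) in SOURCES:
            return True
    return False

def find_taint_flows(source_code):
    """Single-pass taint propagation over straight-line code (no branches/loops).
    Returns (line, sink) pairs where a tainted expression reaches a sink."""
    tainted, findings = set(), []
    for stmt in ast.parse(source_code).body:
        if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
            tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            name = _call_name(call)
            if name in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                findings.append((call.lineno, name))
    return findings

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}()")
```

Real SAST engines add control-flow and inter-procedural analysis, sanitiser recognition and a far larger source/sink catalogue, but the report they produce is the same kind of source-to-sink path shown here.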
Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only web-enabled applications; however, some are designed specifically to test how applications handle malformed protocols and data.
The best way to ensure that applications bought today are not threats tomorrow is to proactively remove vulnerabilities before applications are placed into production, not after. Organisations should require all providers of internally and externally developed applications to provide evidence of security testing during the development of the application, ideally using a combination of SAST and DAST tools.
Data masking is a set of techniques to prevent the abuse of sensitive data by hiding it from users. Potential abusers are mainly users of test databases (programmers, testers and database administrators). Adopting data masking will help organisations raise the level of security and privacy assurance, especially against abuse by insiders, and it will help them comply with the security and privacy standards recommended by regulating/auditing organisations.
Application hardening and shielding is a set of technologies used to add security functionality within applications, specifically for the detection and prevention of application-level intrusions. At their most basic level, these technologies include obfuscation techniques that protect application code against reverse engineering of the intellectual property embedded in the software. More advanced capabilities inject security protection directly into the application without requiring developers to modify the source code. This is still an adolescent, slowly maturing market, worth considering in long-term planning.