The complexities of security testing have become the bane of a CISO's existence—especially the swarm of tools spawned through a decade of innovation and a relentless quest for the "best of breed" in each security discipline. But a recent interview with Rob Cuddy, Solution Architect and Application Security Evangelist at HCLSoftware, casts much-needed light on this "tool sprawl" dilemma—and opens a path to a refreshing end-to-end simplicity.
Why CISOs love simplicity
To understand how attractive such simplicity could be, recall the key challenges a CISO faces—chief among them being "to come into the boardroom and justify the budget," notes Cuddy. Boards, being risk-averse by nature, want a clear plan that will quantify and contain security risks within acceptable limits. That clarity requires a comprehensive view of risk management, Cuddy argues, so as to identify key threats and the steps needed to address them.
In the real world, that means prioritizing threats and allocating budget to match those priorities. Indeed, many organizations are now rethinking their prior practice of spreading resources thinly across an abundance of targets—moving instead to focus attention strategically where it's most needed. As the various alternatives are weighed, end-to-end visibility is essential—which means end-to-end tooling is also needed to enable that unified view. (Outside the security context, value stream management is gaining popularity for similar reasons, notes Cuddy.)
IAST: Improving visibility in application security
More concretely, one way to improve visibility in application security is interactive application security testing (IAST), which serves as a monitor for security while wrapping security testing into functional testing and thus into the organization's overall view of quality.
HCL AppScan on Cloud (as well as HCL AppScan 360°) can correlate IAST results with static testing and dynamic testing in a single platform—and since these results are seen together, it's simple to compare vulnerabilities, prioritize risks, and allocate resources to fix them. What's more, code can be correlated with the related threat vector to help target the fixes.
"And that's where we leverage IAST, so those things all start working together," Cuddy explains. "If I'm seeing an issue in both static and interactive, that means that's absolutely exploitable."
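The correlation idea described above, as an added illustration that is not HCL's code and does not use the AppScan API: three constructed finding lists stand in for static (SAST), dynamic (DAST) and interactive (IAST) scanner output. Because an IAST finding records both the code sink and the request that reached it, it serves as the pivot: static findings attach to it by file, line and weakness class, dynamic findings by URL and weakness class, and an issue corroborated by both static and interactive testing is ranked "confirmed" in line with the interview's point. The `Finding` fields, the line tolerance and the priority tiers are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: findings whose line numbers differ by at most this much point
# at the same sink (different scanners report slightly different lines).
LINE_TOLERANCE = 3


@dataclass(frozen=True)
class Finding:
    source: str                   # "sast", "dast" or "iast"
    cwe: str                      # weakness class, e.g. "CWE-89"
    file: Optional[str] = None    # code location (SAST, IAST)
    line: Optional[int] = None
    url: Optional[str] = None     # request that triggered it (DAST, IAST)


def same_sink(a: Finding, b: Finding) -> bool:
    """True when two findings name the same weakness at the same code location."""
    return (a.cwe == b.cwe and a.file is not None and a.file == b.file
            and a.line is not None and b.line is not None
            and abs(a.line - b.line) <= LINE_TOLERANCE)


def priority(sources: set) -> str:
    """Rank by corroboration: seen by static and interactive testing together
    counts as confirmed; any other corroboration or a lone IAST hit is likely;
    a single static or dynamic finding still needs review."""
    if {"sast", "iast"} <= sources:
        return "confirmed"
    if "iast" in sources or len(sources) > 1:
        return "likely"
    return "review"


def correlate(sast, dast, iast):
    """Merge three scanners' findings into one prioritised list of dicts.

    Each IAST finding pulls in matching SAST findings (by code location) and
    DAST findings (by URL and CWE). Unmatched SAST/DAST findings are kept as
    single-source entries so nothing is silently dropped."""
    used_sast, used_dast, merged = set(), set(), []
    for i in iast:
        sources = {"iast"}
        for n, s in enumerate(sast):
            if same_sink(s, i):
                sources.add("sast")
                used_sast.add(n)
        for n, d in enumerate(dast):
            if d.cwe == i.cwe and d.url == i.url:
                sources.add("dast")
                used_dast.add(n)
        merged.append(dict(cwe=i.cwe, file=i.file, line=i.line, url=i.url, sources=sources))
    for n, s in enumerate(sast):
        if n not in used_sast:
            merged.append(dict(cwe=s.cwe, file=s.file, line=s.line, url=None, sources={"sast"}))
    for n, d in enumerate(dast):
        if n not in used_dast:
            merged.append(dict(cwe=d.cwe, file=None, line=None, url=d.url, sources={"dast"}))
    for m in merged:
        m["priority"] = priority(m["sources"])
    order = {"confirmed": 0, "likely": 1, "review": 2}
    merged.sort(key=lambda m: (order[m["priority"]], -len(m["sources"])))
    return merged


# Constructed sample findings (not real scanner output).
SAMPLE_SAST = [
    Finding("sast", "CWE-89", file="app/db.py", line=42),
    Finding("sast", "CWE-79", file="app/views.py", line=10),
]
SAMPLE_DAST = [
    Finding("dast", "CWE-89", url="/search"),
    Finding("dast", "CWE-352", url="/account/update"),
]
SAMPLE_IAST = [
    Finding("iast", "CWE-89", file="app/db.py", line=43, url="/search"),
]

if __name__ == "__main__":
    for m in correlate(SAMPLE_SAST, SAMPLE_DAST, SAMPLE_IAST):
        where = m["file"] and f"{m['file']}:{m['line']}" or m["url"]
        print(f"{m['priority']:<9} {m['cwe']:<8} {where:<22} {sorted(m['sources'])}")
```

Run as-is, the SQL injection sink reported by all three scanners comes out first as "confirmed", while the lone static XSS finding and the lone dynamic CSRF finding fall to "review"; that ordering is the budget-allocation argument from the interview made concrete.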
Standardization and diversification in software development
Recent shifts in the software development landscape have led to both standardization and diversification—with component-based development and Agile methodology moving developers toward diversity while operations teams try to keep up. But the need for visibility, transparency, and a clear understanding of security risks still remains, says Cuddy. And people now understand that the best approach is to design for security and do security testing throughout the process, he adds—so that when teams release high-quality code, that "quality" has security baked in.
The full interview and accompanying video can be found at SDTimes.com.