Application security

What can Application Security Testing add to DevOps programs?

Coalfire Cybersecurity Team

March 13, 2020


The adoption of DevOps practices by organizations to shorten the standard development lifecycle has put new pressure on security teams to keep up with the pace of development within CI/CD pipelines. In order to accomplish this, security teams need to provide better security insights to developers so that fewer vulnerabilities are introduced, those that make it in are detected earlier, and they are resolved quickly.

Ideally, when application security testing is introduced into CI/CD pipelines, the testing methods should prioritize finding the most important vulnerabilities, avoid false positives, and focus on the most recent code changes between builds. Once found, these vulnerabilities should be reported to development teams in ways that are easy to track and resolve.

IBM AppScan Enterprise helps organizations identify the highest-priority web application security issues using dynamic application security testing (DAST). Using IBM AppScan allows organizations to easily bring DAST testing into the standard development lifecycle (SDLC), because these high-priority vulnerabilities can then be the focus of the development team’s remediation efforts. With ThreadFix®, security teams can combine and correlate multiple DAST scan results with results from static application security testing (SAST) for a consolidated view of their applications and vulnerabilities.

When the two are integrated through the REST API, ThreadFix can schedule automated scans through IBM AppScan, prioritize the vulnerabilities found across scan results, and export them to the defect tracking tools used by development teams. This provides more comprehensive security coverage for the organization while maintaining the pace of development through the CI/CD pipeline.
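As an added illustration (not code from Coalfire, ThreadFix or IBM AppScan), the following Python sketch applies the criteria described above to DAST results from two consecutive builds: it keeps only findings that are new since the previous build, drops those already triaged as false positives, gates on severity, and shapes what remains as defect-tracker tickets. The record layout, the correlation key and the ticket schema are assumptions constructed for the example.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

@dataclass(frozen=True)
class Finding:
    vuln_type: str
    url: str
    parameter: str
    severity: str

    def key(self):
        # Identity used to correlate one issue across scans (constructed rule).
        return (self.vuln_type, self.url, self.parameter)

def parse(records):
    """Convert raw scanner records (constructed shape) into Finding objects."""
    return [Finding(r["type"], r["url"], r.get("param", ""), r["severity"]) for r in records]

def triage(previous, current, gate="High", suppressed=frozenset()):
    """Findings new since `previous`, not suppressed, at or above `gate`, most severe first."""
    known = {f.key() for f in previous} | set(suppressed)
    fresh = [f for f in current
             if f.key() not in known and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[gate]]
    return sorted(fresh, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)

def to_ticket(f):
    """Shape a finding as a minimal defect-tracker payload (constructed schema)."""
    return {"title": f"[{f.severity}] {f.vuln_type} at {f.url}",
            "description": f"Parameter: {f.parameter or '(none)'}; source: DAST scan"}

# Constructed sample results for two consecutive CI builds.
PREVIOUS = parse([
    {"type": "Cross-Site Scripting", "url": "/search", "param": "q", "severity": "High"},
    {"type": "Missing X-Frame-Options", "url": "/", "severity": "Low"},
])
CURRENT = parse([
    {"type": "Cross-Site Scripting", "url": "/search", "param": "q", "severity": "High"},
    {"type": "Cross-Site Scripting", "url": "/help", "param": "topic", "severity": "High"},
    {"type": "Cross-Site Scripting", "url": "/profile", "param": "name", "severity": "High"},
    {"type": "SQL Injection", "url": "/login", "param": "user", "severity": "Critical"},
    {"type": "Missing X-Frame-Options", "url": "/", "severity": "Low"},
    {"type": "Verbose Server Header", "url": "/", "severity": "Info"},
])
# Finding reviewed in an earlier build and classified as a false positive.
SUPPRESSED = {("Cross-Site Scripting", "/help", "topic")}

if __name__ == "__main__":
    for ticket in map(to_ticket, triage(PREVIOUS, CURRENT, suppressed=SUPPRESSED)):
        print(ticket["title"])
```

Only the two findings that are both new and at or above the gate survive, ordered so the Critical one is ticketed first; lowering the gate or clearing the suppression list widens the set accordingly.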