Today’s post let’s talk about Future of Application security testing (AST). As background information for those who are new to the topic, application security testing (AST) is a domain with a variety of approaches. For those focus on static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), mobile application security testing (Mobile AST) and manual application security testing (MAST) to name just a few branches of it. Overall, the aim is the same, to make sure for the application security via the security testing and assessment via the automated testing script or match the findings to verify whether a specific vulnerability exists and report them.
DevSecOps or secure DevOps is been in the market for some period of time, where provide highly efficient and effective in handle entire software development lifecycle (SDLC) from the source code management (SCM) to CI/CD tool chain (for continuous innovation and continuous delivery) for the modern agile driven software development lifecycle (SDLC). The original success and proven use of the DevOps for massive time saving for the automation and seamless integration, make it possible to put AST on top of DevOps, for those who practice DevSecOps or secure DevOps become possible.
All AST vendors are under the pressure to make their product capable of performing trigger scanning via the API integration into DevOps. With the trend going on, the mass of the AST tasks will be automated, that is where the direction goes.
For the good side, enterprises save a lot of the time to let what automated scanner roles change from security testing officer to automated DevSecOps, or under the strong influence by the software developer, which result in faster software application development lifecycle (SDLC). For those application security testing officers, no one really knows how to perform value-added manual application security testing (MAST) and application penetration testing, unless the enterprise has other tasks for them to do, else, the said officer position will be at risk. For those who are really possess and know how to perform various manual application security testing and penetration testing, you no need to worry, because despite under the strong trend toward seamless integration and automation with DevSecOps, but medium to large enterprise remain needed your competency, as automated AST can not perform all the testing via script and signature matching basis. A lot of vulnerabilities required manual application security testing to discover, just like how real hackers did on a manual exploit basis.
Purely knowing how to make use of automated security testing tools to perform automated scanning and knowing about how to perform manual application security testing and knowing how to perform vulnerability validation and verification, or penetration testing are two different levels of competency. As you can expected, purely knowing how to use automated testing tool and accept whatever it report and you do not know how to manual test them, or know how to complement the limit of automated scanner, such as cover those areas can not be automated scripting and signature testing, that the value attached to the person who can perform that roles and duties. If DevSecOps automated the process, without doubt, the person who will be staying is the one who can perform MAST and pentesting. Since the coming of your enterprise is yet to be initiated, sooner or later, DevSecOps will be here to stay. Unless your enterprise does not develop its own application, yet it is unlikely do not automated it.
Most of the existing features such as a beautiful dashboard etc may become features of the past, as what matters most will be from a software development life cycle perspective kind of dashboard. Unless for some reason, AST remains isolated from the agile SDLC. It is hard for those who never expose themselves to how software developers use SCM to CI/CD to understand how the security testing is automated inside the DevSecOps, unless you go to get your hands dirty and realize the benefits of it, and why MAST and pentesting will remain in value. If you have the opportunity, as the E-SPIN existing customer, feel free to join E-SPIN various hand-on labs and workshops organized here and there to get yourself acquired the said first experience.
E-SPIN Group in the enterprise ICT solution supply, consultancy, project management, training and maintenance for corporation and government agencies did business across the region and via the channel. Feel free to contact E-SPIN for your project requirement and inquiry.
Other post you may be interest: