The importance of software application security testing

Application Security Testing: a duty of best practice to protect customer data

Document Logistix invests in continuous security testing to detect potential system vulnerabilities, to review code, to identify logical errors, and to help developers’ maintain high standards.  

Applications form the backbone of many businesses today. Whereas previously attention was placed on securing organisations' network parameters, today attackers focus on the application level (according to Verizon).

Ignore the security standards of your software at your peril

As technology ingrains itself into people’s lives and becomes integral to most businesses, the threat increases of being hacked for personal information or company data.

Cyber security is a major concern for individuals and businesses who are trusted to store data securely, be it customer names and contact details, sensitive financial information, or trade secrets.

It is critical that enterprises employ rigorous security testing for their applications, websites and digital product that receive or store important data from customers, clients and partners. 

What software security testing is effective?

In the distant past, businesses and technology vendors could treat security testing as a singular event, at the end of a project, at the time of a significant version release, or in periodic penetration tests.

Tim Cowell, CTO, says, “At Document Logistix we started to take security very seriously, twenty years ago, in the early days of data access via the internet, when one of our innovative customers wanted to share information with its customers. The potential for mischief immediately expanded far beyond historical in-house vulnerabilities and risks.

A few of our customers carry out penetration tests, either annually or when we release a major upgrade. But a penetration test only provides a snapshot at one point in time.

I looked for a continuous way to check the security of Document Logistix products, so that we can provide concrete evidence to our customers that we take every precaution to protect them. I also wanted third party, objective, expert validation of our work.

That’s why I selected WhiteHat Security. WhiteHat appeared in the right segment of the Gartner Quadrant and the experience and knowledge of their team impressed me. WhiteHat reviews our code every day, overnight in fact, so that there is a report available each morning, green-lighting our work or flagging any potential issues.”

Security as Developer CPD

Document Logistix has taken further advantage of WhiteHat services to put its developers through security certification programmes. Document Logistix is in the vanguard of software vendors that invest in training software developers in security best practice, so that developers understand potential security vulnerabilities at a deeper level than they would learn on typical programming courses.

Good application security is an invisible,
under-estimated asset

At User Groups, Tim Cowell tells audiences that it is difficult to demonstrate one of Document Logistix’ products’ significant strengths, their security.

Most software buyers are naturally interested in functionality. In demos and pitches, the question “is it safe” is rarely asked by potential users.

However, IT and Risk Management Officers are rightly asking about safety in light of recent high profile security breaches and allegations of wide-scale data abuse.

Tim Cowell says, “I want Document Logistix’ investment in the security of its products – our best measures – to be demonstrable. The WhiteHat trust mark helps us to convey our commitment.”

WhiteHat Security Reports add industry context to vulnerability issues

Extracts from WhiteHat Security Reports indicate many industry sectors are vulnerable to application security breaches for significant amounts of time.

Despite growing security awareness, applications continue to remain vulnerable across all industries.

Application vulnerabilities continue to be a significant problem; however there has been marginal improvement across the board. In 2015, web applications analysed had an average of four vulnerabilities. That number dropped to three vulnerabilities in 2016. While this represents a 25 percent improvement year-over-year, most applications have three or more vulnerabilities, with almost half of them being “critical”. These errors could result in data loss, theft or denial of service attacks if not properly remediated.

As Figure 1 indicates, the service industry suffers the highest number of vulnerabilities, both critical and non-critical, followed by the transportation sector. Among regulated industries, Retail has one of the highest serious vulnerability ratios at 33 percent. By comparison, Finance and Healthcare each have less than 28 percent “serious” vulnerabilities (the combination of “critical” and “high risk” classifications). These better numbers may reflect an increased level of investment in cybersecurity by those two industries. On the other hand, even with PCI compliance imposing a regulatory mandate for better application security, the Retail industry continues to be plagued with insecure software.

Figure 1. vulnerability profile by industry – DAST

Data breaches can cost lives

Data is the life blood of today’s business world. If it is compromised or misused the consequences are far reaching.

Tim Cowell observes, “Some of our customers hold hugely sensitive data - government information, defence information, pharmaceutical data – which, if compromised, could have serious consequences. And the breach of even ‘standard’ data could be costly for our ‘regular’ business customers, in hard currency and in reputational damage.

Document Logistix recognises its obligation to ensure that the security of its products meet today’s risk challenges, so we invest in continuous review.”

Security: what else can an application vendor do?

Is security a passive function? The answer should be “no.”

Tim Cowell wants to take the lead on product deployment and make stronger recommendations to customers about security housekeeping and management, even at basic levels, such as password strength and password sharing.

“Our products provide comprehensive audit trails on system access and user activity. There are relatively simple things we can do to advise customers on ways to do more to help themselves, and to help them to preserve the embedded security of features that they have purchased from Document Logistix.

It’s just one of those things that people do not give proper attention to until after an event, so it’s our job to help them to keep security ‘front of mind’.”