Let’s talk about the use of application security tools: how important are they, and how can they solve your AppSec problems in development? To bring you these tips, we spoke to our CEO, Wagner Elias, who is also an AppSec expert.
The first point to make concerns the doubt about whether to use tools at all, and how much they can actually help and play a significant role when testing the security of an application. So: yes, tools are important; what we cannot do is transfer all security responsibility to a single tool. We talk more about this subject in this post, so be sure to check it out.
Buying a SAST tool, whatever its manufacturer and regardless of its quality, will not solve all your AppSec problems or guarantee that your application is truly secure. AppSec problems are complex and hinge on a very important factor: a change of culture and the training of your development team.
But then, what is the importance of AppSec tools?
Tools such as SAST, DAST, IAST and SCA, among others, exist to help skilled professionals gain scale and to perform repetitive tasks. And what would those tasks be?
A human checking a regular expression to see whether it is vulnerable to a regular-expression denial-of-service (ReDoS) attack is less efficient than a script or tool that runs that same check millions of times in exactly the same way. Extending this capability, a tool can also identify code patterns and vulnerability patterns that repeat, which lets you scale.
A tool helps you build an AppSec program in which a professional performs the activities that are critical and require human analysis, while the tool is used intelligently to gain scale.
You can also use integrations with CI/CD pipelines to run these automated analyses, use what you learn from these tools to empower teams, obtain coverage of everything you do during the development process, and more.
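The ReDoS check mentioned above is exactly the kind of repetitive task a tool should take over, and a CI/CD step is where it belongs. The script below is an added example, not code from the original post or from Conviso: it times each regular expression against short non-matching inputs of growing length and flags any pattern whose cost explodes long before realistic input sizes. The names `probe_regex` and `scan_patterns`, the budget and the sample patterns are all assumptions of this example.

```python
import re
import time

# Added example (not from the original post): automate the ReDoS check the
# article describes by timing a regex against growing non-matching inputs.
# Names (probe_regex, scan_patterns), the budget and the sample patterns
# are constructed for this illustration.

def probe_regex(pattern, build_input, lengths=range(8, 25, 2), budget=0.25):
    """Time `pattern` against inputs of increasing length.

    Returns (suspicious, samples) where samples is a list of (n, seconds).
    A pattern is suspicious when one small input (at most max(lengths)
    characters) already costs more than `budget` seconds: that is a sign of
    catastrophic backtracking, not of a genuinely large input.
    """
    compiled = re.compile(pattern)
    samples = []
    for n in lengths:
        text = build_input(n)
        start = time.perf_counter()
        compiled.match(text)  # the result is irrelevant, only the cost matters
        elapsed = time.perf_counter() - start
        samples.append((n, elapsed))
        if elapsed > budget:
            return True, samples
    return False, samples


def scan_patterns(patterns, build_input=lambda n: "a" * n + "!"):
    """Run the probe over every pattern; returns {pattern: suspicious}.

    The default input is a run of 'a' ended by a character that forces the
    overall match to fail, which is what triggers backtracking in nested
    quantifiers such as (a+)+.
    """
    return {p: probe_regex(p, build_input)[0] for p in patterns}


if __name__ == "__main__":
    # Constructed sample: one classic nested-quantifier pattern, one safe one.
    report = scan_patterns([r"^(a+)+$", r"^a+$"])
    for pattern, suspicious in report.items():
        print(f"{pattern:12} {'SUSPICIOUS' if suspicious else 'ok'}")
    # A CI step would fail the build when any pattern is flagged:
    raise SystemExit(1 if any(report.values()) else 0)
```

Feed `scan_patterns` the regular expressions extracted from your own code base and let the non-zero exit status fail the pipeline, so that a human only reviews the patterns the tool has flagged.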
Another very common case where tools matter (speaking of SAST specifically) is manual code review. Review done by humans tends to be more effective, but it takes longer than an automated tool and requires a highly qualified professional, so its cost is higher. Here we can work with prioritization, for example: critical applications get human analysis supported by tools, while less critical applications rely on tools alone to gain coverage.
What needs to be clear is that tools are important, but within an overall AppSec program they can never be the sole solution for implementing security in development teams.
