
How to source the right tools to scale an AppSec programme


Every development team is different, so it stands to reason that everyone’s perfect security toolkit will be different too. But finding the right tools to suit your project, and making the most of them, shouldn’t have to be a headache.

In application security there are literally thousands of tools that may help the development, security and longevity of your projects. But, as you might imagine, there are also thousands that will do nothing to help you on your journey—and it’s not always easy to tell one from the other.

Choosing which to use and how to use them is a minefield (though it shouldn’t be), even for those with the right training and know-how. Trust us—we’ve been there.

Luckily, through our extensive experience in DevSecOps and scaling application security, we have built a quick and easy method for working out what you need.

In this blog, we’ll explore how to source and select the right tools for your AppSec programme. Let’s begin.

Watch out for the cost of inaccuracy of your tools

Imagine you are tasked with building a house. You have hundreds of tools at your disposal, but you don’t have the longstanding knowledge to know your Lenker rod from your bull float. And why should you, unless you’re a part-time builder? This kind of situation is frequently mirrored in DevSecOps: teams are expected to know how to source the right security tools—even if their background isn’t in security.

When prepping the foundations of your house, you need to know where to dig. There is no point planning some grandiose build on unsuitable ground. Similarly, there’s no point using a security tool that doesn’t check for the controls you’re worried about, or that targets a different language, framework or cloud environment from the one your team is using. A FinTech authentication project written in C# on IIS and running in Azure will need a different toolkit from an internal Python microservices project running in containers on AWS.

In short, there is no point paying for a tool, or spending time running one, that isn’t doing the right job. It’s costly—both in time and money.

Watch out for tools that give you a false sense of security

But it’s not just time and money that you stand to lose if you pick the wrong tools. 

Arguably worse than either of those outcomes is being left with a false sense of security. If the wrong tools are in place, they may be reporting no issues when you actually have faults that need to be fixed. Research by Checkmarx has found that the biggest challenges for software developers are a lack of correlated risk data (with 42% citing this as a concern) and a high number of false positives (41%).

Depending on the scale of your business and the kind of data you handle, this can do real damage to a company. An inaccurate reading might not cause much disruption if the tool is monitoring the contents of the employee fridge... but employee personal data is another story, and one where you’ll want accuracy.

How to source the right tools for the job

So, how do you source the right tools for your project?

To begin with, it’s helpful to group tools by the area of the release cycle they cover, so you can see exactly where each application security tool will have an impact at the pipeline level. Understanding these categories lets you narrow down what you’re looking for:

  • SAST: Tools that check source code or binaries to find flaws or vulnerabilities such as SQL or command injection
  • IaC: A slightly newer set, these tools test your Terraform, CloudFormation, Dockerfiles and the like to see whether the infrastructure is defined securely
  • SCA: Tools that check the third-party libraries or dependencies you use for known problems and any necessary upgrades
  • Containers: Tools aimed at locating and reporting on flaws within your images
  • DAST: Tools that send traffic to running systems and analyse the responses to point to any security flaws
  • IAST: These act like a WAF and a SAST tool combined, adding a layer inside your programs that can spot and relay flaws at runtime
  • Cloud and infrastructure: Tools that check for flaws such as S3 buckets left open, what your IAM looks like from an infrastructure point of view, what systems you have running, and whether any patches are needed

It’s also important to note that many security programmes have to combine aspects of several of these categories to build up the coverage required for daily releases. And with things moving at such speed, this cannot be a manual process: it needs automation.
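As an added example that is not part of Uleska’s post or platform, here is a minimal GitLab CI pipeline that runs one open-source tool per category from the list above on every push, so combining the categories is automated rather than a manual step. The tool images, their flags, and the IMAGE and TARGET_URL variables are assumptions to be checked against the versions you actually deploy.

```yaml
# Added example (not from the original post): one open-source tool per
# category, wired into GitLab CI so every push runs the whole set and
# fails the pipeline on findings. Images, flags and the $IMAGE /
# $TARGET_URL variables are assumptions; verify against your tool versions.
stages: [sast, sca, iac, container, dast]

sast:                       # SAST: source-code checks (e.g. injection flaws)
  stage: sast
  image: semgrep/semgrep
  script:
    - semgrep scan --config auto --error   # non-zero exit on findings

sca:                        # SCA: third-party dependencies with known CVEs
  stage: sca
  image:
    name: aquasec/trivy
    entrypoint: [""]        # let the runner execute the script shell
  script:
    - trivy fs --scanners vuln --exit-code 1 --severity HIGH,CRITICAL .

iac:                        # IaC: Terraform / CloudFormation / Dockerfile checks
  stage: iac
  image:
    name: bridgecrew/checkov
    entrypoint: [""]
  script:
    - checkov -d . --quiet  # only failed policies are printed; fails the job

container:                  # Containers: flaws inside the built image
  stage: container
  image:
    name: aquasec/trivy
    entrypoint: [""]
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE"

dast:                       # DAST: traffic against a running review deployment
  stage: dast
  image:
    name: ghcr.io/zaproxy/zaproxy:stable
    entrypoint: [""]
  script:
    - zap-baseline.py -t "$TARGET_URL"   # non-zero exit on warnings or fails
```

The DAST stage assumes a deployed environment reachable at TARGET_URL exists before it runs; the other four stages only need the repository and the built image.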

Something we’re working on here at Uleska is building template tool groups for similar businesses. For example, if you are an FMCG business, chances are that starting with a toolkit used by another FMCG company will save you work. Instead of building your own from scratch, you can simply tweak a template toolkit that is widely used in your sector. Yet another way to alleviate some of that admin work!

What kind of tools can you afford?

When it comes to classifying application security tools further, we can largely boil them down to three overarching categories: Commercial, Open Source and Custom.

Each has different benefits and drawbacks: 

  • Commercial tools cover a wide range of security controls and are usually easier to use, but they come with a price tag that might be prohibitive for smaller outfits, or for use across all projects in larger companies
  • Open Source tools from the likes of OWASP and Kali Linux are free but generally come with less functionality and reporting abilities
  • Custom tools are generally developed in-house and provide a level of niche coverage, specific to business logic or product authorisation, that off-the-shelf tools simply can’t. Still, they are limited in false-positive handling and remediation recommendations, and are hard to automate into an AppSec programme

Determining which is right for your organisation combines internal aspects like culture and technical fit, external considerations like regulations, and the budget available to you.

Every toolkit will be different

At the end of the day, everyone’s perfect toolkit will be different. But finding the right tools to suit your project, and making the most out of those tools shouldn’t have to be a headache. 

At Uleska, our platform is built to do the hard work for you and makes scaling your application security simple, seamless and secure. And did we mention you can sign up for free?

Should you want a bit more information about the right toolkit for you, download our brand-new guide: The DevSecOps Toolkit, which provides comprehensive information on how to scale your application security.
