Top 8 Application Security Testing (AST)

SonarQube, Veracode, GitLab, GitGuardian Internal Monitoring, Checkmarx, PortSwigger Burp Suite Professional, Micro Focus Fortify on Demand, Coverity

  1. SonarQube: Improves the code coverage and evaluates the technical steps and percentage of code being resolved. All the features of the solution are quite good.
  2. Veracode: To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors.
  3. GitLab: CI/CD and GitLab scanning are the most valuable features. GitLab is a solution for source code management, container registry, pipelines, testing, and deployment.
  4. GitGuardian Internal Monitoring: Presently, we find the pre-commit hooks more useful. It enables us to identify leaks that happened in the past and remediate current leaks as they happen in near real-time. When I say "near real-time," I mean within minutes. These are industry-leading remediation timelines for credential leaks. Previously, it might have taken companies years to get credentials detected or remediated. We can do it in minutes.
  5. Checkmarx: The only thing I like is that Checkmarx does not need to compile. The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.
  6. PortSwigger Burp Suite Professional: I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating.
  7. Micro Focus Fortify on Demand: Provides good depth of scanning and we get good results. We have the option to test applications with or without credentials.
  8. Coverity: It is a scalable solution. The most valuable feature of Coverity is its software security feature called the Checker. If you share some vulnerability or weakness then the software can find any potential security bug or defect. The code integration tool enables some secure coding standards and implements some Checkers for Live Duo. So we can enable secure coding and Azure in this tool. So in our software, we can make sure our software combines some industry supervised data.

Buyer's Guide: Application Security Testing (AST), May 2023
Find out what your peers are saying about Sonar, Veracode, GitLab and others in Application Security Testing (AST). Updated: May 2023.
708,544 professionals have used our research since 2012.

Advice From The Community

Read answers to top Application Security Testing (AST) questions. 708,544 professionals have gotten help from our community of experts.
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Hi peers, I believe many of you have already heard of the recent Log4j/Log4Shell vulnerability that allows attackers to perform remote code execution (RCE). What does it mean for an organization? How can you check you're vulnerable and mitigate/patch it now, if at all? Lastly, what impact do...
ITSecuri7cfd: Yet another chance to test our incident response procedures. So far I would…
5 Answers
Charles Race
Manager of Data Processing at New York State Insurance Fund

I'm choosing an Application Security Testing platform.

My use cases are as follows:

  • SAST
  • DAST
  • Component Scanning
  • Vulnerability auditing 
  • Mitigation

What product/solution would you recommend and why? 

Thomas Ryan: The first thing you'd want to do is: 1. Look at your application inventory to…
8 Answers
Rony_Sklar
Community Manager at a tech services company with 51-200 employees

Hi,

Many companies wonder whether SAST or DAST is better for application security testing. 

What are the relative benefits of each methodology? Is it possible to make use of both?

Dan Doggendorf: SAST and DAST are not mutually exclusive and should be used in conjunction with…
6 Answers
Rony_Sklar
Community Manager at a tech services company with 51-200 employees

What are the different types of tools that should be used together in DevSecOps?

What are the specific tools that you like to use when working on your DevSecOps pipeline? 

What is essential, and what is a nice-to-have? 

Rama Susarla: It depends on the budget, business and technology portfolio of the enterprise…
6 Answers

Application Security Testing (AST) Articles

Deena Nouril
Tech Blogger
What is OWASP? The OWASP or Open Web Application Security Project is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. The OWASP ensures tha...
Ben Arbeit: Thanks for this informative article.
Jairo Willian Pereira: OWASP is nice, but very specific and currently limited. How about trying…
2 Comments
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Dear professionals, Welcome back to PeerSpot's Community Spotlight! Below you can find the latest hot topics posted by your fellow PeerSpot Community members. Read articles, answer questions, and contribute to discussions that are relevant to you and your expertise. Or ask your peers for insight...
Evgeny Belenky: @Chris Childerhose, @PraveenKambhampati, @Deena Nouril, @Shibu Babuchandran and…
1 Comment

Application Security Testing (AST) Topics

Why is application security important?

Application security is important because applications that are connected to the cloud or exposed over various networks make your organization more vulnerable to security breaches and threats. Application security testing reveals these weaknesses so they can be fixed before an attacker finds them.

What are the different types of application security?

The different types of application security include:

  • Authentication: procedures that software developers build into an application to verify a user's identity, so that only legitimate users gain access to it.
  • Authorization: can only happen after authentication. The system verifies that the authenticated user has permission to use the application, for example by comparing the user's identity against a list of authorized users.
  • Encryption can protect sensitive data from being used by a cybercriminal. For cloud-based applications, traffic containing sensitive data that travels between the end user and the cloud can also be encrypted so that the data stays safe.
  • Logging can assist in determining who gained access to data and how they did so in the event of a security breach in an application.

What are different application security approaches?

Different approaches find different kinds of application security flaws, and each is most effective at a particular stage of the development lifecycle.

  • Black-box security audit: The running application is tested for security flaws from the outside; no source code is necessary.
  • White-box security review or code review: This approach involves a security engineer manually inspecting the source code of an application to look for security issues. Vulnerabilities unique to the application can be discovered through understanding the application.
  • Automated tooling: Automated scanners are run during the development or testing process to find flaws without manual review of every component.
  • Design review: Before code is created, the architecture and design of the application can be reviewed for security flaws.
  • Coordinated vulnerability disclosure platform: Many websites and software providers offer hacker-powered application security programs through which individuals are recognized and compensated for reporting defects.

What is application security testing?

Application security testing is the part of the software development process that application developers use to find and remediate security vulnerabilities in a new or updated version of a software application. It is performed continuously throughout the development and production phases of the software development lifecycle, helping bridge the gap between development, operations, and security.

What are application security testing tools?

  • Dynamic Application Security Testing (DAST) detects a wide variety of technical vulnerabilities and is an essential part of any application security program. It can continuously and automatically test applications in both production and pre-production environments, so your organization can get a better understanding of the true risk surface of your applications.
  • Static Application Security Testing (SAST) aims to remediate critical code vulnerabilities before they become security risks. It allows your organization to address high-risk issues earlier and reduce the cost of AppSec remediation efforts by detecting and remediating vulnerabilities before the software is deployed.
  • Mobile Application Security Testing (MAST) is a type of application security testing tool that focuses on finding and remediating software security vulnerabilities before applications move into production.

What are application security testing best practices?

Application security testing best practices include:

  • Educate developers on how to build applications that are secure by design.
  • Help testers identify security issues early, before software goes to production.
  • Adapt business processes to include risk analysis and use automated tools for in-depth testing and continuous monitoring.
  • Test internal interfaces, not just APIs and UIs.
  • Mobile platforms differ significantly from traditional web applications in operating system, architecture, and development tools; invest in more specialized training and AppSec testing tools for secure mobile app development.
  • Apply AST practices to any third-party code used in your applications, not only to code written in-house.
  • Build an effective API security strategy that includes comprehensive vulnerability scanning for all web service APIs, whether public, private, or internal-facing.
  • Practice zero-trust. Assume all third-party applications are untrusted until validated.
  • Combine DAST and SAST methodologies to achieve effective and long-term risk and cost reduction.

Application Security Testing Tools Features

When doing your research, look for application security testing tools that have the following features:

  • Ease of use: The tool should be easy to use, for beginners and advanced professionals.
  • Flexibility: The tool should be flexible enough to accommodate your needs and allow you to test all aspects of your application.
  • Functionality: A good application security testing tool should offer a wide range of functionality so that you can test every aspect of your application’s security.
  • Reporting capabilities: The tool should generate comprehensive reports detailing the results of the security tests you run.
  • Price: As with any purchase, the application security testing tool you choose should be affordable without sacrificing quality or features.

Application Security Testing Tools Benefits

Below are several reasons businesses should invest in application security testing tools:

  • Boosts customer satisfaction: Application security testing tools help your organization keep customer data secure and, in turn, build customer confidence.
  • Protection from external attacks and leaks: Application security testing tools protect sensitive data from being exposed by revealing flaws during the testing process, before the application is exposed to attackers.
  • Cost savings: Performing security testing throughout the SDLC saves costs by highlighting bugs very early on. When a developer is able to fix bugs sooner in the process, your organization saves both money and time.
  • Reduced risk: When QA teams use application security testing tools, end-user data remains safe. If the security of an application becomes compromised, an organization risks its reputation.

Disadvantages of Application Security Testing Tools

While application security testing tools have a lot of great features and many benefits, they also have some downsides, including:

  • The results of application security tests may vary in accuracy if not performed correctly.
  • Testing is time-consuming and requires expertise to execute properly.
  • Without appropriate resource allocation, setting up the processes may be difficult or impossible to sustain.