Top 8 Application Security Testing (AST) Tools

  1. Veracode: "Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
  2. Checkmarx: "The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined; it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting; they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
  3. PortSwigger Burp Suite Professional: "The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools. The initial setup is simple."
  4. Micro Focus Fortify on Demand: "The vulnerability detection and scanning are awesome features. The user interface is good."
  5. GitLab: "As a developer, this solution is useful as a repository holder because most of the POC projects that we have are on GitLab. I like that you can use GitLab as a double-sided solution for both DevOps and version management. It's a good product for working in these two areas, and the user interface makes it easy to understand."
  6. OWASP Zap: "It updates repositories and libraries quickly. Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
  7. Contrast Security Assess: "The solution is very accurate in identifying vulnerabilities. In cases where we are performing application assessment using Contrast Assess, and also using legacy application security testing tools, Contrast successfully identifies the same vulnerabilities that the other tools have identified, but it also identifies significantly more. In addition, it has visibility into application components that other testing methodologies are unaware of."
  8. GitGuardian Internal Monitoring: "The secrets detection and alerting is the most important feature. We get alerted almost immediately after someone commits a secret. It has been very accurate, allowing us to jump on it right away, then figure out if we have something substantial that has been leaked or whether it is something that we don't have to worry about. This general main feature of the app is great."

Buyer's Guide: Application Security Testing (AST), June 2022. Find out what your peers are saying about Veracode, Checkmarx, PortSwigger and others in Application Security Testing (AST). Updated: June 2022.

Advice From The Community

Read answers to top Application Security Testing (AST) questions.
Evgeny Belenky, PeerSpot (formerly IT Central Station):

Hi peers, I believe many of you have already heard of the recent Log4j/Log4Shell vulnerability that allows attackers to perform remote code execution (RCE). What does it mean for an organization? How can you check you're vulnerable and mitigate/patch it now, if at all? Lastly, what impact do...

Jairo Willian Pereira: One excellent opportunity for the company to test your CMDB/Inventory (at medium…

5 Answers
Charles Race, Manager of Data Processing at New York State Insurance Fund:

I'm choosing an Application Security Testing platform.

My use cases are as follows:

  • SAST
  • DAST
  • Component Scanning
  • Vulnerability auditing
  • Mitigation

What product/solution would you recommend and why?

Thomas Ryan: The first thing you'd want to do is: 1. Look at your application inventory to…

8 Answers
Rony_Sklar, PeerSpot (formerly IT Central Station):

Hi,

Many companies wonder whether SAST or DAST is better for application security testing.

What are the relative benefits of each methodology? Is it possible to make use of both?

Dan Doggendorf: SAST and DAST are not mutually exclusive and should be used in conjunction with…

6 Answers

Application Security Testing (AST) Topics

Why is application security important?

Application security is important because applications that are connected to the cloud or exposed over networks widen an organization's exposure to security breaches and threats. Application security testing reveals those weaknesses so they can be fixed before an attacker finds them.

What are the different types of application security?

The different types of application security include:

  • Authentication is the set of procedures developers build into an application to verify a user's identity, so that only legitimate users gain access to it.
  • Authorization can only happen after authentication. The system verifies that the authenticated user has permission to use the application, or a particular part of it, for example by comparing the user's identity against a list of authorized users.
  • Encryption protects sensitive data from being read or used by a cybercriminal. For cloud-based applications, traffic carrying sensitive data between the end user and the cloud can also be encrypted so that the data stays protected in transit.
  • Logging records who accessed data and how, which is what lets you reconstruct events in the event of a security breach in an application.

What are different application security approaches?

Different approaches uncover different kinds of application security flaws, and some are more effective at particular stages of the development lifecycle.

  • Black-box security audit: No source code is necessary. The running application is tested from the outside, as an attacker would see it, to find security flaws.
  • White-box security review or code review: A security engineer manually inspects the source code of an application to look for security issues. Understanding the application's internals lets the reviewer find vulnerabilities that are unique to that application.
  • Automated tooling: Scanners run automatically during the development or testing process, catching common classes of flaws without manual effort.
  • Design review: Before code is written, the architecture and design of the application are reviewed for security flaws.
  • Coordinated vulnerability platform: Many websites and software providers offer hacker-powered application security programs through which individuals are recognized and compensated for responsibly reporting defects.

What is application security testing?

Application security testing is the part of the software development process that developers use to find and fix security vulnerabilities in a new or updated version of a software application. It is performed continuously throughout the development and production phases of the software development lifecycle, helping bridge the gap between development, operations, and security.

What are application security testing tools?

  • Dynamic Application Security Testing (DAST) exercises a running application and detects a wide variety of technical vulnerabilities; it is an essential part of any application security program. It can continuously and automatically test applications in both production and pre-production environments, so your organization gets a better understanding of the true risk surface of your applications.
  • Static Application Security Testing (SAST) analyzes source code or binaries to remediate critical code vulnerabilities before they become security risks. It lets your organization address high-risk issues earlier and reduce the cost of AppSec remediation by detecting and remediating vulnerabilities before the software is deployed.
  • Mobile Application Security Testing (MAST) applies the same goal to mobile applications, focusing on finding and remediating software security vulnerabilities before the apps move into production.

What are application security testing best practices?

Application security testing best practices include:

  • Educate developers on how to build applications that are secure by design.
  • Help testers identify security issues early, before software goes to production.
  • Adapt business processes to include risk analysis, and use automated tools for in-depth testing and continuous monitoring.
  • Test internal interfaces, not just public APIs and UIs.
  • Treat mobile separately: mobile operating systems, architecture, and development tools differ significantly from traditional web applications, so invest in specialized training and AppSec testing tools for secure mobile app development.
  • Apply AST practices to any third-party code used in your applications.
  • Build an effective API security strategy that includes comprehensive vulnerability scanning of web service APIs, whether public, private, or internal-facing.
  • Practice zero trust: assume all third-party applications are untrusted until validated.
  • Combine DAST and SAST methodologies to achieve effective, long-term risk and cost reduction.

Application Security Testing Tools Features

When doing your research, look for application security testing tools that have the following features:

  • Ease of use: The tool should be easy to use, for beginners and advanced professionals.
  • Flexibility: The tool should be flexible enough to accommodate your needs and allow you to test all aspects of your application.
  • Functionality: A good application security testing tool should offer a wide range of functionality so that you can test every aspect of your application’s security.
  • Reporting capabilities: The tool should generate comprehensive reports detailing the results of the security tests you have run.
  • Price: As with any purchase, the application security testing tool you choose should be affordable without sacrificing quality or features.

Application Security Testing Tools Benefits

Below are several reasons businesses should invest in application security testing tools:

  • Boosts customer satisfaction: Application security testing tools help your organization keep customer data secure and, in turn, build customer confidence.
  • Protection from external attacks and leaks: Application security testing tools protect sensitive data from being exposed by surfacing flaws during the testing process, before the software reaches attackers.
  • Cost savings: Security testing during the SDLC saves costs by highlighting bugs very early on. When a developer can fix bugs sooner in the process, your organization saves both money and time.
  • Reduced risk: When QA teams use application security testing tools, end-user data remains safe. If the security of an application is compromised, an organization risks its reputation.

Disadvantages of Application Security Testing Tools

While application security testing tools have a lot of great features and many benefits, they also have some downsides, including:

  • The results of application security tests may vary in accuracy if not performed correctly.
  • Testing is time-consuming and requires expertise to execute properly.
  • Without appropriate resource allocation, setting up the processes may be difficult or impossible to sustain.