What can Application Security Testing add to DevOps programs?

The adoption of DevOps practices by organizations to shorten the standard development lifecycle has put new pressure on security teams to keep up with the pace of development within CI/CD pipelines. In order to accomplish this, security teams need to provide better security insights to developers so that fewer vulnerabilities are introduced, those that make it in are detected earlier and they are resolved quickly.

When, in an ideal situation, application security testing is introduced to CI/CD pipelines, the testing methods should prioritize finding the most important vulnerabilities, avoid false positives and focus on the most recent code changes between builds. Once these vulnerabilities are then found, they would be reported to development teams in ways that are easy to track and resolve.

IBM AppScan Enterprise helps organizations identify the highest web application security issues using dynamic application security testing (DAST). Using IBM AppScan allows organizations to easily bring DAST testing into the standard development lifecycle (SDLC) because these high priority vulnerabilities can then be the focus on development team’s remediation efforts. With ThreadFix, security teams can actually combine and correlate multiple DAST scan results with results from static application security testing (SAST) for a consolidated view of their applications and vulnerabilities.

When integrated together through the REST API, ThreadFix can schedule automated scans through IBM AppScan, prioritize the vulnerabilities found across scan results and easily export them to the defect tracking tools used by development teams. This provides a more comprehensive security coverage for the organization while maintaining the pace of development through the CI/CD pipeline.