Application Security Testing FAQs
What is White Box Testing/Static Code Analysis?
Simply put, white box testing is looking at software risks (security + quality) from the inside-out. This type of review analyzes the code and code-level artifacts as the main source for testing. The ability to read code in each of the languages being analyzed is essential to performing white box testing. This is why, inside development organizations, this type of testing commonly defaults to software engineers rather than the quality assurance (QA) testing department. QA commonly handles the other side of testing, “black-box” testing, which looks at software risks (security + quality) from the outside-in.
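To make the inside-out distinction concrete, the following is an added example and not PSC's code or tooling: a toy static analyzer that walks a Python abstract syntax tree and flags three patterns a code-level reviewer would look for (dynamic code execution via eval/exec, subprocess calls with shell=True, and weak hashlib digests). The source it scans is a constructed sample embedded in the block; the rule names and finding format are assumptions of this example. A black-box tester only sees the running application's behaviour; a white-box check like this sees the exact line where the risk originates.

```python
"""Minimal white-box (static) check: walk a Python AST and flag risky calls.

Added illustration, not PSC's inGenium platform or any real product's rules.
"""
import ast

# Constructed sample source for demonstration purposes only.
SAMPLE_SOURCE = '''
import subprocess
import hashlib

def run(cmd):
    return subprocess.call("ls " + cmd, shell=True)

def load(expr):
    return eval(expr)

def digest(data):
    return hashlib.md5(data).hexdigest()

def safe(cmd):
    return subprocess.call(["ls", cmd])
'''

# Hypothetical rule sets for this toy checker.
DANGEROUS_BUILTINS = {"eval", "exec"}
WEAK_HASHES = {"md5", "sha1"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as hashlib.md5, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_risky_calls(source):
    """Parse `source` and return sorted (line, rule, detail) findings."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        if name in DANGEROUS_BUILTINS:
            findings.append((node.lineno, "dynamic-code", f"call to {name}()"))
        elif name.startswith("subprocess."):
            # Only flag when shell=True is passed explicitly as a literal.
            for kw in node.keywords:
                if (kw.arg == "shell"
                        and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "shell-injection",
                                     f"{name}(..., shell=True)"))
        elif name.startswith("hashlib.") and name.split(".")[-1] in WEAK_HASHES:
            findings.append((node.lineno, "weak-hash", f"use of {name}()"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, detail in find_risky_calls(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {detail}")
```

Running the block reports three findings from the sample (the shell=True call, the eval call, and the MD5 digest) and nothing for the `safe` function that passes an argument list, which is the kind of line-level, fix-ready output white box analysis produces and black-box testing cannot.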
If I already have an SSL certificate, why do I need additional certification?
The world of developing safe and secure software would be a much safer and easier place if all it took was an SSL certificate to negate all application security risks, and we wish it were true. Unfortunately, SSL only ensures that the data being transmitted between the browser and the web server is encrypted. Application security ensures that the software residing on either side of that communications link doesn’t allow other exploits to circumvent the SSL connection. In today’s technology environment there are hundreds or thousands of possible connections from other resident applications on either side of that SSL connection that, if breached, could render your SSL certificate irrelevant. We could write a chapter on this, but for the sake of brevity we hope this answers the question and would love to discuss it further if you contact us.
I am already a security expert, could I test my applications myself?
Absolutely, and you should! Security experts leverage PSC’s services and technology to take advantage of the following:
- Leverage 2 – 20 application security technologies at one time, which gives you the most security coverage available on the market.
- PSC has analyzed billions of lines of code, and our expertise is used to your advantage.
- PSC will increase your productivity by freeing you up to do your five other jobs while we do the heavy lifting of sifting through a large data set to produce actionable results, so your organization can realize a quick and immediate return.
How is the service priced?
Each testing engagement is unique and priced based on your software’s unique security and quality risk signature. We work closely with our clients to determine the appropriate breadth and depth of analysis required based on the system’s level of risk determined by domain experts.
For first time customers, PSC offers a free QuickCheck service which provides us intelligence on the level of security risks in the system and allows us to collaborate with our new client on pricing. The fundamentals of pricing are driven by the volume and types of data resulting from initial scans of the software.
For long term customers, PSC offers a subscription service making it easy to realize the long term benefits of sustained isometric application security testing.
Are you able to ensure that all security defects have been identified?
The short answer is “no”, and you should run, not walk, away from any company that answers this question “yes”.
It’s not our opinion, but rather the opinion of our customers, that PSC offers an unprecedented level of application security coverage by leveraging more than one technology for any service engagement. The National Security Agency (NSA), an authority in this space, independently tests application security technologies and has consistently concluded that, on average, the best ones on the market identify 20 – 30% of possible application security vulnerabilities.
PSC’s inGenium APPSEC intelligence platform enables you to leverage 20+ technologies at once, increasing your application vulnerability coverage.
Finally, software is always evolving and the techniques used to compromise applications change every day. We believe our services and technology provide state-of-the-art capabilities to secure your applications.
Is there a chance that the tests could crash my application?
No. However, the result of such testing will cause your engineers to make changes to the code which may result in other defects being introduced. Every customer’s software process and maturity is different and their ability to handle rapid change is unique. Your mileage will vary on this but the tests themselves will not cause your application to crash.
How often should I have my application tested?
The answer is highly dependent on the frequency of change, the risk profile of the application, the integration of application security testing into your DevOps process, schedule and budget. Best practice would say the application should be scanned with every change so that aggregated metrics can be tracked. We are fans of this, but we also realize not every organization has the spare cycles to do this organically. This is where PSC’s ROI is most powerful: a turnkey service that injects actionable results into your organization without negatively impacting productivity.
We like to think that we’re so fun to be around and the information we produce is so deadly accurate that our customers will want us involved with every release.
What types of reports will I receive after my free QuickCheck?
We provide several different types of reports. We provide an executive-level report, with charts and graphs, so executives can easily and quickly assimilate the information. We also provide detailed technical reports for the technical audience; these make our reports actionable, and the organization can realize an immediate return by treating them as “click & fix”.
Do you suggest fixes?
Yes, but they are not documented. In the follow-up meeting we discuss the solutions in more detail than we could by attempting to document them. Often there are several different methods to fix a defect; we merely present the options to our customers and let them determine their next course of action.
Once the report is given to the customer, can they contact PSC for additional questions?
Absolutely. Our team is available to our clients and we offer online support. Our goal is to do the heavy lifting for our customers and to provide expert support to answer questions and to ensure the organization realizes a benefit to securing their software and improving its reliability.