
Shopping for an AppSec testing solution? Here is what to consider

April 6, 2021
Admir Dizdar

Let’s face it: whether you are checking your email, banking online, shopping for new shoes, or doing serious business, there is a very good chance you are doing it through your web browser. Organizations use the convenience of web applications to reach you, but that convenience does not come without risk.

As more businesses shift to web apps, those apps become more attractive targets for cyber criminals. So, what can you do to stay one step ahead of bad actors? Automate.

In this article we introduce three key features to look for when shopping for an AppSec and API testing automation tool:

Integrating early into the SDLC

Development teams have used automation for years to streamline manual activities such as build, deployment and functional testing, and it is time security testing joined the mix.

By integrating automated security validation into the continuous integration/continuous delivery (CI/CD) pipeline, you catch vulnerabilities sooner, reducing the potential risk and financial impact.

According to NIST (the National Institute of Standards and Technology), fixing a security defect once it has made it to production can cost up to 60 times more than fixing it during development.

Additionally, the time it takes to fix a security issue once it is discovered has increased. According to Veracode’s “State of Software Security” report, the average time to fix a software defect has gone from 59 days ten years ago to 171 days. Instead of being remediated during the development cycle, the vulnerability sits in production for almost half a year.

SAST tools have traditionally integrated earlier in the SDLC because they only need source code, while DAST needs a running application to test. Modern DAST tools are catching up and can be wired in as early as the build phase, provided the pipeline stands up a test instance of the application (a container or an ephemeral staging environment) for the scanner to target.
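A pipeline gate is what turns a scan into a build-breaking check. The following is an added example written for this page, not part of the original post and not Bright’s CLI or report format: it reads a generic JSON list of findings (a constructed layout; map your scanner’s real export onto it), fails the build on findings at or above a severity threshold, and keeps a baseline file of risk-accepted finding ids so that only new problems block the pipeline. The target host, finding ids and names are assumed sample data.

```python
"""CI quality gate for DAST results.

Added example, not Bright's CLI or report format: the JSON layout below is a
constructed, generic scanner export (a list of findings with an id, a severity
and a location). Map your scanner's real export onto it.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample export, as a scanner might write it per pipeline run.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.test",  # assumed test target
    "findings": [
        {"id": "f-1001", "severity": "high", "name": "SQL injection",
         "method": "POST", "path": "/api/login"},
        {"id": "f-1002", "severity": "medium", "name": "Missing CSP header",
         "method": "GET", "path": "/"},
        {"id": "f-1003", "severity": "low", "name": "Verbose Server header",
         "method": "GET", "path": "/"},
        {"id": "f-1004", "severity": "critical", "name": "Path traversal",
         "method": "GET", "path": "/api/files"},
    ],
})

# Constructed baseline file: finding ids whose risk has been formally accepted,
# one per line, with the reason and ticket kept as a trailing comment.
SAMPLE_BASELINE = """\
# Accepted findings; review each entry at its expiry date.
f-1002  # CSP rollout tracked in SEC-42, accepted until 2021-06-30
"""


def load_baseline(text):
    """Parse the baseline format above into a set of accepted finding ids."""
    accepted = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            accepted.add(entry)
    return frozenset(accepted)


def evaluate_gate(report_json, fail_at="high", baseline=frozenset()):
    """Decide whether a scan report should fail the build.

    Returns (should_fail, new_blocking, suppressed, counts). A finding blocks
    the build when its severity is at or above `fail_at` and its id is not in
    `baseline`; accepted findings are returned as suppressed so they stay
    visible in the log rather than silently disappearing.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at.lower()]
    new_blocking, suppressed = [], []
    counts = Counter()
    for finding in report["findings"]:
        sev = finding["severity"].lower()
        if sev not in SEVERITY_RANK:
            # Fail closed: an unknown severity is a parsing problem, not a pass.
            raise ValueError(f"unknown severity {sev!r} in finding {finding['id']}")
        counts[sev] += 1
        if SEVERITY_RANK[sev] < threshold:
            continue
        if finding["id"] in baseline:
            suppressed.append(finding)
        else:
            new_blocking.append(finding)
    return bool(new_blocking), new_blocking, suppressed, counts


def main(argv):
    """usage: gate.py [report.json [baseline.txt]]; with no args the sample runs."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    baseline_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_BASELINE
    fail, blocking, suppressed, counts = evaluate_gate(
        report, fail_at="high", baseline=load_baseline(baseline_text))
    print("findings by severity:", dict(counts))
    for f in suppressed:
        print(f"suppressed (accepted): {f['id']} {f['severity']} {f['name']}")
    for f in blocking:
        print(f"BLOCKING: {f['id']} {f['severity']} {f['name']} "
              f"at {f['method']} {f['path']}")
    return 1 if fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as the last step of the pipeline job that scans the freshly deployed build; a non-zero exit fails the job. Keeping the baseline in the repository, with a reason and an expiry per entry, makes risk acceptance reviewable in the same pull-request flow as the code, and unknown severities raise rather than pass so a changed export format cannot silently turn the gate green.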

Low number of false positives

We all know the story about the boy who cried wolf.

The tale tells the story of a shepherd boy who repeatedly tricks nearby villagers into thinking a wolf is attacking his town’s flock. When a wolf actually does appear and the boy again calls for help, the villagers believe that it is another false alarm and the sheep are eaten by the wolf.

What if the same happens in application security? Amid all the false positives and false alarms, you could overlook a serious, real vulnerability that is exploitable. And even if you miss nothing, you end up spending hundreds of hours working out which findings are real.

It is crucial to find a tool that returns as few false positives as possible. We at Bright automatically validate every finding before reporting it to you, so that you spend your time and resources on remediating real, exploitable vulnerabilities.

Simple usage

One of the problems automation solves is the huge global shortage of security professionals. A tool that requires a dedicated team of security specialists to operate defeats that purpose. To see the real benefits of automation, you need a tool that your existing teams will like and know how to use.

Not even the best AppSec Testing tool is useful if your team is not going to use it.

That is why we at Bright built our tool from the ground up with developers in mind. Developers do not have to leave the environment they already use and can configure and start a scan from code, and the UX is simple enough that other teams, such as QA, will enjoy using it too.

Want to see how Bright addresses the mentioned issues? Talk to sales, or try it now for free.

Application security testing with Bright

Bright enhances DevSecOps at its core, with a dev-first approach to testing your web apps and APIs.

Key features of our technology include:

  • Shallow learning curve: to establish a culture of security testing across your pipelines
  • Built for Developers: We empower developers to detect and fix vulnerabilities on every build, enabling them to leverage multiple discovery methods to initiate a scan, including:
    • Crawling – for full automation
    • HAR files – generated per build/commit for scope-defined testing, or by QA automation
    • OpenAPI (Swagger) files or Postman Collections – to test APIs or Single Page Applications
  • Smart Scanning functionality: leveraging sophisticated algorithms to carry out the right tests against the target, removing complexity for developers whilst ensuring scans are automatically optimized to maximize speed and prevent development drag
  • Built for Modern Technologies: Microservices, Single Page Applications, APIs (SOAP, REST, GraphQL) are all supported 
  • No False Positives: The only tool with fully automated validation of every vulnerability detected, freeing up valuable time for your security team and saving a considerable amount of money, to release fast and be secure by design
  • Seamless Integration: REST API, CLI for developers, or with common tools such as CircleCI, Jenkins, Jira, GitLab, GitHub, Azure DevOps and more
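Of the discovery methods listed above, per-build HAR files are the one most often mishandled: a HAR recorded by QA automation contains every request the browser made, including analytics, CDNs and other third-party hosts you are not authorised to scan. The following is an added example written for this page, not Bright’s own tooling, showing how to scope such a file before handing it to any scanner. The HAR content, the host names (example.test and others) and the ids are constructed sample data.

```python
"""Scope a QA-generated HAR file to the application under test.

Added example, not Bright's own tooling. A HAR recorded by browser automation
(Playwright, Cypress, Selenium behind a proxy) contains every request the
browser made. This keeps only entries for in-scope hosts, drops static assets,
collapses repeated calls to the same endpoint and returns the scoped HAR plus
a summary of what was kept and dropped.
"""
import json
import re
from urllib.parse import urlsplit

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff", ".woff2", ".ico", ".map")
# A numeric or UUID path segment is treated as an identifier, so that
# /orders/1042 and /orders/1043 count as one endpoint.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def _entry(method, url, headers=(), post=None):
    """Build a minimal HAR 1.2 entry (helper for the constructed sample)."""
    req = {"method": method, "url": url,
           "headers": [{"name": n, "value": v} for n, v in headers]}
    if post is not None:
        req["postData"] = {"mimeType": "application/json", "text": post}
    return {"request": req, "response": {"status": 200}}


# Constructed sample HAR; all host names are assumed for this example.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "qa-suite", "version": "0"},
    "entries": [
        _entry("GET", "https://app.example.test/"),
        _entry("GET", "https://app.example.test/static/main.js"),
        _entry("POST", "https://api.example.test/v1/login",
               [("Content-Type", "application/json")], '{"user":"qa","pass":"x"}'),
        _entry("GET", "https://api.example.test/v1/orders/1042", [("Authorization", "Bearer t")]),
        _entry("GET", "https://api.example.test/v1/orders/1043", [("Authorization", "Bearer t")]),
        _entry("GET", "https://www.google-analytics.com/collect?v=1"),
        _entry("GET", "https://cdn.example.net/lib.js"),
        # Looks related but is a different registrable domain; a substring or
        # bare endswith("example.test") check would wrongly put it in scope.
        _entry("GET", "https://notexample.test/"),
    ]}}


def host_in_scope(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def endpoint_key(method, url):
    """Normalise a request to 'METHOD scheme://host/path' with ids templated."""
    p = urlsplit(url)
    path = "/".join("{id}" if ID_SEGMENT.match(s) else s for s in p.path.split("/"))
    return f"{method.upper()} {p.scheme}://{p.netloc}{path}"


def scope_har(har, allowed_hosts):
    """Return (scoped_har, sorted endpoint keys, [(reason, url), ...] dropped)."""
    allowed = {a.lower() for a in allowed_hosts}
    kept, dropped, seen = [], [], set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        p = urlsplit(req["url"])
        if not host_in_scope(p.hostname or "", allowed):
            dropped.append(("out-of-scope host", req["url"]))
            continue
        if p.path.lower().endswith(STATIC_EXT):
            dropped.append(("static asset", req["url"]))
            continue
        key = endpoint_key(req["method"], req["url"])
        if key in seen:
            dropped.append(("duplicate endpoint", req["url"]))
            continue
        seen.add(key)
        kept.append(entry)
    scoped = {"log": {**har["log"], "entries": kept}}
    return scoped, sorted(seen), dropped


if __name__ == "__main__":
    scoped, endpoints, dropped = scope_har(SAMPLE_HAR, ["example.test"])
    print(json.dumps(scoped, indent=1))
    print("in-scope endpoints:", *endpoints, sep="\n  ")
    print("dropped:", *[f"{r}: {u}" for r, u in dropped], sep="\n  ")
```

The scoped output deliberately keeps the session cookies and Authorization headers that QA automation used, because the scanner needs them to reach authenticated functionality; treat the file as a secret pipeline artifact, not a public build log. The scope check matches on a dot boundary rather than a substring so that notexample.test, or any attacker-registered name that merely contains your domain, cannot end up in the target list.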
