Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer's Guide to App Sec Scanning Tools

  • Tuesday, 12 Sep 2017 1:00PM EDT (12 Sep 2017 17:00 UTC)
  • Speakers: Barbara Filkins, Joe Pelletier

Cloud computing has shifted the focus of application security away from security specialists in IT operations, who used to scan for flaws after an application was finished, and into the hands of developers. DevOps and other continuous development methods are moving responsibility for quality and security to developers rather than operations people who scan for flaws after an application is finished, according to the 2015 and 2016 SANS Application Security Surveys. Those surveys showed only 22% of development organizations did their own security assurance in 2015; a year later, their ranks had grown to 30%.

Securing a web app across its life cycle is fundamentally different from securing an app born inside a secure perimeter. Sophisticated tools designed to scan running applications in their native environments are more complex, and harder to choose among, than old-fashioned vulnerability scanners. The threat they're designed to counter is also more intensive and more pervasive, making the choice of tools more important than it was when application security could afford to be treated as an afterthought.

The tools and requirements have changed so quickly that even the process used for selecting the correct tool is no longer adequate.

SANS expert Barbara Filkins will walk you through the decision process, laying out the major market segments and identifying the must-have tool functions for specific roles in the development, testing and maintenance of software throughout its lifetime. She'll also help identify the types of tools that are most cost-efficient based on impact, functionality, the need for additional training, applicability to given computing platforms and other factors.

We can't offer a generic RFP template that you can copy/paste and email to suppliers, but we'll get as close as we can.

Sign up for this webcast and learn how to do due diligence on procuring app sec scanning and analysis tools.

We'll cover:

  • How to identify the best sets of requirements for specific job roles;
  • Levels of automation and required expertise needed with certain tools -- and when each might be a benefit;
  • Guidelines on how to develop proofs of concept and best-practice guides, and how to identify frequent pitfalls.

SANS won't tell you what tool to buy, but can show you what questions to ask, including:

  • How to weight responses based on your organization's priorities;
  • How to build a use case relevant to current development and testing -- with a mix of waterfall and agile processes; and
  • How to put together a detailed set of criteria you can use to help make the right decision and ensure you took the best route to get there.

Sign up and you'll be among the first to receive the associated whitepaper, with full analysis and explanation of these and other AppSec/vulnerability scanning issues, by report author and SANS expert Barbara Filkins.