Few would argue that application security isn't a critical component of an overall cybersecurity strategy. Software is at the heart of everything we do, at work and in our personal lives, and as a result the state of software security has very real consequences for people and their machines.
That said, application security isn’t easy, in part because doing it right means building a well-thought-through vulnerability scanning strategy, one that covers the entirety of the software development lifecycle. From code that developers build to open source components to containers to applications in production, there’s a lot of work to be done in terms of identifying issues that might put an application at risk.
Given this, it's not surprising that security gaps exist. In fact, in a study ZeroNorth published in October, we shared data showing that most companies lack a comprehensive application security program. Some use SCA, SAST, DAST or container scanning tools, but it is rare to find an organization that has several, let alone all, of these capabilities in place.
While the sporadic-scanning approach may be commonplace today, we see more and more companies looking to build a strategy aimed at driving continuous and comprehensive vulnerability scanning. These strategies are important and take time, primarily because evaluating, testing and onboarding new scanning tools cannot be done overnight.
If security gaps exist—and filling these gaps takes time—then what? To answer that question, today ZeroNorth launched a new solution for Rapid Application Security. Thanks to open source security scanning tools embedded directly within the ZeroNorth platform, companies can leverage new vulnerability discovery capabilities—and quickly. Since the tools are embedded within the platform, deployment and management of the tools are incredibly simple, too.
The value of the solution is that it enables customers to leverage open source security scanning tools today, while continuing to focus on the more rigorous evaluation of commercial tools as well. In other words, you can use the ZeroNorth solution for Rapid AppSec to quickly fill security gaps while a longer-term strategy—likely centered on commercial scan tool deployments—moves forward.
Specific open source tools delivered as part of the solution include:
- OWASP Dependency Check (Recheck) for software composition analysis (SCA)
- Bandit, Brakeman and SonarQube for static application security testing (SAST)
- Aqua Trivy, Clair and Docker Content Trust for container security
- OWASP ZAP for dynamic application security testing (DAST) of deployed web applications
- Prowler and ScoutSuite for AWS cloud security testing, alongside AWS Security Hub (an AWS-managed service rather than an open source tool)
If you’re building out a more robust application security strategy but need some stopgap measures as your commercial tool selection process moves forward, check out what ZeroNorth has to offer. We think there are some great capabilities you can deploy—quickly!—to help build and bolster your long-term security program. If you’d like to see our platform in action, feel free to request a demo.