Think You Can’t Afford Code/App Testing? Think Again...

Thursday, May 19, 2011

Brent Huston

E313765e3bec84b2852c1c758f7244b6

According to this article, most companies skimp on third-party code checks.

Over the years, in our application testing services, we have found a variety of reasons why people skip code review and even application testing from a blackbox standpoint. The main objection we hear is cost.

The cost of code review is often quite a bit higher than they expect. In some cases, we have seen where code review quotes from some vendors have been as much as 40% of the total development costs!

Now, that said, things are shifting.

Today, you have a plethora of code review automation tools and source code scanners. These tools make an easy way to pick the low hanging (and sometimes higher, depending on language/complexity & tool variables) vulnerabilities out of your code long before it is exposed to malicious outsider/insider contact.

(You do have a DEV and QA environment, now, right? Hint, Hint!) A quick list of code scanning tools is here.  Even more are available.

For example our favorite PHP scanner, SandCat Hybrid is not on the list yet, but is widely available and used today. Pricing for some of these tools varies from FREE (like beer AND like speech) to hundreds of thousands of dollars per year.

With a little research work, you can likely find a tool to meet your needs. Need help picking a tool? Just drop us a line, we would be happy to help.

Having a tool is one thing, using it and applying what you learn is another. You will need to create processes to make use of the tool. You will need to define where in your development and product purchasing processes the assessments should take place.

You will need someone to run the tool and analyze the results. You will need someone to help work with the developers to make sure that any identified weaknesses are mitigated or that compensating controls are employed appropriately to minimize any defects not cost effectively fixed.

This takes time, skill, knowledge and talent. However, if you want this skill ad-hoc or via a subscription, both are available from MicroSolved. Just drop us a line or give us a call and we can work together to design a toolset and skill set appropriate to your needs.

Using this approach, you don’t have to be one of the firms ignoring code review and application testing. You CAN afford to perform testing prior to product launch, deployment or upgrades. We can help you design a solution that fits your business needs and your risk tolerance.

Rise above your competitors (who are likely in that 65% of companies NOT doing testing) and begin offering software and products that have been assured to protect their privacy. We can help and together, we can make it safer for all of us online.

Cross-posted from State of Security

Possibly Related Articles:
13078
Webappsec->General
Testing Code Review Application Security Scanners Tools Source Code
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.