The study found 8 different problem areas for developers with regard to Application Security. The largest problem, according to 89.7% of respondents, was a disconnect between developer and security workflows. In addition to this problem, there were seven other problem areas, each flagged by over 80% of respondents.
From most to least troubling, the remaining seven are:
- Performing security tests too late in the development cycle (88.7%)
- A lack of remediation guidance (87.7%)
- Poor quality of security testing results (86.2%)
- Vulnerability patching that requires additional updates to connected code (85%)
- A lack of dev friendly code analysis tools (84.4%)
- Too much reliance on manual security processes (82.1%)
- Speed of security testing software (81.3%)
The results of the study seem to indicate that we need to find ways to make Application Security easier and more informative for developers. K2 Cyber Security can help address the issues around the lack of remediation guidance and the poor quality of security testing results. K2 Cyber Security Platform adds visibility into the threats discovered by penetration and security testing tools and can also find additional vulnerabilities during testing that those tools may have missed. K2 can pinpoint the exact location of the discovered vulnerability in the code. When a vulnerability is discovered (for example, SQL Injection, XSS or Remote Code Injection), K2 can disclose the exact file name along with the line of code that contains the vulnerability, details that testing tools typically are unable to provide, enabling developers to start the remediation process quickly.
K2 Cyber Security Platform offers two use cases: the first, described here, is additional visibility during pre-production (development) penetration testing; the other is runtime protection for applications in production. In the second use case, K2 offers a runtime protection solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation and verifies that the API calls are functioning the way the code intended. It makes no use of prior knowledge about an attack or the underlying vulnerability, which gives our approach the ability to detect new zero-day attacks. Our technology has 8 patents granted/pending and produces minimal false alerts.
Get more out of your application security testing, change how you protect your applications, and check out K2’s application workload security solution.