5 essentials of cloud-based application security testing

This is a question often asked by proponents of the cloud movement. In this article, I will highlight what, how, why, and when to choose a cloud-based approach for application security testing through the five essential factors.

Cloud-based (aka on-demand) application security testing is a relatively new type of testing in which the applications are tested by a solution/tool/scanner hosted in cloud. It differs from traditional application security testing in a few ways.

1. Traditional application testing requires on-premises tools.
2. While the goals are similar (finding bad stuff), cloud-based testing provides a more scalable, faster, and more cost effective choice. However, it may not be the best fit if you want to go for depth and robustness; in which case static analysis, manual ethical hacks, and architecture risk analysis could be a better choice.

As more and more applications are being deployed in cloud, serving all kinds of end points, I have observed a shift of focus from “securing applications” to “securing applications fast, at scale.” Cloud-based application security testing is real and answers many of the questions asked by senior personnel across large enterprises and SMBs alike.

How does cloud-based application security testing work on a high level?

The application to be scanned is either uploaded (usually done for mobile applications, thick clients, or static code analysis) or a URL (Uniform Resource Locator) is entered into an online portal. If required, authentication workflows are provided by the customer and recorded by the scanner. For internal applications, appropriate network exceptions are needed so the scanner can access the application.  The customer then configures, customizes, and initiates the test. Upon completion, the scanner provides the test results with a detailed findings description and remediation guidance.

The five essentials

Here are the five essentials to be considered while adopting a cloud-based application security testing strategy:

1. Scale – The solution needs to scale rapidly with evolving business needs without causing configuration and performance issues.
2. Availability – With global teams working around the clock together, the online solution should be available 24/7. This calls for strong application portfolio management via a centralized dashboard with features for effortless collaboration.
3. Speed – The scanner should be fast with short turnaround times and have the ability to run parallel scans. This is needed especially when most of the organizations are adopting agile methodologies.
4. Quality – Perhaps the most important factor—the scanner—should perform accurate scans and be able to make triaging of false positives and false negatives simple and fast. The reporting should include contextual, actionable guidance—empowering developers to resolve identified issues.
5. Cost – Agile methodologies not only require rapid scanning, they also require multiple iterations of security testing. These iterations should not incur undue incremental costs.

Cloud-based vs. traditional application security testing

Every organization has different needs and goals. I cannot recommend one method over another without understanding the nitty-gritty of the specific case at hand. However, apart from the five essentials I’ve mentioned here, I’d also consider a few additional points:

Cloud-based application security testing could be a better fit for:

• A large application base
• Low to medium risk applications
• Organizations with a strict budget and time restrictions