Best Application Security Tools, Software & Solutions

Dan Doggendorf gave sound advice.

Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money but how do you know where to spend it? There are over 5,000 security vendors to choose from.

There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from but at the same time free products are free for a reason.

If your organisation doesn’t have a large team of security experts to research the market and build labs then you need to get outside advice. Good Cyber-advisors will understand your business and network architecture therefore will ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.

Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.

By the way, there are free security products and services that I recommend.

The biggest threat is risks you think you have managed are not managed at all so you and your executive team have a completely false sense of security.  This is even worse than not having any tool in place.  With no tool in place, you at least know you have a vulnerability.

There several ways to ensure a tool is doing what it is supposed to do.

1. Product Selection - when selecting a tool, do not focus on what a tool can do.  Focus on what you want the tool to do.  You drive the direction of the sales demo, not the sales team.

2. Product Implementation - use professional services to implement and configure the solution.  Your team should be right there with them as a knowledge transfer session but the professional who installs and configures the product every day should drive the install, not someone who wants to learn.

3. Trusted Partners - find yourself a trusted partner(s) who can help guide you.  This should consist of product testing labs partners, advisors who live and breathe the space daily, and resellers with a strong engineering team.

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

Refrain from free products

Delete products and traces of product after evaluation

Always know what you want from the cybersecurity solution. Can identify illegal operations of the products if different from its stipulated functions.

Work with recognised partners and solution providers

Download opensource from reputable sites

Open Source or Free products need proper management. Based on my experience I have found that many people who uses open source don't bother to patch them and attackers then utilize such loopholes.

One of the great example one client was using free vulnerability management plus IP scanner. And they got hit with ransomware. During the investigation I realise the attacker utilized the same tool to affect other devices on the network. The attack took his time at least 2 months unnoticed. 

One should 1st have details understanding of what he/she is looking to protect within environment as tool are specially designed for point solution. Single tool will not able to secure complete environment and you should not procure any solution without performing POC within your environment 

As there is possibility that tool which works for your peer organisation does not work in similar way for yours as each organisation has different components and workload/use case

You should build a lab, try the tools and analyze the traffic and behavior with a traffic analizer like wireshark and any sandbox or edr that shows you what the tools do, but all this should be outside your production environment, use tools that has been released by the company provider and not third party downloads or unknown or untrusted sources.

Bogus cybersecurity tools might bring about the data exfiltration, trojan horse 

I like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360.  It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.  

It's understood that internal tool probably shared by Internal Employee as RCA. The tool was used to reset associated Mail Address of account thereby Password Reset of Choice. In MFA of Identity related features, it's more secured on keeping it with associated Mobile Secure Pin or SoftCrypto Code in Future to avoid compromise at this moment is the lesson learned. 

The use of two factor authentication by Twitter

This is one of the Identity theft issue, which means some one hack your password or account and do activity which he she is not suppose to do. basic reason of hack of your identity or password is Social engineering. second reason is system has week privilege access management. If you have less control on admin id or privilege id then enter firm has to suffer along with the customer of that firm. For me the take away of this event is to protect privilege ID and you good PAM PIM tool with two factor and UBA included.  

Span of control, Solid RBAC, Privileged Access Management (PAM) 

Whilst it may appear as though the real solution to a question like yours is to name a particular tool and say it is the best tool in the market because of what an analyst company like Gartner or Forrester says, I would rather ask if you have an Appsec Programme in your organization and what that AppSec Programme is like.

Yes, a tool will help you find the bugs and security vulnerabilities, but a tool or combination of a tool in itself does not solve your security challenges without a proper programme.

In any case, depending on what part of the SDLC you want to introduce a tool into, then it may be easier to recommend a tool. For clarification purposes, you may want to share more light into the time you want to use the tool e.g during QA, Dev, Testing, production or Post-production, also the type of integration needs you have for your CI/CD, language or protocol support that you need to look into, as well as if you are looking at continuously monitoring your systems which you supply to the Airline industry.

A quick look into Gartner Application Security Testing quadrant or Forresters may give you some guidelines with respect to tools alone. but an AppSec programme is very key to the success of whatever tool you acquire.

I use and recommend Micro Focus Fortify for SAST, DAST, and real-time code analysis.

There support 25+ language programming and it integrates into your CI/CD environment for an unbreakable pipeline, i.e.: Jenkins, Jira, and others.

Fortify has a plugin for IDE for Eclipse, Visual Studio, and other IDE's and real-time analysis code is functional, with solutions and best practices.

I don’t know any. Either they do quality checks (which can also contain some vulnerabilities, but not to a great extent) or security scans, but not both, afaik. But my market knowledge is limited.

Burp Suite from PortSwigger (pen testing and vuln scans) and WebGoat from OWASP (code testing) are two that I would recommend. See this article for other recommendations: https://www.csoonline.com/article/3317523/top-application-security-tools-for-2019.html?nsdr=true#tk.twt_cso

It depends if the application is a web app. Does it have a database? Are the systems built to any regulations required for compliance (i.e. CIS benchmarks)? Do you want an automated means to "act" on findings?

My experience said there is no perfect all-in-one product doing its best for SAST, DAST and IAST together. If you're looking on Gartner-remarked products only, the most recent version of Micro Focus Fortify (today is 19.2.1) represents the best combination. If you are price-oriented, and also you don't trust on remarked products, you should take a look to niche players, like Security Reviewer: www.securityreviewer.net offering SAST, DAST, IAST and Software Composition Analyis. Most of my customers use a remarked product and a niche onw together, in order to solve as many false negative as possible.

For vulnerablity, from your requirement, your checking app is for airline industry, i assuem it will be C related. Base on my current usage experience, you can choose Coverity or Klocwork, this 2 tools can support many C related compiler, this will be very important for your application project. And this is main the reason i dont suggest you to chose Fortify, Fortify can support many programe language, but it is not good on C programe compared with Coverity and Klocwork.

For quality check, this is another question, normally commercial static analysis tools already provide some checker for bad practices, it is not big issue.

你们是基于什么语言？我比较推荐parasoft因为它在漏洞扫和描质量检查方面应用在航空公司（民用）都是有案例的，如果需要案例和工具的详细信息请发邮件给我wenya.xia@ruitde.com