Building the Bridge Between Development and AppSec
By Jeffrey Peeples
October 28, 2021
Is your development team held up by “Red Team” style AppSec reviews that block delivery or deployment with seemingly endless rejections and rework after failed security audits?
Parasoft has a solution for the Us vs. Them paradigm prevalent in many organizations today. Our new dynamic application security testing (DAST) offering integrates Parasoft SOAtest with OWASP ZAP so that the functional tests you already run also drive penetration-style scans, including HTTP verb fuzzing, against the same API endpoints.
Sure, some development teams may take a “security is not my job” stance on the matter. But security should be everyone’s concern at every stage of the SDLC: if code fails application security testing and gets sent back to development for remediation, it quickly becomes development’s job anyway.
Can’t We All Just Get Along?
To create harmony in this situation, Parasoft made it even easier to shift testing for the top security risks left. Teams can add API security testing to existing test suites with a few clicks: when the development team runs the API functional tests, the same tests are reused for API security testing. A color-coded report summarizes the findings so that developers can resolve any defects.
Shift Left API Security Testing
Capers Jones’s well-known 1996 work quantified how much more a defect costs to repair the later in the SDLC it is found. That research is still relevant today; Agile teams simply move through the cycle faster. This is where the term “shift left” comes from: software development teams seek to prevent and repair defects earlier in the cycle, where they cost far less to fix.
Encourage your organization to embrace the shift-left approach for API security testing so that development teams can detect and resolve security risks during the development phase. When AppSec or DevSecOps teams perform security and penetration testing, pen testers can use Parasoft’s API security testing tool to exercise API functionality as well. Here’s how:
- Use the current API test suite for functional and security testing with the new DAST integration.
- If an API test suite doesn’t exist yet, use Parasoft SOAtest’s smart API test generator to create new tests quickly and easily.
- Teams already using OWASP ZAP can also reuse scan policies from existing deployments, including custom ones.
However teams put the Parasoft API security solution to use, they can reuse API functional tests for API security testing and increase overall application test coverage.
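To make concrete what it means to reuse a functional API test suite for the “verb fuzzing” mentioned above, here is an added example in Python using only the standard library. It is not Parasoft or OWASP ZAP code: it replays every endpoint that a functional suite exercises with HTTP verbs the suite never sent, and flags any verb the server accepts with a 2xx. The functional test list, the `/api/orders` and `/api/users/42` endpoints and the in-process toy server (which deliberately accepts an unauthenticated DELETE on `/api/orders`) are all constructed for this demonstration.

```python
"""Verb fuzzing seeded from a functional API test suite (added example, stdlib only).

Constructed demo: a toy HTTP API with one deliberate misconfiguration, a functional
suite that passes against it, and a fuzzer that reuses the suite's endpoints to find
verbs the functional tests never covered but the server still accepts.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed functional suite: (method, path, expected status). These are the
# only requests a developer's functional run would ever send.
FUNCTIONAL_TESTS = [
    ("GET", "/api/orders", 200),
    ("POST", "/api/orders", 201),
    ("GET", "/api/users/42", 200),
]

# Verbs to replay against each endpoint the suite touches. HEAD/OPTIONS are left out
# because a 2xx on them is normal and would only add noise.
FUZZ_VERBS = ("GET", "POST", "PUT", "PATCH", "DELETE", "TRACE")


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Toy API (constructed). /api/users/42 correctly rejects every verb but GET;
    /api/orders is misconfigured and honours DELETE without any authentication."""

    ALLOWED = {
        "/api/orders": {"GET": 200, "POST": 201, "DELETE": 204},  # DELETE is the bug
        "/api/users/42": {"GET": 200},
    }

    def _handle(self):
        allowed = self.ALLOWED.get(self.path)
        if allowed is None:
            self.send_response(404)
            self.end_headers()
            return
        status = allowed.get(self.command)
        if status is None:
            self.send_response(405)
            self.send_header("Allow", ", ".join(sorted(allowed)))
            self.end_headers()
            return
        body = b"" if status == 204 else b"{}"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Route every verb through the same dispatcher so TRACE/PUT/etc. reach it.
    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = do_HEAD = do_OPTIONS = do_TRACE = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def send(base_url, method, path):
    """Issue one request and return the status code (4xx/5xx are not exceptions here)."""
    req = urllib.request.Request(base_url + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_functional(base_url, functional_tests):
    """The developer's normal run: every (method, path) must return its expected status."""
    return all(send(base_url, m, p) == exp for m, p, exp in functional_tests)


def verb_fuzz(base_url, functional_tests, verbs=FUZZ_VERBS):
    """Reuse the functional suite as the seed list: for each path it exercises, send the
    verbs it never sent and flag any that the server accepts (2xx)."""
    exercised = {}
    for method, path, _ in functional_tests:
        exercised.setdefault(path, set()).add(method)
    findings = []
    for path, seen in sorted(exercised.items()):
        for verb in verbs:
            if verb in seen:
                continue
            status = send(base_url, verb, path)
            if 200 <= status < 300:
                findings.append((verb, path, status))
    return findings


def demo():
    """Start the toy API on a free localhost port, prove the functional suite passes,
    then fuzz verbs. Returns the findings so a CI gate can fail on a non-empty list."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        if not run_functional(base_url, FUNCTIONAL_TESTS):
            raise RuntimeError("functional suite must pass before fuzzing")
        return verb_fuzz(base_url, FUNCTIONAL_TESTS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for verb, path, status in demo():
        print(f"FINDING: {verb} {path} -> {status} (verb not in functional suite but accepted)")
```

The functional suite passes cleanly, which is exactly why this misconfiguration survives a normal development run; only replaying the suite's own endpoints with the verbs it never sent exposes the unauthenticated DELETE. In a real pipeline the seed list would come from the recorded functional traffic rather than a hand-written table, and the fuzzer would run behind the same proxy so both results land in one report.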
For any situation, Parasoft’s DAST solution is ideal. Check out the API Security Testing Demo video to see how easy it is to add API security penetration testing to existing functional tests.