
Building the Bridge Between Development and AppSec


Is your development team held up by AppSec reviews that block delivery or deployment with what feels like an endless cycle of rejections and rework after failed security audits? (These reviews are often labelled "red team" work, although a red team exercise is an adversarial simulation rather than an audit of a release candidate.)

Parasoft has a solution for the "us vs. them" paradigm prevalent in many organizations today. Our new dynamic application security testing (DAST) offering integrates Parasoft SOAtest with OWASP ZAP so that your existing functional tests drive penetration-style scanning of the API, including HTTP verb (method) fuzzing.


Sure, some development teams take a "security is not my job" stance. But security should be everyone's concern at every stage of the SDLC: if code fails application security testing and is sent back to development for remediation, it becomes development's job anyway.

Can’t We All Just Get Along?

To create harmony in this situation, Parasoft made it even easier to shift testing for the top security risks left. Teams can add API security testing to existing test suites with a few clicks. When the development team runs the API functional tests, the same tests are reused for API security testing. A color-coded report summarizes the findings so that developers can resolve the defects.

Shift Left API Security Testing

In his well-known 1996 work, Capers Jones quantified how the cost of repairing a defect rises the later in the SDLC it is found. The research is still relevant today; Agile teams simply move through those stages faster. This is where the term "shift left" comes from: software development teams seek to prevent and repair defects earlier in the cycle, where they cost far less to fix.

[Figure: percentage of defects and cost to fix a defect plotted against the stages of the SDLC; the cost to fix rises as the stages progress toward release.]

Encourage your organization to embrace the shift-left approach for API security testing so that development teams can detect and resolve security risks during the development phase. When AppSec or DevSecOps teams perform security and penetration testing, they can use Parasoft's API security solution to drive the scan with the same API tests the developers already run. Here's how:

  • Use the existing API test suite for both functional and security testing through the new DAST integration.
  • If an API test suite doesn't exist yet, use Parasoft SOAtest's smart API test generator to create new tests quickly.
  • Teams already using OWASP ZAP can reuse scan policies from existing deployments, including custom ones.

However teams put the Parasoft API security solution to use, they can reuse API functional tests for API security testing and increase overall application test coverage. One caveat applies to any DAST run seeded this way: the scan only exercises the endpoints, parameters and verbs that the functional suite actually sends, so gaps in functional coverage are gaps in security coverage too.
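The workflow above, reusing functional API tests as the seed for DAST-style verb fuzzing, as an added example that is not Parasoft's or OWASP ZAP's code. It uses only the Python standard library: a constructed in-process target API whose DELETE handler skips the authorization check that POST enforces, two constructed functional test cases in the shape a functional suite would supply, and a fuzzer that replays each case with every HTTP method the endpoint is not meant to accept and reports any that succeeds. The names TargetApp, FUNCTIONAL_TESTS, verb_fuzz and run_verb_fuzz_demo, the bearer token, and the defect itself are all assumptions made for the illustration.

```python
"""Verb fuzzing seeded from functional API tests.

Added example, not Parasoft's or OWASP ZAP's code. A constructed in-process
target is scanned with HTTP methods derived from constructed functional tests.
TargetApp, FUNCTIONAL_TESTS and verb_fuzz are illustrative names.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

VERBS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")
VERBS_WITH_BODY = {"POST", "PUT", "PATCH"}


class TargetApp(BaseHTTPRequestHandler):
    """Constructed sample target: a tiny orders API.

    POST requires a bearer token, but DELETE never checks Authorization. That
    deliberate, constructed defect is what the verb fuzzer should surface.
    """
    orders = {"1": {"id": "1", "item": "widget"}}

    def _send(self, status, body=None):
        payload = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _order_id(self):
        """Return the order id in /orders/<id> if it exists, else None."""
        oid = self.path.rsplit("/", 1)[-1]
        return oid if self.path.startswith("/orders/") and oid in self.orders else None

    def log_message(self, *args):
        pass  # keep the example's output to the findings only

    def do_GET(self):
        oid = self._order_id()
        if oid:
            self._send(200, self.orders[oid])
        else:
            self._send(404, {"error": "not found"})

    def do_POST(self):
        if self.headers.get("Authorization") != "Bearer test-token":
            self._send(401, {"error": "unauthorized"})
            return
        length = int(self.headers.get("Content-Length", 0))
        item = json.loads(self.rfile.read(length) or b"{}").get("item", "unknown")
        oid = str(len(self.orders) + 1)
        self.orders[oid] = {"id": oid, "item": item}
        self._send(201, self.orders[oid])

    def do_DELETE(self):
        # Deliberate, constructed defect: no authorization check, unlike do_POST.
        oid = self._order_id()
        if oid:
            del self.orders[oid]
            self._send(204)
        else:
            self._send(404, {"error": "not found"})


# Constructed seeds in the shape a functional suite would provide: the request
# plus the verbs the endpoint is meant to accept.
FUNCTIONAL_TESTS = [
    {"method": "GET", "path": "/orders/1", "headers": {}, "body": None,
     "allowed": {"GET", "HEAD"}},
    {"method": "POST", "path": "/orders", "body": b'{"item": "gadget"}',
     "headers": {"Authorization": "Bearer test-token",
                 "Content-Type": "application/json"},
     "allowed": {"POST"}},
]

_opener = build_opener(ProxyHandler({}))  # never route loopback traffic via a proxy


def send(base_url, verb, path, headers, body=None):
    """Issue one request and return its status code, 4xx/5xx included."""
    req = Request(base_url + path, data=body, headers=headers, method=verb)
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def verb_fuzz(base_url, seeds):
    """Replay each seed with every verb it should not accept.

    A 2xx/3xx on such a verb means the endpoint honoured a method the
    functional tests never cover; that is reported as a finding.
    """
    findings = []
    for seed in seeds:
        for verb in VERBS:
            if verb == seed["method"] or verb in seed["allowed"]:
                continue
            body = seed["body"] if verb in VERBS_WITH_BODY else None
            status = send(base_url, verb, seed["path"], seed["headers"], body)
            if status < 400:
                findings.append((f'{seed["method"]} {seed["path"]}', verb, status))
    return findings


def run_verb_fuzz_demo():
    """Start the constructed target on a loopback port, fuzz it, stop it."""
    TargetApp.orders = {"1": {"id": "1", "item": "widget"}}  # fresh state per run
    server = HTTPServer(("127.0.0.1", 0), TargetApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return verb_fuzz(f"http://127.0.0.1:{server.server_address[1]}", FUNCTIONAL_TESTS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for seed, verb, status in run_verb_fuzz_demo():
        print(f"FINDING: {verb} on seed '{seed}' returned {status}")
```

Run directly, it reports one finding: DELETE on the GET /orders/1 seed returned 204 without any credentials, while the same request with POST was rejected with 401. The fuzzer only ever touches the paths the functional seeds name, which is the coverage caveat in practice: an endpoint the functional suite never calls is never scanned, and the 501 responses from the unsupported methods are not findings because the server refused them.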

Whichever of these situations applies, Parasoft's DAST solution fits. Check out the API Security Testing Demo video to see how easy it is to add API security penetration testing to existing functional tests.


Written by

Jeffrey Peeples

Jeff Peeples is a Senior Product Manager at Parasoft, leading the functional platform direction for SOAtest, Virtualize, and CTP. Jeff has extensive experience defining solutions and developing roadmaps for enterprise industries including energy, financial technologies, and travel/hospitality.
