Published: 28 Oct 2014
There was a time not long ago when enterprise application security went totally ignored by information security teams. Attackers, however, have long since realized how easy it can be to find that one enterprise application that wasn't patched correctly. The result? An application flaw that's been widely known for years gets exploited, giving an attacker unchecked access to sensitive data.
To that end, an increasing number of enterprises now rely on a broad field of application security products to scan their application code, identify vulnerabilities and even defend applications that need extra protection.
In our 2014 Readers' Choice Awards, we recognize three outstanding Application Security products, as rated by our readers.
Winner: QualysGuard Web Application Scanning, Qualys Inc.
The first, QualysGuard Web Application Scanning (WAS) from Qualys, is by far the most widely used app sec product among this year's respondents. The cloud-based WAS service is a repeat winner: It received the nod for top product from voters in Application Security in our 2013 Readers' Choice Awards.
WAS is the Swiss Army knife of Web scanners: The automated scanner can identify and test custom Web applications for vulnerabilities, focusing on the OWASP Top 10, not to mention malware, sensitive content like Social Security numbers or credit card numbers, and application interactions like link crawls and host data. Authenticated scans are an option as well.
Beyond scanning, WAS provides application asset categorization with customizable tags to group apps in any number of ways including location, business unit owner and risk level. Standardized and customizable reporting not only categorizes findings by flaw type, severity and remediation status, but also formats findings for different audiences including administrators, developers and executives. Broad user role management options allow for a variety of users to run their own custom scans with WAS simultaneously. WAS also has APIs for integration with Web application firewalls, security information and event management systems (SIEMs) and enterprise risk management products.
Survey respondents were especially high on Qualys' frequent updates to the product to identify new vulnerabilities, and its ease of installation, configuration and administration. "Burp integration was key," says one respondent, "and we use the WAS service in development, which has tightened up [their] processes in turn."
The WAS service is available to customers in one of three yearly subscription packages (Enterprise, Express, and Express Lite editions), based on the maximum number of applications and scanners. QualysGuard Policy Compliance, which is also based on the Qualys Cloud Platform, is a winner in this year's Risk and Policy Management category.
Winner: App Risk Management Service, Appthority
Also recognized this year is Appthority's App Risk Management Service for mobile applications. The software as a service (SaaS) application constantly collects and analyzes data points that can offer insight on the security of mobile apps, including app store reputation, distribution, function, risky security behaviors and developer reputation. It also conducts static, dynamic and behavior analysis on mobile apps to determine if they pose a risk. From there, customers can integrate App Risk Management Service with a number of popular mobile device management products, which gives them the option to enforce their policies based on the findings.
Our survey respondents were blown away by App Risk Management Service's effectiveness in detecting and reporting known attacks and vulnerabilities. "It's very effective and reliable," noted one respondent. "It's great to use.... Overall everything is awesome," says another.
Winner: Retina Network Security Scanner, BeyondTrust Inc.
Rounding out the winning trio is BeyondTrust's Retina Network Security Scanner. The application, available as a standalone or as part of BeyondTrust's broader Retina suite, can discover and assess the security posture of a mix of network, Web and virtual application assets. Using agent-based or agentless scanning, the product can identify specific vulnerabilities, assess risk and prioritize remediation based on a variety of factors. It integrates with popular SIEM, GRC and security management platforms, and produces a mix of role-based reports.
Our survey respondents appreciated Retina Network Security Scanner's frequent updates and vendor support, as well as its overall effectiveness. "It works well [and] has alerted us to attacks and insecure situations several times," says one respondent. Another noted, "It is very useful in network security. It enables us to find a security exposure across an unlimited number of networks."