
May 2022

The Era of Automated SAST has Begun

For consecutive years, applications have remained the top attack vector for black hats, with supply chain attacks not far behind. At the same time, market research indicates that enterprise security managers and software developers continue to complain that their application security tools are cumbersome. When asked, many developers admit that they don’t run security tests as often as they should, and they push code to production even when they know it has security flaws.

What capabilities are critical to the success of your AppSec program?

The 2022 Gartner® Critical Capabilities for Application Security Testing report provides useful guidance for teams wanting to build an AppSec program optimized for their business needs.

There are two cars in my driveway right now. One was built in 1978, and what’s great about it is how easy it is to work on. It’s a simple vehicle, and most repairs can be performed with only a half-dozen tools: two screwdrivers, three wrenches, and a hammer (you always need a hammer).

Tech tales: Achieving PCI compliance with application security testing

In our new tech tales series, we discuss how Synopsys customers use our products and services to uncover security risks in their organization. Synopsys customers span every industry—from small to large enterprises across financial services, automotive, public sector, medical and healthcare, and much more. One thing they all have in common is building trust into their software.

On the Fuzzing Hook - Exploring Deeper Program States

Coverage-guided fuzzers, like Jazzer, maximize the amount of code executed during fuzzing. This has proven to produce interesting findings deep inside the codebase. Checking only the validation rules at the first application layer provides little benefit, whereas verifying the logic of, and the interactions between, deeply embedded components does. To extend the amount of covered code, the fuzzer tries to mutate its input in such a way that it passes existing checks and reaches as-yet-unknown code paths.

Snyk and StackHawk form strategic alliance to equip app teams with modern, developer-first security testing

Application innovation, design, development, quality assurance, and security testing have changed dramatically over the past decade. Engineering teams are leveraging agile development processes, modern cloud platforms, reusable microservices, and extensible APIs, enabling them to shift to more frequent deployments more easily.