As applications have evolved to become more complex and distributed, the security effectiveness of traditional applications has lagged behind in several critical areas, including eliminating vulnerabilities during software development, monitoring risks related to open source software (OSS) and post-development application protection. This makes the enterprise software factory more vulnerable than ever. It’s no wonder that web application attacks are up 56% year over year. In addition, we are seeing an increase in attacks against software vendors and the supply chain, as well as an increase in targeted threats to cloud native application infrastructure.
An effective application security testing solution should be chosen based on the specific requirements of modern software, should operate anywhere in the software development lifecycle (SDLC), and should focus on discovering and testing vulnerabilities in addition to fixing them. Core features include criteria for vulnerability identification, software composition analysis, runtime protection, and compliance, among others. This document is intended to serve as a template for requests for proposals (RFPs) or application security vendor selection projects.