Uploaded on Oct 12, 2023
Procuring an Application Security Testing Partner is crucial for safeguarding digital assets. An Application Security Testing Partner specializes in conducting comprehensive assessments using techniques such as vulnerability scanning, penetration testing, code review, and threat modeling. Their expertise ensures your applications are fortified against cyber threats, providing peace of mind in an increasingly interconnected digital landscape. Learn More: https://hclsw.co/ftpwvz
Procuring an Application Security Testing Partner
eGuide: Procuring an Application Security Testing Partner
HCL AppScan
Summary
We live in an era of digital transformation. Businesses around the world are using digital technologies to create new employee cultures, business processes and customer experiences that reflect rapidly changing business and market requirements. The exponential growth of remote work, cloud computing, online banking and shopping, and so many more web-based services is unprecedented.

And with all of this has come unforeseen vulnerabilities, threats, and crime. Identity theft, data breaches, hacking, etc. are all common news stories today and businesses have a lot to lose. In the 2022 Cost of Data Breach Report by IBM and the Ponemon Institute, data breaches cost companies on average $4.35 million.
To avoid these monetary and reputation costs, companies are increasingly
purchasing application security testing software that can assist with
scanning and fixing vulnerabilities in application code so that they can
more effectively secure their data.
This eGuide provides valuable insights into procuring an application
security testing partner including gaining an understanding of use cases,
critical technologies, and best practices.
eguide: Procuring an Application Security Testing Partner 2
Table of Contents
04 | Introduction: Choosing the Right Solution
05 | Application Security Today
06 | Application Security Testing Technologies – a Quick Introduction
07 | Choosing the Right Technology and Platform
08 | Additional Features and Strategies
09 | Considering Cost
10 | Finding the Right Vendor
11 | Setting Expectations
12 | Conclusion
13 | About this e-Guide
Introduction: Choosing the Right Solution
Application security testing encompasses a broad array of technologies, platforms, and services, all used to find and fix the vulnerabilities in application code. Choosing the right solution depends on many factors. It is important to determine who will be responsible for securing the applications and their code, when this is best done to ensure effectiveness and efficiency, and what the guidelines need to be when implementing a testing and remediation program.

Solutions must balance the needs of development speed with effective application security.
Choosing which technology or suite of technologies to use is based as
much upon how they work as who will be using them, and at what stage in
the application development life cycle.
Educating stakeholders about potential security threats and setting
expectations about costs is critical, as is considering both short and long-
term strategies that account for growth and change.
Gaining an understanding of all these factors puts organizations in a better position to choose the right application security testing partner with the right solutions for their business needs.
Application Security Today
Culture
Security-focused companies that develop web applications are finding ways to prioritize application security as early as possible in the application development life cycle. This is referred to as “shifting left” and increasingly places more responsibility for security on developers.

Application security testing software helps developers write secure code without slowing down the speed of delivery. It helps DevOps teams and security teams review and test both the code and the completed applications to ensure there are no vulnerabilities.

“Shifting left” and prioritizing application security as soon as possible is key to success in reducing business risk.

Security Stakeholders
Application security that was the domain of third-party security experts in the past is increasingly being handled in-house by companies that develop their own applications.

Developers, as previously noted, are being asked to analyze their code as they write it. DevOps teams now continuously test and analyze applications throughout development and implement policies and checks and balances to reduce vulnerabilities. Overseeing policy, pen testing, and providing one more layer of expertise are security analysts. In charge of all security is the company’s CISO (Chief Information Security Officer).

Companies should be able to identify all their application security stakeholders and make sure that the software solutions they choose allow everyone to work together successfully.

Policy
As the need for security and privacy has increased, so have government and industry regulations, designed to hold companies accountable for the data they handle. It is important that the application security solutions one uses can incorporate both external and internal security policy requirements.

When considering application security testing needs, ask the following questions:
• Where is my business risk?
• Is my private sensitive data exposed by apps?
• How do I set internal policy requirements for application security?
• How do I check for and demonstrate application compliance?
Application Security Testing
Technologies – a Quick Introduction
SAST (Static Application Security Testing)
SAST analyzes an application from the “inside out” in a nonrunning state by reviewing each line of source code for security vulnerabilities.

DAST (Dynamic Application Security Testing)
DAST is used to run a variety of tests on running applications to identify potential security vulnerabilities and architectural weaknesses.

IAST (Interactive Application Security Testing)
IAST monitors web applications for security vulnerabilities while the application is run by an automated test, human tester, or any activity “interacting” with the application functionality.

SCA (Software Composition Analysis)
SCA automatically locates and analyzes open-source software and packages that have been incorporated into an application’s codebase.

API TESTING (Application Program Interface)
API Testing sends requests to program interfaces in order to check their security, functionality, performance, and reliability.
Since each technology scans for vulnerabilities differently, they are often best used
together to ensure not only that vulnerabilities are found, but also to validate fixes,
and correlate results to prioritize more easily what needs to be fixed.
Choosing the Right Technology and Platform
Technology
The scanning technology or combination of technologies that is chosen is influenced by the development environments and integration models that are used.

For developers, finding a SAST technology that will function seamlessly with a preferred IDE (Integrated Development Environment) is critical, since this is where they are already working most efficiently.

For DevOps and security teams using a traditional waterfall software development life cycle, SAST is again an important option, but DAST technologies testing running applications can also be used to validate fixes.

Since IAST monitors and provides feedback on running applications without slowing development time, it is favored more in both Agile development environments and in those using a continuous integration/continuous delivery (CI/CD) model.

SCA is another technology often used in CI/CD pipelines or wherever there is both a focus on speed of delivery, and where there are numerous open-source packages that have been incorporated and need to be tested prior to release.

Platforms
On-Premises. These are desktop solutions where one or more security testing tools are downloaded and used locally by developers, DevOps teams, and security teams. A provider might offer a single technology or a suite of technologies to use together. Some industries have regulations requiring on-premises security solutions.

On-Cloud. These security testing tools are available by logging into a cloud server and can be accessed from anywhere. Again, providers may offer one or more testing technologies that can be used together or separately. On-Cloud platforms often allow the security partner or third-party security teams to monitor the testing and remediation efforts more easily.

The ideal application security solution should complement a development model and working environment.
Additional Features and Strategies
A Simplified User Experience
In some cases, a single technology may handle many specific testing requirements, but since each testing tool scans differently, using two or more often leads to more confidence in the findings. Look for a partner whose platform includes a centralized dashboard and control center where all results can be viewed together so that it is easier to prioritize which issues to fix first.

Oversight and Compliance
A centralized dashboard also helps maintain accurate oversight of all the application security testing an organization is doing by increasing visibility and accountability. It allows security teams to create automated testing guidelines based on both threat modeling and compliance policies.

Scalability
Purchasing a single application security scanning technology may make sense in the short term. But as a business grows and development cycles move faster, there will be more code to scan in shorter amounts of time. It is thus important to consider a partner that can offer what is needed today and anticipate future needs, as well.
Considering Cost
Cost versus Risk
Depending on the size of development needs, the cost of application security can vary greatly. When convincing the CFO of an organization that this type of expense is necessary, it is worth considering the cost of doing nothing from a risk perspective. According to the 2022 Cost of Data Breach Report by IBM and the Ponemon Institute, data breaches cost companies on average $4.35 million.

Cost versus Time and Resources
Because much of the application security testing technology today can be used to automatically run tests and correlate results for easier remediation, purchasing these tools can amount to a significant savings in time and resources.

In a recent Forrester Total Economic Impact Report, published in 2022, a Brazilian financial institution saw a 151 percent Return on Investment (ROI) when they switched from manual, third-party application security testing to using an automated software solution. Much of this ROI was based around time savings. Prior to the switch, the company reported that finding and remediating an application vulnerability was taking up to 120 hours (five days).
Finding the Right Partner
An application security testing partner should do more than
just sell testing software. There are several additional factors
to consider in making a decision:
Technology Ownership
Look for a partner that owns and develops their own proprietary application security software. While some companies have purchased security technologies to sell as their own, companies that develop their own software often provide suites of solutions that work better together and are quicker to release new versions that stay current with security trends and threat models.

Demos, Free Trials, Support
If interested in a technology solution, several companies provide demos and free trials. And, in some cases, there are free versions of the software available for certain segments of the market.

Research Teams and Ongoing Development
Be sure to choose a provider that is actively engaged in ongoing security research. Their commitment to finding vulnerabilities ahead of time and building that knowledge into an organization’s tools is critical to staying out in front of threats.

Education and Support
Look for not just a vendor but a partner that offers education, technical support, and potentially customized solutions that address the specific security needs of a business.

Third-party Reviews and Analyst Reports
There are several reputable technology research and consulting firms that publish regular reports on the application security landscape and the companies providing these services. Gartner, Forrester, and IDC are a few examples.
Setting Expectations
Speed versus Security
The more seamlessly application security testing can be added to a development pipeline, the less the whole development life cycle is slowed down. Balancing the needs of development speed and application security requires software that can orchestrate testing protocols, correlate results, and help prioritize which issues to fix.

Time and Human Resources
Automatic application security scanning will undoubtedly save an immense amount of time and money, but there is some necessary investment up front as things are set up. Establishing policies, determining security roles and responsibilities, and fine-tuning the technology to do what it needs to do are all necessary parts of the process.

Defining a Security Baseline
It is common for companies to discover an overwhelming backlog of security vulnerabilities once they begin an automatic testing program. Prioritizing fixing all those old issues may not make sense, especially since they have not yet led to a security breach. Often, a better policy is to work to secure all new code going forward and address the backlog as a secondary priority, as time and opportunity allow.
All security stakeholders need to have a shared set of
expectations regarding time, speed, and resources to
implement application security effectively.
Conclusion
Application security testing software helps companies that develop their own web applications reduce costs, avoid risk, and avert potentially damaging data breaches. These products, platforms and services assist with scanning and fixing vulnerabilities in application code before web applications reach the market. To choose the right software solutions for a business, focus needs to be on three fundamental areas.

Organizations should develop a comprehensive security picture, the people and culture that make it up, and the application development model that they intend to use. Additionally, they need to decide who will be responsible for application security testing and who benefits most from the use of these tools. Organizations should also determine the policies that need to be followed and whether company growth is anticipated.

Understanding the main types of application security testing technologies available and where each integrates best into the software development life cycle is critical. Each tool has different strengths, and there can be benefits to using more than one, such as validating vulnerabilities to be fixed.

Organizations need to consider the size, history, and expertise of the vendor as well as their commitment to research and innovation. Ideally, an organization should want an application security partner that not only provides testing software, oversight, reporting, and easy-to-use platforms, but is also committed to onboarding, continuing education and training.

Securing application code before it reaches the market is a crucial step to reducing business risk. Procuring the right application security testing partner for a specific business is a major step in accomplishing this goal.
About this eGuide
HCL AppScan is a scalable suite of security testing platforms and tools
including SAST, DAST, IAST, and SCA, available on-premises and on
cloud. HCL AppScan technologies detect pervasive application security
vulnerabilities during development and facilitate remediation before the
software is deployed. Developer-focused advisories and language specific
code samples empower developers to remediate vulnerabilities and instill
secure coding practices. Comprehensive management capabilities enable
security professionals, developers, DevOps, and compliance officers
to continuously monitor the security posture of their application and
maintain compliance with regulatory requirements.
For more information, visit hcltechsw.com/AppScan
Copyright © 2022 All rights reserved. No materials from this report can be
duplicated, copied, republished, or reused without written permission from
HCL Tech, Ltd. The information and insights contained in this report reflect
research and observations made by HCL Tech, Ltd.