Application developers have traditionally (and perhaps rightly) prioritised functionality over security at whatever stage of the Software Development Lifecycle (SDLC) they have been involved in, and under whatever development methodology has been used: Waterfall, Iterative, Spiral, V-Model, Big Bang, Agile and so on.
Static application security testing (SAST) and dynamic application security testing (DAST) each have their merits and drawbacks, but even when combined in a complementary white-box and black-box testing programme they rarely identify every security vulnerability.
Nor can either method keep up with the evolution of attack vectors once an application has been fully deployed: responding to a new attack technique means changing code and applying patches.
At FullProxy, because application code and its supporting infrastructure will never be entirely free of vulnerabilities, we believe that application security also needs to include (a) protection against HTTP- and HTTPS-specific attack vectors that next-generation firewalls (NGFWs) cannot provide, (b) protection of cryptographic keys in dedicated hardware (such as a hardware security module) rather than in application software, and (c) measures that give assurance that applications will remain available whenever they are needed.
To this end, please take a look at the following specific application security solutions that we feel comprehensively address all of these areas.