Modern applications and APIs are the backbone of digital innovation, enabling organizations to deliver transformative user experiences, streamline operations, and unlock new business opportunities. Yet, the complexity of today’s application ecosystems—spanning microservices-based architectures, distributed environments, embedded AI functionalities, and fast-moving development cycles—has created a rapidly expanding attack surface for most organizations.
Vulnerabilities, both known and unknown, are emerging at an alarming pace, putting organizations at risk of data breaches, operational disruptions, and reputational damage. To safeguard these systems, it’s imperative to embed robust security testing practices throughout the software development lifecycle (SDLC). This blog examines how organizations can identify and address vulnerabilities, leveraging modern testing technology and strategies that meet the security demands of today’s app and API landscape.
Both the scale and complexity of application vulnerabilities are rapidly escalating, driven by the same forces that fuel innovation. In 2024 alone, 40,077 new common vulnerabilities and exposures (CVEs) were published, averaging over 750 vulnerabilities per week—a staggering 38% increase over 2023.
Web applications remain the preferred target for attackers, accounting for 34% of breaches in 2024. Accelerated development cycles, enabled by CI/CD pipelines, often prioritize speed over security, leading to compressed testing windows that leave critical vulnerabilities unknown.
These gaps create ample opportunities for threat actors to exploit weaknesses in applications and APIs, resulting in data breaches, service disruptions, and infiltration of sensitive systems.
As organizations strive to balance innovation with security, a continuous, proactive and comprehensive approach to mitigating these risks has become indispensable in addressing the more volatile and ever-changing threat landscapes most organizations are dealing with today.
Testing needs to be a critical component of any organization’s security strategy—serving as its “eyes and ears.” Testing provides information and insights organizations can use to harden code and improve their overall security posture by helping them:
Addressing the growing scope and sophistication of vulnerabilities requires a multi-modal testing approach. A layered testing strategy that combines various methodologies ensures that as many risks as possible can be identified and addressed as early as possible across every phase of the SDLC. Some traditional approaches include:
1. Static Application Security Testing (SAST): SAST solutions analyze source code to identify vulnerabilities early in the development process without executing it, making them effective at catching flaws such as logic errors, insecure coding practices, and syntax issues before deployment. By integrating into developer workflows, SAST helps promote secure coding from the outset while supporting continuous testing in CI/CD environments.
However, SAST solutions have limitations. They do not identify runtime vulnerabilities or issues in third-party libraries, and they can generate high numbers of false positives, which frustrate development teams and slow the pipeline if not carefully managed. The result is extra manual effort to validate and prioritize the remaining findings.
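To make concrete what "analyzing source code without executing it" means, and where the false positives come from, here is a small added example (not F5's code or any vendor's scanner) of a SAST-style check in Python. It parses a constructed code sample into an AST, flags two risky call patterns, and lowers confidence when the shell command is a constant string that no input can influence; it knows nothing about which `yaml` version is actually installed, which is the third-party/runtime gap the text describes. The sample source and rule names are constructed for illustration.

```python
import ast

# Constructed sample source to be scanned. It is parsed, never executed.
SAMPLE = '''
import subprocess
import yaml

def run(cmd):
    subprocess.run(cmd, shell=True)      # cmd may be user-controlled

def load(data):
    return yaml.load(data)               # no explicit Loader

def ping():
    subprocess.run("ping -c1 127.0.0.1", shell=True)   # constant command
'''


def _keyword(call: ast.Call, name: str):
    """Return the keyword argument node named `name`, or None."""
    return next((kw for kw in call.keywords if kw.arg == name), None)


def scan_source(src: str) -> list[dict]:
    """Minimal SAST pass: walk the AST and report risky call patterns.

    Each finding records the line, a rule id and a confidence level so a
    team can triage likely false positives (constant inputs) separately.
    """
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        callee = ast.unparse(node.func)
        if callee == "subprocess.run":
            shell = _keyword(node, "shell")
            if shell is not None and isinstance(shell.value, ast.Constant) \
                    and shell.value.value is True:
                first = node.args[0] if node.args else None
                # A literal command string cannot be tainted: lower confidence.
                confidence = "low" if isinstance(first, ast.Constant) else "high"
                findings.append({"line": node.lineno, "rule": "shell-true",
                                 "confidence": confidence})
        elif callee == "yaml.load" and _keyword(node, "Loader") is None:
            # Whether this is exploitable depends on the installed PyYAML
            # version, which static analysis cannot see: medium confidence.
            findings.append({"line": node.lineno, "rule": "yaml-load-no-loader",
                             "confidence": "medium"})
    return sorted(findings, key=lambda f: f["line"])
```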
2. Dynamic Application Security Testing (DAST): DAST solutions operate against a running application (production, or a simulated live/staging environment), simulating real-world attack scenarios to uncover security risks that only manifest at runtime. DAST excels at identifying vulnerabilities tied to application logic, external integrations, and runtime-specific interactions, making it an essential layer in security testing.
However, because it observes only runtime behavior, DAST cannot pinpoint vulnerabilities in the source code itself, and it often requires expertise and tedious configuration and tuning to avoid gaps in test coverage or suboptimal results. Despite these challenges, DAST remains a powerful tool for real-world vulnerability assessment.
3. Penetration testing: Penetration testing shines in its ability to provide deep human-led, contextual analysis of an application's vulnerabilities, leveraging skilled professionals to simulate targeted attacks. This often very manual approach is invaluable for identifying sophisticated threats missed by automated tools alone. It helps map and verify vulnerabilities, delivering actionable findings with minimal false positives.
Nonetheless, the resource-intensive nature of penetration testing often limits its frequency, making it more suitable for periodic or targeted assessments rather than continuous testing. Despite these constraints, penetration testing remains a critical component for any organization’s app and API security efforts.
There are also many emerging security testing solutions that can complement these traditional methods. These include techniques like fuzz testing, Interactive Application Security Testing (IAST), Runtime Application Self-Protection (RASP), and AI-augmented testing that leverages machine learning to prioritize vulnerabilities, detect anomalies, and streamline the testing process.
Together with traditional methods, these newer approaches help organizations tackle the evolving complexity and risks of today’s application ecosystems. Organizations should see them as additional tools that can be layered together as part of their app and API security posture throughout the SDLC to keep up with ever-evolving app and API threat landscapes.
To strengthen their application security posture, organizations can evaluate their current testing regime based on these proven best practices:
Embed security testing early and often. By integrating security testing into the SDLC, organizations can take a more proactive approach to app and API security—creating a feedback loop of continuous improvement, uncovering vulnerabilities early, validating protections post-deployment, and transforming application security into a strategic enabler rather than a bottleneck. Identifying vulnerabilities during the design or development phases helps minimize remediation costs and prevents critical security flaws from reaching production. At a minimum, it allows for compensating security controls to be put into place while permanent code fixes are implemented.
Adopt a continuous, multi-layered testing approach. A multi-layered testing strategy is essential for robust application security. By leveraging a combination of solutions and approaches such as SAST, DAST, fuzz testing, and regular penetration testing, organizations can maintain a much more complete picture of their vulnerabilities. Continuous testing helps organizations adapt to the faster, iterative nature of modern app development, providing context-aware insights in near real time to maintain security controls and policies—ensuring apps and APIs remain resilient and adequately protected over time as they change and evolve.
Find tools and processes to automate testing. Integrate testing tools and processes (e.g., SAST, DAST, and fuzz testing tools) into CI/CD workflows, and look for ways to make automation and continuous testing part of the standard development lifecycle so that testing has as little impact as possible on release pace and output. Automating wherever feasible is particularly important given the vast scale of modern app portfolios, as it helps ensure rapid identification and remediation of vulnerabilities in fast-paced CI/CD environments.
Foster collaboration across teams. Breaking down silos between teams (e.g., engineering, development, infrastructure, architecture, security) is essential. Organizations should find ways to empower developers, engineers, and other core roles outside of security as “security champions” through dedicated training programs, encouraging them to advocate for secure practices within their individual teams. By breaking down silos and providing ongoing education on common vulnerabilities and on each team’s responsibilities in app and API design, security can become a shared responsibility across the organization.
In an era where apps define and enable most customer experiences, security is not optional. It’s fundamental. By embracing a continuous, proactive and multi-layered testing approach embedded throughout the SDLC, organizations can safeguard their apps and APIs without slowing innovation.
A layered strategy—with automated tools and strong organizational, cross-team collaboration—ensures that even as apps evolve rapidly, vulnerabilities are understood and can swiftly be addressed so that data is protected and customer trust remains intact.
Keeping an eye on large, complex web apps doesn’t have to be overwhelming. F5 is offering organizations complimentary web app security assessments to help them better understand their current security posture by identifying and addressing vulnerabilities.
See the F5 Distributed Cloud Web App Scanning solution in action and submit a request for a free assessment/trial here. To learn more about the service, check out this solution overview and webpage.