Application Security Testing
Supporting your agency's AST program
Application Security Testing, or AST, is the practice of testing, analyzing, and reporting on the security level of an application as it moves from the early development stages through deployment and maintenance.
An effective AST program incorporates products, services, and solutions that continuously assess and address application vulnerabilities throughout the entire software development life cycle (SDLC). An AST program should:
- Reduce the number of vulnerabilities in released applications.
- Mitigate the potential impact of the exploitation of undetected or unevaluated vulnerabilities.
- Identify and address the root causes of vulnerabilities to prevent future recurrences.
- Provide greater insight into the agency’s application security posture.
Successful AST programs go beyond automation — agencies also need to hire cybersecurity experts to manually analyze how government applications work and how they can be exploited. Each agency may take a different approach to its AST program, and GSA's contract options offer a variety of sophisticated tools that statically and dynamically analyze applications for detectable weaknesses.
Buying AST Solutions
Agencies can buy AST products and services through our technology contracts and purchasing programs:
- Multiple Award Schedule - Information Technology
- Governmentwide Acquisition Contracts
- Enterprise Infrastructure Solutions
You can find the services that best align with your AST program needs on this summary sheet [PDF - 228 KB], which provides an overview of AST and related GSA solutions.
Our Application Security Testing buyer's guide [PDF - 879 KB] provides key considerations when implementing an AST program. It also helps agencies identify and procure AST offerings to improve their application security posture.
To make your acquisition experience easier and more efficient, our AST Statement of Work template [DOCX - 38 KB] provides typical language for a cybersecurity solicitation and examples of specific activities and deliverables associated with AST services.
The template aligns with the Highly Adaptive Cybersecurity Services RFQ template, so you can copy and paste information from the AST SOW template directly into Sections 3.0 and 4.0 of the RFQ Template as part of a larger cyber services requirement.
Related resources
- "Improving the Nation's Cybersecurity" — Executive Order (EO) 14028 directs Federal agencies to advance security measures that drastically reduce the risk of successful cyber attacks against the Federal government’s digital infrastructure.
- “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” — Office of Management and Budget Memo M-22-09 provides agencies further guidance to improve their application security. Specifically, it charges agencies to operate dedicated AST programs and utilize high-quality firms specializing in application security for independent third-party evaluation.
- “Recommendations for Mitigating the Risk of Software Vulnerabilities” — National Institute of Standards and Technology Special Publication 800-218 provides a core set of high-level secure software development practices that can be integrated into each SDLC implementation.
- “Guidelines on Minimum Standards for Developer Verification of Software” — NIST Internal Report 8397 describes recommended software verification techniques and provides additional information about them, with references for further reading.
- “Technical Guide to Information Security Testing and Assessment” — NIST Special Publication 800-115 assists organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies.
- “Develop and Publish a Vulnerability Disclosure Policy” — Cybersecurity and Infrastructure Security Agency Binding Operational Directive 20-01 directs agencies to publish the status of vulnerabilities listed in a Vulnerability Disclosure Policy. CISA BOD 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities,” requires agencies to identify and address known exploited vulnerabilities within a defined timeframe.