Applications support organizations’ most strategic business processes and access their most sensitive data. Yet application security continues to receive less budget and attention than network security.
Why? It can’t be for lack of awareness. Weekly headlines remind security experts and business leaders alike that hackers seeking to break into organizations target applications.
As Forrester’s The State of Application Security, 2019 reports, “Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks.”1
So when a company hesitates to implement or expand its application security program, what are its leaders really thinking?
Lack of time, skill shortages, limited budget, and the mandate to deliver as fast as possible are indeed hurdles (more on that shortly). But the irony is that if your organization suffers a breach, you’ll spend more time and money on response and recovery than you would have spent on the security improvements that could have prevented it. And that doesn’t even count the potentially catastrophic cost of brand damage.
So the reasons above are not so much reasons as they are excuses—risky excuses.
While application security has improved in the past five years, 82% of reported security vulnerabilities still lurk in application code,2 not in networks. The conclusion is obvious: To lower risk, you must address application security.
So the question is this: How can you lower application-related security risk while keeping costs in line and maintaining high productivity?
The answer is managed services. With managed services, you can outsource security activities to a team of skilled experts, armed with the latest methods and tools, who will perform the testing services you need as soon as you need them.
According to a 2019 survey by Continuum, 77% of small businesses expect to outsource at least half of their cyber security needs within the next five years.3
What do those companies know about the path to proactive application security? Let’s find out. Here are six common hurdles you might encounter on the way to better application security and how managed services can solve them.
If you’ve attempted to hire security experts lately, you know it’s not easy.
Beyond the hiring statistics, your new expert will need deep knowledge in multiple domains, with more to learn as your software security program evolves.
Depending on your environment, you might need someone with expertise in areas ranging from malware to threat mitigation, cryptography, forensics, advanced analytics, network virtualization, cloud security, and mobile security, as well as industry-specific knowledge.
Plus, your new expert must have the soft skills needed to perform a demanding, time-sensitive, highly cooperative job: communication, management, reporting, and so on.
That’s a lot to ask of any person. Given all that, you’ll probably have better luck finding a unicorn. And if you do find an expert, it’ll cost you.
The shortage of available talent for cyber security positions has caused salaries to skyrocket. In 2018, information security analyst salaries averaged $98,350, and the top 25% made nearly $127,000.4 Add the cost of benefits and overhead (about 43% of wages and salaries in the private sector5) and you’re looking at a major investment for a very specific skill set.
You’ll also need to invest in training to make sure your new security expert stays up to speed. Roughly half of organizations plan to increase cyber security training for staff in 2020.6
And after all that, the risk remains that this rare creature will be lured away by a job with even better pay and benefits. More than half of companies report that it takes three to six months, or even longer, to fill open cyber security positions.7 Furthermore, research suggests that the conservative cost of replacing an employee is 34% of their annual salary ($15,000 at the median U.S. wage of $44,564).8
A managed services partner provides the expertise you need when you need it, from secure architecture to business logic testing, threat modeling, and mobile security. Rather than hire full-time specialists in each of these areas, you can simply draw on them as needed.
Besides that, a managed services team doesn’t require that you pay them benefits, and they come with their own workspace and set of tools. Most importantly, the team can work on multiple tests and projects at once.
Finally, bringing in a managed services team frees up your employees to work on other high-priority projects even when emergencies arise. Again, you pay only for the people and tools you need when you need them.
Attackers look for the easiest way into your organization. Unfortunately, your limited internal resources might not have the time, skills, or tools to identify every path an attacker could take, even if you’ve been testing your applications regularly.
Attackers also like to exploit vulnerabilities in legacy code. When your developers reuse code that has been in circulation for decades, they may unwittingly inherit its technical debt, which includes security bugs and flaws.
Consequently, your testing policy must cover your full portfolio. You need to investigate both existing applications and those currently under development, including web, mobile, and client-server applications that your team developed, as well as those you license from third parties, such as middleware or software-as-a-service (SaaS) tools.
Don’t let a lack of capacity dictate your software security policy. Managed services can help you eliminate testing gaps by covering the breadth of your portfolio, while adapting testing depth to match the technical and business risk of each application.
Your testing demand is always the same, right?
Of course not. If you’re like most companies, you struggle with “lumpy” demand for testing. It rises, it falls.
The most common cause of lumpy demand is an uneven rate of new applications and releases coming out of your development group. Most companies no longer follow a fixed release schedule. Instead, continuous integration and continuous delivery (CI/CD) has essentially become mandatory for organizations to stay competitive and meet customer demands. Each of these continual feature releases carries a different level of technical risk and business impact, which an application security program must be able to accommodate.
But using internal-only application security testing to meet lumpy demand can be difficult and costly. Many organizations find they have too few staff during busy times or too many skilled (and well-paid) employees sitting around during slow times—or both.
Managed services can be a lifeline for companies with uneven testing demand. Once again, they provide what you need when you need it: the flexibility to call in the cavalry and then, as demand falls, call it off again.
Not only are you dealing with a lumpy release schedule, but your business is also evolving quickly. Your security team needs to keep pace.
Are you prepared to respond if any of these things happens?
If demand spikes without your having a full application security team on hand, you’ll be scrambling to test and clean up code—or worse, to deploy patches to software that’s already in the hands of users.
An established managed services partner can help you respond quickly to new types of business or technical challenges. That partner will already know your systems and priorities and can hit the ground running. There’ll be no need to waste time hiring, onboarding, or training.
Over the past few years, the market for static and dynamic application security testing (SAST and DAST) tools has become crowded, and automated testing tools have become more sophisticated. Their ability to identify common coding errors at scale has never been better.
But there’s still a problem: A software testing tool is not a guarantee of reduced risk.
The reality is that each security testing tool has different strengths, and no tool catches everything. If budget and resource limits restrict you to using only one or two security testing tools, you might miss critical vulnerabilities. What’s more, without the capacity to replicate and confirm findings, you might spend countless hours chasing false positives.
The same testing tool in the hands of a security expert with years of experience, who knows how to configure it, tune its rules, and triage its output, can yield far more accurate results than it does in the hands of a team running it with default settings. It’s well worth finding out whether that holds for your own tools.
External testing partners have access to a myriad of best-of-breed testing tools. So not only can they choose the best testing approach for a specific type of application and risk scenario, but they can also compare results across tests, combine findings, and reduce false positives.
Because they work at scale, managed services providers follow a consistent process that is repeatable, test after test. Their results are therefore more consistent and comparable from one test to the next.
One caveat: Some managed service providers also sell their own testing tools, which might mean they’ll lock you into using that tool, regardless of its limitations.
So if you want to use a specific tool for consistency, make sure that your managed services partner can incorporate that tool into their execution plan, and that they plan to use multiple tools to get the best results.
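The correlation step described above, combining findings from more than one tool so that multi-tool agreement raises confidence and single-tool findings are flagged for manual confirmation, is easy to show in code. The following is an added example, not code from the original paper or from any product it discusses. The two scanner output formats ("Tool A" and "Tool B"), their field names, and the sample findings are all constructed for the example; real tools would be normalized the same way from their actual export formats.

```python
"""Correlate findings from several application security scanners.

Added example (not from the original paper). Each scanner reports the
same defect with its own field names; normalizing to a common record and
grouping by location and weakness class shows which findings multiple
tools agree on and which rest on a single tool and need manual
confirmation before anyone is asked to fix them.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample output from two hypothetical scanners. The field
# names are assumptions for this example, not any real product's format.
TOOL_A = [
    {"file": "src/app/login.py", "line": 42, "cwe": "CWE-89", "rule": "sql-injection", "severity": "high"},
    {"file": "src/app/login.py", "line": 88, "cwe": "CWE-798", "rule": "hardcoded-secret", "severity": "medium"},
    {"file": "./src/app/export.py", "line": 17, "cwe": "CWE-22", "rule": "path-traversal", "severity": "high"},
]
TOOL_B = [
    {"path": "src/app/login.py", "location": {"startLine": 43}, "cweId": 89, "level": "error"},
    {"path": "src/util/render.py", "location": {"startLine": 9}, "cweId": 79, "level": "warning"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def normalize_a(finding):
    """Map a Tool A record to the common shape."""
    return {
        "tool": "A",
        "path": str(PurePosixPath(finding["file"])),  # collapses a leading "./"
        "line": finding["line"],
        "cwe": finding["cwe"],
        "severity": finding["severity"],
    }


def normalize_b(finding):
    """Map a Tool B record to the common shape."""
    level_to_severity = {"error": "high", "warning": "medium", "note": "low"}
    return {
        "tool": "B",
        "path": str(PurePosixPath(finding["path"])),
        "line": finding["location"]["startLine"],
        "cwe": f"CWE-{finding['cweId']}",
        "severity": level_to_severity.get(finding["level"], "low"),
    }


def correlate(records, line_tolerance=3):
    """Cluster normalized findings that point at the same weakness.

    Findings are grouped by (path, CWE) and then by line proximity, since
    two tools rarely agree on the exact line of a multi-line statement.
    Returns one cluster per suspected defect with the tools that found it.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["path"], r["cwe"])].append(r)

    clusters = []
    for (path, cwe), group in sorted(by_key.items()):
        group.sort(key=lambda r: r["line"])
        current = None
        for r in group:
            if current is None or r["line"] - current["lines"][-1] > line_tolerance:
                current = {"path": path, "cwe": cwe, "lines": [], "tools": set(), "severity": "low"}
                clusters.append(current)
            current["lines"].append(r["line"])
            current["tools"].add(r["tool"])
            if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[current["severity"]]:
                current["severity"] = r["severity"]

    for c in clusters:
        c["tools"] = sorted(c["tools"])
        # Agreement between independent tools is treated as confirmation;
        # a lone finding is routed to a human before it becomes a ticket.
        c["status"] = "confirmed" if len(c["tools"]) >= 2 else "needs-manual-verification"
    return clusters


def triage_report(clusters):
    """Order clusters so multi-tool, high-severity findings come first."""
    return sorted(
        clusters,
        key=lambda c: (-len(c["tools"]), -SEVERITY_RANK[c["severity"]], c["path"], c["lines"][0]),
    )


def run():
    """Normalize both tools' output and return the triaged clusters."""
    records = [normalize_a(f) for f in TOOL_A] + [normalize_b(f) for f in TOOL_B]
    return triage_report(correlate(records))


if __name__ == "__main__":
    for c in run():
        print(f'{c["status"]:26} {c["severity"]:6} {c["cwe"]:8} {c["path"]}:{c["lines"]} tools={c["tools"]}')
```

With the constructed input, the SQL injection in login.py is reported by both tools at adjacent lines and lands at the top of the list as confirmed; the other three findings each come from a single tool and are queued for manual verification rather than sent straight to developers. The line tolerance is the knob that trades missed correlations against accidental merges, and a real deployment would also carry each tool's rule identifier so that a reviewer can trace a cluster back to the raw reports.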
To protect applications that manage business-critical functions or access sensitive data, running a standard set of automated scans is not sufficient. You need expertise to execute in-depth manual tests and interpret results.
Application security changes constantly. New threats and attack vectors emerge, and new regulations ramp up compliance requirements. Your testing and prevention strategies need to keep up with those changes.
An expert managed services partner is versed in the latest compliance requirements and emerging threats, as well as the most effective remediation strategies.
That partner will go beyond automated scans to perform in-depth manual tests, including multistep penetration scenarios and targeted explorations with your business logic in mind.
Most importantly, expert managed services providers will interpret both automated and manual test results and help you fix the vulnerabilities they find. By providing detailed reports and read-outs, they can transfer their knowledge to your team so that you can keep learning and improving.
Once you find a managed services partner that can help you overcome the hurdles of fixed capacity and limited skills, you can reclaim your staff and reinvest their time.
You could leave run-of-the-mill testing of your broad portfolio to your partner and focus your internal team on more specialized tests or high-profile applications.
Or you could let your partner handle all application security testing, while you focus on high-level management: improving internal processes, motivating stakeholders, communication, education, and long-term planning.
Either way, choosing a managed services partner will allow you to be more agile in creating a flexible, forward-looking software security strategy and responding to the unpredictable, ever-evolving security threat landscape.
Now that you’ve determined that managed services is the best solution for your application security needs, it’s critical to find the right partner.