Guide

How to make security testing more cost-effective


The issue of price is very difficult when it comes to security testing. After all, how to assess its ROI?

That’s a huge challenge indeed. The security testing industry has taught companies how to make investments, but it hasn’t really focused on the efficiency of those investments. If you pick your battles wisely, you can achieve a much better security posture than your competition, so let’s dig into this and see what could be done better to achieve greater results at the same or even lower cost.
Simply hiring external penetration testers doesn’t cut it anymore. Software engineering processes have changed significantly, so relying on penetration tests alone is not effective; besides, basically every company does it, so it’s hard to differentiate that way. If you truly want to go the extra mile and win the trust of your customers, you have to put in the work, because your competitors aren’t far behind. Lots of businesses these days are aware of the need for security investment, but most of them can’t get it right.

Everything in business should be driven by proper risk analytics

But to manage risks effectively, you need to know the cost of remediation and all the alternative paths. Only with this wider context can you make a good judgment about your risk profile.

Security assurance is expensive, but it doesn’t need to be THAT expensive.

You have probably heard of penetration testing, vulnerability assessments and bug bounties. These things are all over the place and it’s hard not to hear about them. But that doesn’t mean you should go after them before a couple of other things that can give you a higher and longer-term ROI.
Let’s consider the most common phases of the SDLC: planning, requirements analysis, design, development, testing, implementation and maintenance. Conventional penetration tests can be performed in the last three, namely during testing, implementation and maintenance.

Security testing done in a smart way

If you only engage in security activities in the internal testing phase (5), you’ve already skipped 4 stages where you could have identified flaws and fixed them at a lower cost. Many companies actually hire pentesters to test products already deployed in production, thus skipping 6 phases of the SDLC.

Across all the companies we’ve worked with, we notice the following requirements:

• they need to have software built fast
• they need to have software tested and stable
• they need to have the product in front of customers as soon as possible
• products must be developed even when engineers are tired and distracted.
