How to make security testing more cost-effective

Dec 17, 2018 | Guide

Price is a difficult issue when it comes to security testing. After all, how do you assess its ROI?

That is indeed a huge challenge. The security testing industry has taught companies how to make investments, but it has not really focused on the efficiency of those investments. If you pick your battles wisely, you can achieve a much better security posture than your competitors, so let's dig into this and see what could be done better to achieve greater results at the same or even lower cost.
Simply hiring external penetration testers doesn't cut it anymore. Software engineering processes have changed significantly, so relying on penetration tests alone is not effective, and since practically every company is doing it, it is hard to differentiate yourself that way. If you truly want to go the extra mile and win the trust of your customers, you have to put in the work, because your competitors are not far behind. Many businesses these days are aware of the need for security investments, but most of them can't get it right.

Everything in business should be driven by proper risk analytics

But to manage risk effectively, you need to know the cost of each remediation and all the alternative paths. Only with that wide context can you make a good judgment about your risk profile.

Security Assurance is expensive, but doesn’t need to be THAT expensive.

You have probably heard of things such as penetration testing, vulnerability assessments and bug bounties. They are all over the place and it is hard not to hear about them. But that doesn't mean you should go after them before a couple of other things that can have a higher, long-term ROI for you.
Let's consider the most common phases of the SDLC: planning, requirements analysis, design, development, testing, implementation and maintenance. Conventional penetration tests can be performed in the last three, namely testing, implementation and maintenance.

Security testing done in a smart way

If you only start security activities in the internal testing phase (phase 5), you have already skipped four stages where you could have identified flaws and fixed them at a lower cost. Many companies actually hire pentesters to test products already deployed in production, thus skipping six of the seven SDLC phases.

Across all the companies we have worked with, we notice the following requirements:

• software needs to be built fast
• software needs to be tested and stable
• the product needs to be in front of customers as soon as possible
• products must be developed even when engineers are tired and distracted.

