Safety is not a luxury
If you’re like me, you’re probably sick of seeing phrases like “in these uncertain times” or “due to the current situation” everywhere since Covid began. So to start with a quote from Simon Sinek: all times are uncertain. Yes, the global economy is on a downward trend; yes, the geopolitical instability is the greatest for many decades; and yes, cyberattacks are relentlessly accelerating to take advantage of the chaos. These are no longer uncertain times but the new realities of life, so organizations must adapt and move on – which means not only keeping an eye on their costs, but also minimizing security risks.
As customers told us at this year’s show RSA Conference, businesses are fully aware of the need for web application security – now the only question is how to do it. It wasn’t too long ago that AppSec was treated as an asset that could be put on hold in tougher times, and we’ve certainly seen plenty of that during the Covid downturn. The current economic downturn, however, is expected to last for years, so waiting for it is not a realistic option. Realizing this, organizations are reframing their approach to application security, looking for ways to stay secure over the long term despite tightening purse strings. For many, this means reducing security while making it cheaper and more efficient.
Separating security testing from development is expensive
The idea that security is something you can simply strengthen comes from the world of on-premises networking, where tight perimeter defense based on firewalls has always been the most secure approach. But there’s no way to build a tight perimeter around a web application, especially as technology stacks and deployment models are rapidly changing and becoming more distributed in cloud environments. Although Web Application Firewalls (WAFs) exist and should be part of any AppSec toolkit, their purpose is to block specific attacks and give you time to fix an underlying vulnerability, not to serve as the main line of defense. The best way to minimize long-term security risks is to provide apps with no known vulnerabilities, which means lots of testing.
The days of relying solely on external penetration testing for your application security are more or less over, especially in large organizations that build and run their own software. Typically, internal security teams are responsible for running and maintaining various security testing solutions, triaging security issues, and monitoring remediation efforts. Too often, the same teams also deal with network and system security, with routine application security testing inevitably taking less priority than day-to-day firefighting.
Keeping security testing separate from development makes running tests and fixing security flaws slow and expensive, even assuming your application security testing tools don’t generate additional work in the form of false positives. Coupled with internal friction and delays due to ineffective communication between developers and security engineers, this can reinforce the misconception that security is an anchor for innovation and a cost center for business. company. Besides the worrying fact that this leads development teams to skip some or all security tests when time is of the essence, it also puts safety first when budget holders hand out cost reductions.
Make security a sustainable part of software quality
With all of this in mind, many organizations are now faced with a dilemma: they can no longer afford to continue providing application security as they once did, but neither can they afford to stop. to do so and risk a data breach (or worse). The answer is to stop viewing application security as a step in your workflows and treat it as an inherent aspect of software quality, no less important than performance, functionality, or usability. This way, you can integrate it into the development pipeline and automate it for maximum workload and cost efficiency.
You could say that sounds a lot like a move to the left, and you wouldn’t be far off the mark – except dev-only testing isn’t enough, especially when it comes to static analysis which can’t cover runtime vulnerabilities. To truly embed security testing across the entire software development lifecycle (SDLC), you should test at all stages, from development to production, and also do so with a quick and permanent fix in mind. In practice, this makes dynamic application security testing integrated and fully automated (DAST) the only realistic way to cover your entire web attack surface continuously and with a predictable budget.
Simplifying and automating AppSec efforts is also critical to building DevSecOps processes that eliminate rigid internal roles and divisions between development, security, and operations. In this context, having a reliable security testing platform that feeds directly into development with little or no input from security experts allows security flaws to be resolved like any other software bug without blocking the entire pipeline. Having and encouraging security champions on your development teams is another way to distribute security expertise throughout the organization and make secure development an inherent part of your workflow rather than a expensive speed bump.
5 ways to save with Invicti
So that’s the theory, but let’s see how centralizing and simplifying your web application security testing with Invicti Enterprise can lead to measurable cost savings. While this isn’t the only possible approach to streamlining your AppSec efforts, it’s the one we’ve seen work in practice for thousands of organizations. Of course, avoiding the potentially crippling costs of a major breach and downtime is the most obvious financial benefit of maintaining a strong security posture, but there are at least five ways Invicti can help you save money more directly:
- Less tedious work with streamlined workflows: Act on accurate results supported by evidence-based scanning to reduce time wasted on manual review and triage. Automate everything you can so your experts only do manual work where it really adds value.
- Centralized security testing and visibility: Use a DAST-based solution as your AppSec command center and add extra depth with interactive application security testing (IAST) and software composition analysis (SCA) as needed for a mixed approach. Integrate with popular issue trackers and collaboration platforms to combine or replace multiple tools and processes.
- Quick payback: See measurable security improvements in days, not months, while improving long-term security with step-by-step remediation guidance and new automated patch testing. Easily demonstrate the effectiveness and value of your C-suite application security program.
- Integrate security into routine development work: Run scans, create developer tickets for security flaws, and fully track remediation across your development teams to address the vast majority of common vulnerabilities without involving the development team. security. Eliminate the security bottleneck by spreading the load across your much larger development teams.
- Best value for money with penetration testing and bug bounty programs: find and eliminate many typical vulnerabilities in-house at no extra cost so that penetration testers and bounty hunters can spend their expensive time identifying and point out more advanced issues that really require human expertise.
More importantly, you can rest easy knowing that you’re improving your security every day while making the best use of your limited resources. In these continually uncertain times, AppSec streaming is your best bet.
The post office Beat Application Security Cost Reductions in Continually Uncertain Times appeared first on Invicti.
*** This is a syndicated blog from the Security Bloggers Network of Invicti written by Zbigniew Banach. Read the original post at: https://www.invicti.com/blog/web-security/web-application-security-cost-cutting/