Ready to Change the Way You Approach Application Security?

Our methodology supports a manual process to in-depth security testing. What does that mean? Well, real humans, with real-world experience "thinking like a hacker" are the ones that are searching for vulnerabilities in your technology that can be exploited. Hackers are people--not scans, or machines. The strongest defense companies can have to secure their tech is to have a team of experts to discover your weaknesses before hackers exploit them.

You don't know what you don't know. Vulnerabilities exist and can be found and fixed collaboratively by your team working with security experts like ISE, or attackers can find them and exploit them. Scans and more automated, less expensive security testing methods might discover the bare minimum, but the fact is that attackers are going to discover what provides them the biggest payload--and that won't be found in scans. Testing at the bare minimum leaves a level of risk that can't even be measured until you know what vulnerabilities exist and the severity of them.  

Dynamic manual testing to extract assets and document all vulnerabilities possible within budget will provide the most robust testing. ISE's approach is a hybrid of both a vulnerability assessment--which provides a lot of coverage but not always a lot of depth--and a pentest which has an incredible amount of depth but tends to be narrow in scope.

 

The short answer is frequently. People tend to follow these inappropriately long timelines because somehow the idea of “annual” testing has become a commonly referenced idea. However, the world changes rapidly, especially when it comes to technology — this inherently changes your security posture since your last round of security testing. Furthermore, attackers are evolving at a relentless pace — if you aren’t reassessing your security often enough, it’s only a matter of time before they have the advantage. 

Security is an ongoing process: you’ll need to regularly reassess your system for vulnerabilities. If you want to do it right, though, cadence matters. The right reassessment interval for most apps is every three to six months. 

 

Here’s the harsh reality, though: the less you invest, the less it returns. When you cut costs too far, you prevent outcomes that help you get better. Achieving your security mission is going to cost you time, effort, and money. There is no way around that. When those investments get cut to the bone, what’s really reduced is your ability to succeed. 

The trick to successful application security lies in finding that magical balance where you uncover useful issues without investing too much or too little. We call this the Goldilocks Principle--the sweet spot between yearly cost and effort and the useful issues discovered. 

While a slim margin of companies can overspend on security, the vast majority fall into the category of understanding. Why? Security is often viewed as a “tax” on the business. Companies want to minimize any kind of tax, and so they try to cut security spending inappropriately. However, most people don’t realize that when you cut costs, what you actually cut is effort.

As a ballpark estimate, to do application security testing right is probably going to cost $30,000 to $150,000 or more per year, per application. Some cost far more than that. 

Security isn’t cheap because it’s not easy, it requires a unique skill set, and it takes effort. 

However, doing security right is worth the price. 

The reports written by the testing team can be shared! After the testing work is complete, having an actionable deliverable will show your team how to fix the issues, but then also be documented proof that thorough testing was carried out. These reports should indicate remediation and status of found issues so that both vendors and customers have assurance on the diligence of the products' security testing.

One of the best methods for training engineers is that of hands-on lab experience. At ISE, we call this a Hackalong workshop. The workshop provides a lab environment for engineers to hack alongside security analysts for hands-on learning for practical security concepts. The dynamic workshops can explore software, webapps, hardware, and more. 

We've found that when searching for the right security partner, companies should look for three things:

1. Consulting services are a must. If these aren't being provided, then you're receiving just the bare minimum.

2. They employ specialists. There should be a team of security experts on staff who are dedicated to researching custom solutions to your problems. Beware of companies that rely on crowdsourcing expertise or contract out specialists.

3. High cumulative experience of in-house talent. The right partner offers an in-house team of talent that has years of experience in finding vulnerabilities in a diverse set of technologies. This experience allows them to pull from what they’ve seen with so many other apps and technologies that they can apply that expertise of experience immediately to your needs.