A managed services partner should do more than run the tests you choose. The right partner will work with you to shape your application security program.
If your firm has attempted to hire internal security experts lately, you know they’re few and far between.
Companies often look for a range of skills, including malware, threat mitigation, cryptography, and forensics, as well as industry-specific knowledge, cloud and mobile security, advanced analytics, and network virtualization. That’s a lot to ask of any single expert. Add to that list the soft skills needed to do the job (communication, management, reporting, etc.), and you might as well be searching for the Loch Ness Monster.
The shortage of these experts has caused their salaries to skyrocket. So even if you do find this elusive Nessie, it’ll cost you. Adding up the cost of salary, benefits and overhead, and training to make sure your new security expert is up to speed, you’ll see it’s quite an investment for a very specific skill set.
There is still the risk that this rare creature will be lured away by a job with even better pay and benefits, leaving you high and dry. More than half of companies report that it takes three to six months, or even longer, to fill open cyber security positions. And research suggests that the conservative cost of replacing an employee is 34% of their annual salary.
Depending on a small internal team of highly skilled security gurus often means that all your institutional application security knowledge leaves your company when they do. On the other hand, if your internal strategic team works with an outsourced managed services partner, that knowledge is already institutional within your vendor and it isn’t lost.
While it’s wise to keep a small team of application security experts in-house, one of the biggest advantages of outsourcing is the additional bandwidth it gives you to do more testing. More testing means increased portfolio coverage, and partnering with an experienced vendor allows you to use your budget more effectively.
If you outsource to an application security testing vendor, you’re not only getting increased bandwidth, but you’re also getting more breadth and depth in the testing services and skills they bring to your organization.
Breadth of service allows you to quickly evolve from traditional automated dynamic application security testing (DAST) to business logic-based penetration testing, to static application security testing (SAST), and then to increasing your platform coverage (including mobile).
Depth allows you to better tailor your testing based on your applications’ risk profile, providing you with more granularity to manage your budget. If a managed services partner takes care of the tactical testing elements of your firm’s software security program, your in-house team can ensure your strategy is properly executed, with the added benefit that they can work more closely with your development teams.
Finally, data should drive policy and strategy decisions. Once your managed services partner gets going on the testing you have outsourced, the in-house team can continually examine the vulnerabilities found and evolve your program accordingly. Expanded application security testing allows your in-house team to deal with vulnerability management effectively by monitoring results and prioritizing on your terms.
Freeing up your internal team also allows them to guide other internal stakeholders as part of your software security initiative—determining how your organization’s SSI should mature, reaching out to development teams to discuss good coding practices, and coordinating software security training and policy.
As you can see, managed services has a much broader impact on an organization than just testing a series of apps.
When you bring in a managed services partner, you have access to a pool of experts. Some will have deep expertise in secure architecture, others in business logic testing or threat modeling, and some may be mobile gurus.
Rather than hire full-time specialists in each of these areas, you can simply draw on them as needed. A managed services team works when you need them to, doesn’t require that you pay them benefits, and comes with their own workspace and set of tools. These team members also have the experience and skills to make the most of these tools. Most importantly, the team can work on multiple tests and projects at once. In the end, you only pay for the people and tools you need when you need them.
When you work with a managed services partner, it’s not just about throwing tests at them. It’s about a partnership: a relationship that allows you to take advantage of their software and application security knowledge and experience. That experience should guide your program.
This post was originally published March 3, 2016, and refreshed May 18, 2020.