Software Integrity Blog


How can SMBs maximize AppSec returns on an SMB budget?

Small and medium-size businesses (SMBs) are nonsubsidiary, independent firms that employ fewer than a given number of employees. This number varies from country to country: Gartner defines an SMB as having fewer than 1,000 employees, but the European Union defines an SMB as having fewer than 250 employees.

Managing an SMB budget

Many factors affect the management of any budget. For an SMB, these factors include (but aren’t limited to) these:

  • Innovation
  • Development
  • Sales
  • Marketing
  • Training

Among these considerations, security often takes a back seat. Depending on the industry, security may not be an immediate concern to leadership. In firms where this is true, security usually comes into the picture only once a working product is in place, rather than being built in from the beginning. By the time these firms have a working software product to secure, the security measures they have to apply are more time-consuming and come with a much larger price tag.

Consider this: For an SMB, the security team may consist of fewer than a handful of employees. This team is probably working with less than a million-dollar budget to secure their products; again, this depends on the size of the business and the industry. And again, it becomes increasingly difficult to fix issues on a larger scale as the product moves further through the development life cycle. Hence, rather than taking steps to secure a product after the fact, it makes much more sense for SMBs, like businesses of any size, to have security in mind in the earliest stages of innovation.

Get the eBook How to Build an SSI in 5 Steps

Building security in from the beginning

You’re probably thinking, “Yeah, OK. But how?”

Tools such as Code Sight act as a sort of spell-checker for developers. Scanning code inside the IDE, they catch security vulnerabilities as soon as the insecure code is written. This constant monitoring helps developers resolve issues then and there, and it educates them on common errors so they make fewer mistakes in the future. Consequently, the software serves as a strong foundation on which the product is built. Instilling secure coding best practices in your employees is also a high-yield investment.

Another static application security testing (SAST) tool focusing on software quality and security is Coverity static analysis, which reduces risk and lowers overall project cost by identifying critical quality defects and potential security vulnerabilities during development. Coverity also provides accurate and actionable remediation guidance based on patented techniques and decades of research and development—not to mention the analysis of over 10 billion lines of proprietary and open source code.
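To make the "spell-checker for developers" idea concrete, here is a small added example of the kind of check an IDE-integrated static analyzer performs. It is not code from Code Sight or Coverity and uses no product rule set; it walks the Python syntax tree of a constructed source snippet and flags two classic patterns: a shell command assembled from run-time data, and a SQL statement built by string formatting rather than parameters. The sample source, the rule names and the severity wording are all assumptions made for the illustration.

```python
import ast

# Constructed sample: two insecure lines next to their safer counterparts.
# Not taken from any product or real code base.
SAMPLE_SOURCE = '''
import subprocess

def run_report(user_input, cursor):
    subprocess.run("ls " + user_input, shell=True)                        # command built from input
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % user_input)  # SQL built by formatting
    cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))  # parameterized: fine
    subprocess.run(["ls", user_input])                                    # argv list, no shell: fine
'''


def is_dynamic_string(node):
    """True when a string is assembled at run time: concat, %, .format() or an f-string."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def call_name(node):
    """Dotted name of the callee, e.g. 'subprocess.run' or 'cursor.execute'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def find_findings(source):
    """Return sorted (line_number, message) pairs for the two patterns checked here."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = call_name(node)
        first_arg = node.args[0]
        if name.startswith("subprocess."):
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if shell and is_dynamic_string(first_arg):
                findings.append((node.lineno, "shell=True with a command string built at run time"))
        elif name.endswith(".execute") and is_dynamic_string(first_arg):
            findings.append((node.lineno, "SQL statement built by string formatting; use parameters"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in find_findings(SAMPLE_SOURCE):
        print(f"line {lineno}: {message}")
```

Run against the constructed snippet, the checker reports lines 5 and 6 and stays quiet on the parameterized query and the argv-list call, which is the feedback loop the text describes: the developer sees the finding while the line is still in front of them, and the safe form is one edit away.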

Building on the foundation

Once the foundation is set, identify highly visible applications or those deemed most important by senior leadership. From there, it’s time to establish ways in which to harden these applications further. Strengthen these business-critical applications by performing architecture risk analysis to identify flaws within system designs or by carrying out penetration testing to eliminate vulnerabilities in server-side applications and APIs.

As has been the concern throughout, budget limits how much any firm can do in a given year. However, you have some options. You can choose either to harden a single application by carrying out a series of security measures to keep it as secure as possible, or to distribute the budget among several applications and work through them at the same pace.

Considering the cloud

Many SMBs and enterprises alike are moving to the cloud. A key driver of this shift is cost savings. Owning and maintaining data centers can get very expensive very quickly. The cloud eliminates this issue.

When you’re shifting applications to the cloud, it’s important to understand the shared security model that most cloud operators work on. An SMB must take precautions to follow best practices when it comes to cloud configurations. There is a rise in the number of data breaches due to misconfigurations of cloud services. So if an SMB moves to the cloud, it must hire professionals to perform a review of the cloud environment, in addition to testing the applications hosted there. Be sure to cover all your bases.
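The customer's half of the shared security model is largely configuration, so a cloud environment review is mostly a set of checks over settings. The added example below is not any provider's tooling or API output; it runs a few such checks over a constructed, provider-neutral inventory (a storage bucket and a handful of ingress rules), showing a weak configuration beside its corrected form. The field names, the address ranges and the allowlist of ports expected to face the internet are assumptions for the illustration.

```python
from ipaddress import ip_network

# Constructed inventory in a vendor-neutral shape (not real API output).
# Weak form: a world-readable, unencrypted bucket and admin/database ports open to everyone.
WEAK_CONFIG = {
    "buckets": [
        {"name": "customer-exports", "public_read": True, "encryption_at_rest": False},
    ],
    "firewall_rules": [
        {"port": 22, "source": "0.0.0.0/0"},
        {"port": 443, "source": "0.0.0.0/0"},
        {"port": 5432, "source": "0.0.0.0/0"},
    ],
}

# Corrected form: same resources, exposure limited to what the application actually needs.
HARDENED_CONFIG = {
    "buckets": [
        {"name": "customer-exports", "public_read": False, "encryption_at_rest": True},
    ],
    "firewall_rules": [
        {"port": 22, "source": "203.0.113.0/24"},   # placeholder admin range (TEST-NET-3)
        {"port": 443, "source": "0.0.0.0/0"},       # the public web endpoint is meant to be open
        {"port": 5432, "source": "10.0.0.0/8"},     # database reachable from the private network only
    ],
}

# Ports where world-reachable ingress is expected; anything else open to 0.0.0.0/0 is a finding.
INTERNET_FACING_OK = {80, 443}


def review(config):
    """Return (severity, message) findings for the customer-side settings in the inventory."""
    findings = []
    for bucket in config.get("buckets", []):
        if bucket.get("public_read"):
            findings.append(("high", f"bucket {bucket['name']} is readable by anyone"))
        if not bucket.get("encryption_at_rest"):
            findings.append(("medium", f"bucket {bucket['name']} is not encrypted at rest"))
    for rule in config.get("firewall_rules", []):
        open_to_world = ip_network(rule["source"]).prefixlen == 0
        if open_to_world and rule["port"] not in INTERNET_FACING_OK:
            findings.append(("high", f"port {rule['port']} is open to the whole internet"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, review(cfg) or "no findings")
```

The point of the explicit allowlist is that "open to the internet" is not a finding by itself; port 443 on a public web tier is intended, while the same source range on an SSH or database port is the sort of misconfiguration behind the breaches the text refers to. A review of this shape is cheap to run on every change, which is what makes it a good fit for an SMB budget.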

Summing it up

Prevention is only one part of the software security journey. You must also consider detection and response, which are of equal importance. If a breach does occur, it is essential to catch it early and respond effectively. There must be mechanisms in place to make this happen, such as logging and monitoring to help you detect any unusual activity in your software. Let’s look at a few examples.

A San Francisco–based company, OneLogin, had a breach at 2 a.m. that was stopped by 9 a.m. Customer data was compromised during this time, and the hackers may have had the ability to decrypt encrypted data. This breach is an example of an attack that was discovered and stopped within a few hours.

Compare this case with Equifax, which discovered and fixed a security hole after a couple of months (from mid-May to the end of July).

Even worse was when a popular commenting system, Disqus, had a data breach in 2012, and the company came to know about it only in October 2017, when an independent security researcher notified them. This example shows that there is a vast difference in how detection and response are handled across the industry.
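What separates a breach caught within hours from one found years later is usually whether anyone was looking at the logs with a baseline in mind. The added example below is not from any of the companies above and not a product; it replays a constructed audit log and raises two simple alerts: a login outside business hours from an address never seen before for that user, and a data export far larger than anything that user has exported before. The log format, the business-hours window and the export multiplier are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines (not from any real system):
# timestamp, user, event, source address, records touched.
LOG_LINES = """\
2024-03-04T09:12:05 alice login 198.51.100.7 0
2024-03-04T09:40:11 alice export 198.51.100.7 120
2024-03-04T14:03:30 bob login 198.51.100.9 0
2024-03-05T10:15:42 alice login 198.51.100.7 0
2024-03-05T10:30:00 alice export 198.51.100.7 150
2024-03-06T02:07:19 alice login 203.0.113.55 0
2024-03-06T02:09:44 alice export 203.0.113.55 48000
"""

BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, an assumed normal-activity window
EXPORT_MULTIPLIER = 10          # alert when an export exceeds 10x the user's largest prior export


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, user, event, ip, count = line.split()
    return datetime.fromisoformat(ts), user, event, ip, int(count)


def detect(lines):
    """Replay the log in order and return alerts as (timestamp, user, reason)."""
    seen_ips = defaultdict(set)     # user -> addresses seen on earlier logins
    max_export = defaultdict(int)   # user -> largest export seen so far
    alerts = []
    for line in lines.splitlines():
        ts, user, event, ip, count = parse(line)
        if event == "login":
            new_ip = ip not in seen_ips[user]
            off_hours = ts.hour not in BUSINESS_HOURS
            if new_ip and off_hours:
                alerts.append((ts, user, f"off-hours login from never-seen address {ip}"))
            seen_ips[user].add(ip)
        elif event == "export":
            if max_export[user] and count > EXPORT_MULTIPLIER * max_export[user]:
                alerts.append((ts, user, f"export of {count} records vs prior max {max_export[user]}"))
            max_export[user] = max(max_export[user], count)
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(LOG_LINES):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

On the constructed log the first two days of activity build the baseline and raise nothing; the 2 a.m. login from a new address and the export that follows it both alert within minutes of the event. Both rules are deliberately simple: the value for an SMB is not in sophisticated analytics but in having the log, the baseline and someone who receives the alert in place before the night it matters.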

An organization must carry out proper planning to mature as it grows, and planning for the future is as important as planning for the now. Any company must have a roadmap in place as to how it wants its security program to mature. Make sure your SMB doesn’t waste any budget on something that won’t help you in the long run. Considering the limited budget, each step you take toward securing your applications must be taken in the right direction.

Even though an SMB has a limited security budget, if spent properly, it should still be more than enough to prevent a data breach, now and in the future.