Measuring the Value of Remote Application Security Testing

By balaji

February 13, 2009

It sometimes takes a major application security breach to get us fired up to test our applications. The recent breach at Hannaford Bros. is a good example where attackers managed to steal up to 4.2 million credit card and debit card numbers. It pays to be proactive when doing application security testing. Measuring the value of application and network security testing is the first step as what is measured can be improved. [Disclosure: Paladion/Plynt provides remote application security testing.]

I asked our clients what factors they weigh in when they measure the value of remote application security testing. Here's what I heard:

  1. Avoid the Financial Cost Associated with a Successful Breach
  2. Reduce Downtime
  3. Reduce Operational Burden
  4. Shorten Time to Launch
  5. Leverage Independent Verification Services
  6. Augment Security Resources and Expertise
  7. Avoid Being in the Headlines
  8. Establish Trust and Provide Assurance to Your Customers
  9. Pass Regulatory Audits

  1. Avoid the Financial Cost Associated with a Successful Breach. The potential costs of web application attacks add up very quickly. When you consider the expense of forensic analysis of breached systems, increased call center activity from upset customers, potential legal fees, hefty regulatory fines, and distribution of data breach disclosure notices to all customers, it's no surprise that news reports often peg the cost of incidents at between $20 million and $4.5 billion. Forrester estimates that the cost of a security breach is between $90 and $305 per compromised record.
  2. Reduce Downtime. Proactive testing can reduce the cost of downtime caused by breaches. Denial-of-service attacks, crashed applications, reduced performance, and loss of intellectual property to competitors all add indirectly to the cost of a breach.
  3. Reduce Operational Burden. Remote application testing can lessen the burden enterprises face when securing their applications. With no software or hardware to install and learn, developers and security staff are freed from complex security testing. Enterprises see improved productivity and scalability.
  4. Shorten Time to Launch. Remote application security testing can typically be done globally within days, or within hours if needed. With typical on-demand application security testing services, you can easily integrate application security testing with your testing schedule and overall requirements. This means faster and more effective development, testing and deployment, which saves enterprises of all sizes both time and money.
  5. Leverage Independent Verification Services. Most remote application security providers can offer independent third-party validation, verification and certification services. That makes sure the results of in-house efforts are complete. It also validates that code from an outsourced vendor is free of vulnerabilities and backdoors.
  6. Augment Security Resources and Expertise. Small, medium and even some large enterprises often lack seasoned application security expertise in-house. Using remote application security testing enables enterprises to augment their development and security teams with industry-leading security expertise. They can scale their application testing on an as-needed basis without large capital or operational investments.
  7. Avoid Being in the Headlines. What's that worth? Priceless. Think about "brand risk": is anything else more valuable?
  8. Establish Trust and Provide Assurance to Your Customers. Customers will often ask, "How are you protecting my data?" Most will ask for proof that the applications are being tested on a regular basis. Remote application security testing can help you meet this need in a very cost-effective way.
  9. Pass Regulatory Audits. "Test earlier and more often" is the new mantra for many enterprises. By leveraging economies of scale to bring down cost, and by following well-defined, mature processes and procedures, remote application security testing can provide the way to meet your organization's needs and objectives in securing your applications. In fact, many forget that compliance mandates like the Payment Card Industry (PCI) standard, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley (GLBA) all require demonstrable, verifiable security, especially where most of today's risk exists: at the Web application level.

Many find that the only way to succeed against Web application attacks is to build secure and sustainable applications from the start. However, many enterprises find they have more Web applications and vulnerabilities than security professionals and/or tools to test and remedy them, especially when, in reality, application vulnerability testing doesn't occur until after an application has been sent to production. This leaves applications very susceptible to attack and increases the unacceptable risk of applications failing regulatory audits.

The best way to stay ahead of the curve is to 1) do a risk analysis of your applications to find the most critical ones, and 2) measure the overall value of security testing for these critical applications and create an action plan to address them, taking into account all the constraints you may have. The benefits listed above are a starting point for measuring the value of remote application security testing.
