Security Testing in a Flat World

By Paladion

May 22, 2008

When I read Tom Friedman's argument that the world is flat, I knew he would love the story unfolding in the world of Application Security Testing.
The IT offshoring story has been told many times. Over 80% of the Fortune 500 leverage offshore IT services by setting up captive centers and/or working with strategic outsourcing partners. Over the years the work that's sent overseas has expanded from low-end work to very high-end work, including drug research, fundamental research and product development.
Security testing has not been immune to this trend. The early adopters have been the large banks and financial institutions.
Let’s do the numbers
The benefits of offshore security testing are being reaped both by small and mid-size players and equally by the big name brands the world is familiar with. (Disclosure: Plynt's parent Paladion has over 150 security staff providing both dedicated security testing teams and project-based testing services to over 400 enterprises globally.)
Let’s review the typical duties of an application security professional in an enterprise:

  • Designing / reviewing application security architecture
  • Developing the application threat profile and test cases for security testing
  • Conducting baseline reviews, gray box tests and code reviews
  • Reporting and tracking results with development and management
  • Ensuring overall compliance with internal and regulatory standards

Back of the envelope calculations lead to these rough estimates:

  • Each application security consultant can support 10-15 applications in a year.
  • CIOs and CSOs of mid-size to large enterprises ($200 M - $10 B) have between 200 and ~1000 applications deployed in their organizations.
  • These applications are usually quite diverse, including web based, thick client, mobile, internally developed, custom, off the shelf, .NET, J2EE, legacy etc.
  • Enterprise application security teams with expertise in multiple industry tool sets, and the ability to support different development platforms, are 10 to 30 strong.
  • Cost per consultant in the US / Western Europe, including overheads, is between $150K and $300K annually.

Building and sustaining a dedicated team to conduct regular and comprehensive security assessments is prohibitively costly. The strategy followed in most cases is to focus on just the critical applications and conduct ad-hoc security assessments on them. But new alternative business models and technologies have emerged which give CIOs and CSOs greater control over a greater proportion of their applications at substantially lower investment.
Necessity is the mother of invention
Thus we are seeing CIOs and CSOs increasingly taking on the application security challenge head on, with the same gusto with which they have (almost) tamed the network security gorilla in the past. Several global financial leaders are already riding the offshore security testing model. They gain significant cost savings by setting up both captive and dedicated offshore application security testing teams. Others are expanding their security testing vendor list to include offshore security testing leaders. This strategy gives them instant access to most of the benefits with limited upfront investments.

Not all security can be offshored

Certain applications, and certain sectors that deal with sensitive production data, may not qualify for offshore security testing. Most of the leading vendors will do a quick assessment for you to determine how much of your security testing can be performed offshore. Most vendors will also provide the flexibility of hybrid on-site / offshore models.
5 steps to integrate offshore security testing into your enterprise security strategy

  1. Identify Security Partner & Offshore Captive Units: Talk to leading offshore security testing players and internal captive units. Consider BOT (Build-Operate-Transfer) models. (CIO/CSO activity)
  2. Quantify goals: Application inventory, risk-based categorization, security testing and posture goals for each category. (CIO/CSO jointly with Partner/Offshore Unit)
  3. Quantify the benefits: % that can be tested offshore, cost of setting up, annual savings. (Partner / Offshore Unit)
  4. Proof of Concept (three-month period): Conduct several rounds of testing and types of testing, integrate with existing processes, tighten all processes.
  5. Monitor-Control-Direct: Leverage dashboards, metrics, workflows and vulnerability management technologies to integrate with, and run in step with, enterprise security goals, compliance requirements and the software development life cycle.

Tags: Penetration testing, Uncategorized, banks, financial industry, offshoring, outsourcing, security testing