Beating application security cost cuts in continuously uncertain times

After briefly stirring into life as Covid restrictions were lifted, companies and entire economies are again stepping on the brakes as they brace for yet another “current situation.” At the same time, the pandemic has only increased the dependence on web-based systems in all walks of life and business. With attacks mounting, web security is paramount – but how do you maintain and improve it despite the inevitable cost-cutting?

Security is not a luxury

If you’re anything like me, you’re likely sick and tired of seeing phrases like “in these uncertain times” or “due to the current situation” everywhere since the start of Covid. So to start with a quote from Simon Sinek: all times are uncertain. Yes, the global economy is trending downwards; yes, geopolitical instability is the greatest in many decades; and yes, cyberattacks are relentlessly accelerating to take advantage of the chaos. These are no longer uncertain times but the new facts of life, so organizations need to adjust and keep going – which includes not only keeping an eye on their costs but also minimizing security risks.

As we heard from customers at this year’s RSA Conference, enterprises are fully aware of the need for web application security – now the only question is how to do it. Not long ago, AppSec was treated as a nice-to-have that could be put on hold in tougher times, and we certainly saw a lot of that during the Covid slowdown. The current economic downturn, however, is expected to last for years, so waiting it out is not a realistic option. Realizing this, organizations are reframing their approach to application security, looking for ways to stay secure in the long run despite tightening purse strings. For many, that means doing less security while making it cheaper and more effective.

Separating security testing from development is expensive

The idea that security is something you can simply bolt on comes from the world of on-premises networking, where a tight perimeter defense based on firewalls has always been the most secure approach. But there is no way to build a watertight perimeter around a web application, especially as technology stacks and deployment models evolve rapidly and become ever more distributed across cloud environments. While web application firewalls (WAFs) exist and should be part of any AppSec toolbox, their purpose is to block specific attacks and give you time to fix an underlying vulnerability, not to serve as your primary line of defense. The best way to minimize security risk in the long run is to deliver applications with no known vulnerabilities – which means lots and lots of testing.

The days of relying only on external penetration testing for your application security are more or less gone, especially in large organizations that build and run their own software. Typically, internal security teams are charged with running and maintaining various security testing solutions, triaging security issues, and keeping an eye on remediation efforts. All too often, the same teams are also handling network and systems security, with routine application security testing inevitably given a lower priority than day-to-day firefighting.

Keeping security testing separate from development makes it slow and costly both to run tests and to remediate security defects, even assuming that your application security testing tools don’t generate extra work in the form of false positives. Coupled with internal friction and delays from inefficient communication between the developers and security engineers, this can reinforce the misconception that security is an anchor for innovation and a cost center for the company. Besides the disturbing fact that this causes development teams to skip some or all security testing when time is tight, it also puts security in the front row when budget-holders deal out the cost cuts.

Making security a sustainable part of software quality

With all this in mind, many organizations now face a dilemma: they can’t afford to keep doing application security the way they used to but also can’t afford to stop doing it and risk a data breach (or worse). The answer is to stop thinking about application security as a step in your workflows and treat it as an inherent aspect of software quality, no less important than performance, functionality, or usability. That way, you can weave it into the development pipeline and automate it for maximum efficiency in terms of workload and cost. 

You might say that sounds a lot like shifting left, and you wouldn’t be far off the mark – except that testing only in development is not enough, especially when it’s all about static analysis that cannot cover runtime vulnerabilities. To truly infuse security testing into the entire software development lifecycle (SDLC), you need to test at all stages from development to production and also do it with fast and permanent remediation in mind. In practice, this makes integrated and fully automated dynamic application security testing (DAST) the only realistic way to cover your entire web attack surface continuously and at a predictable budget.

Simplifying and automating AppSec efforts is also crucial for building DevSecOps processes that eliminate rigid internal roles and divisions across development, security, and operations. In that context, having a reliable security testing platform that feeds directly into development with little to no input from security experts makes it possible to resolve security defects like any other software bug without holding up the entire pipeline. Having and fostering security champions in your development teams is another way to distribute security expertise across the organization and make secure development an inherent part of your workflow rather than a costly speed bump.

5 ways to save money with Invicti

So that’s the theory – but let’s see how centralizing and simplifying your web application security testing with Invicti Enterprise can yield measurable savings. While this is not the only possible approach to streamlining your AppSec efforts, it is one that we’ve seen work in practice for thousands of organizations. Of course, avoiding the potentially crippling costs of a major breach and downtime is the most obvious financial benefit of maintaining a solid security posture, but there are at least five ways that Invicti can help you save money more directly:

  • Less busywork through streamlined workflows: Act on accurate results backed by Proof-Based Scanning to cut down on time wasted on manual verification and triaging. Automate everything you can so your experts only do manual work where it really brings value.
  • Centralized security testing and visibility: Use a DAST-based solution as your AppSec command center and add extra depth with interactive application security testing (IAST) and software composition analysis (SCA) as necessary for a blended approach. Integrate with popular issue trackers and collaboration platforms to combine or replace multiple tools and processes.
  • Rapid time to value: See measurable security improvements in days, not months, while also improving security in the long run thanks to detailed remediation guidance and automatic fix retesting. Easily demonstrate the effectiveness and value of your application security program to the C-suite.
  • Making security a part of routine development work: Run scans, create developer tickets for security defects, and track remediation entirely within your development teams to resolve the vast majority of common vulnerabilities without involving the security team. Eliminate the security bottleneck by spreading the load to your far more numerous development teams.
  • Better value from penetration testing and bug bounty programs: Find and eliminate many typical vulnerabilities in-house at no extra cost so that penetration testers and bounty hunters can spend their expensive time on identifying and reporting more advanced issues that truly require human expertise.

Most importantly, you can sleep soundly with the knowledge that you are improving your security every single day while making the best possible use of your limited resources. In continuously uncertain times, continuous AppSec is your best bet.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.