In May 2020, a smartphone caller identification app reported a security breach in which the personal data of more than 47.5 million users was exposed. This was only one of the many instances that left data exposed and caused vulnerabilities in 2020. From healthcare institutions to tech, software, social media and meal delivery companies, cybercriminals have targeted every industry, stealing billions of records.
“ In contrast to common perception, app security testing doesn’t always have to be a heavy investment”
At the same time, reduced IT budgets meant that chief information security officers (CISOs) had to cut costs and compromise on risk management programs. One area of focused budget cuts was application security testing, an expensive but imperative part of the process.
Read more: How Security and Risk Leaders Can Prepare for Reduced Budgets
“Security testing helps identify vulnerabilities early on in the application development process,” says Mark Horvath, Senior Director Analyst, Gartner. “However, CISOs find it difficult to justify the costs of application security testing. Compromising on this step can have serious implications, and it is important to not skip it.”
In contrast to common perception, app security testing doesn’t always have to be a heavy investment. CISOs can consider these seven tips to conduct security testing effectively without putting a strain on their budgets.
Include security experts in the architectural review at the start of development
Early testing minimizes the cost of fixing software defects. Including security experts at an early stage of development helps identify the gaps in security and remediate the risks. Organizations can avoid remodeling and remediation efforts if threats are mitigated at the very beginning.
Threat modeling is an expensive exercise, but in many cases can be done internally with free downloadable software. This is not restricted to new applications and can be extended to existing software, too. Especially when existing software is being repurposed or exposed as web services, a structured assessment of the risks and scenarios where an application can be attacked offers the opportunity to create test cases.
Read more: Gartner Top 9 Security and Risk Trends for 2020
Select affordable testing options when budgets are reduced
In scenarios where budget constraints are a big hurdle to security testing, CISOs can benefit from affordable and open-source options. While these alternatives are often incomplete in terms of language, framework and vulnerability coverage, and functionality, with the appropriate customization and plug-ins, they can enable an effective application security program with minimal resources.
The free software doesn’t come with enterprise functionality such as dashboards, comprehensive reporting, distributed scanning sensors or plug-ins to integrate into the software development life cycle. However, internal experts can fill this gap by writing their own scripts, or can operate the tools manually where needed.
Use security testing services to jump-start your application security program
Involve developers in the testing process so that they can produce high-quality code once they understand the possible threats. “Assign one of your developers to shadow the pentester or application security testing service, or have your developer manage the program,” says Horvath.
Gartner research suggests that developers in this kind of program are prone to make significantly fewer security errors. These developers can also act as subject matter experts or security champions and identify issues more quickly for the team in the future.
In addition to involving developers in testing, CISOs can also introduce numerous “ethical hacking” courses available online to developers. This can enable developers to understand the world view on securing applications and how attackers operate.