In May 2020, a smartphone caller identification app reported a security breach in which the personal data of more than 47.5 million users was exposed. This was only one of the many instances that left data exposed and caused vulnerabilities in 2020. From healthcare institutions to tech, software, social media and meal delivery companies, cybercriminals have targeted every industry, stealing billions of records.
In contrast to common perception, app security testing doesn’t always have to be a heavy investment
At the same time, reduced IT budgets meant that chief information security officers (CISOs) had to cut costs and compromise on risk management programs. One area of focused budget cuts was application security testing, an expensive but imperative part of the process.
“Security testing helps identify vulnerabilities early on in the application development process,” says Mark Horvath, Senior Director Analyst, Gartner. “However, CISOs find it difficult to justify the costs of application security testing. Compromising on this step can have serious implications, and it is important to not skip it.”
In contrast to common perception, app security testing doesn’t always have to be a heavy investment. CISOs can consider these seven tips to conduct security testing effectively without putting a strain on their budgets.
Include security experts in the architectural review at the start of development
Early testing minimizes the cost of fixing software defects. Including security experts at an early stage of development helps identify the gaps in security and remediate the risks. Organizations can avoid remodeling and remediation efforts if threats are mitigated at the very beginning.
Threat modeling is an expensive exercise, but in many cases can be done internally with free downloadable software. This is not restricted to new applications and can be extended to existing software, too. Especially when existing software is being repurposed or exposed as web services, a structured assessment of the risks and scenarios where an application can be attacked offers the opportunity to create test cases.
Select affordable testing options when budgets are reduced
In scenarios where budget constraints are a big hurdle to security testing, CISOs can benefit from affordable and open-source options. While these alternatives are often incomplete in terms of language, framework and vulnerability coverage, and functionality, with the appropriate customization and plug-ins, they can enable an effective application security program with minimal resources.
The free software doesn’t come with enterprise functionality such as dashboards, comprehensive reporting, distributed scanning sensors or plug-ins to integrate into the software development life cycle. However, internal experts can fill this gap by writing their own scripts, or can operate the tools manually where needed.
Use security testing services to jump-start your application security program
Involve developers in the testing process so that they can produce high-quality code once they understand the possible threats. “Assign one of your developers to shadow the pentester or application security testing service, or have your developer manage the program,” says Horvath.
Gartner research suggests that developers in this kind of program are prone to make significantly fewer security errors. These developers can also act as subject matter experts or security champions and identify issues more quickly for the team in the future.
In addition to involving developers in testing, CISOs can also introduce numerous “ethical hacking” courses available online to developers. This can enable developers to understand the world view on securing applications and how attackers operate.
Reevaluate your mix of security techniques on a periodic basis
As the program matures, and as new styles of coding and new technologies are introduced, vulnerabilities evolve. CISOs need to plan for this by scheduling periodic evaluations of the security techniques in practice.
For example, “If you have an application that is mostly in maintenance mode and requires mostly cosmetic changes, move resources from code scanning into pentest,” Horvath says.
Periodic testing is wrongly perceived as a cost-draining process. However, semiannual or quarterly reevaluation of priorities can optimize resources and ensure that development and security teams are familiar with all the tools.
Rotate testers and apply time limits to prevent overfamiliarity and burnout
Gartner research suggests that the number of threats found by a security tester reduces gradually over a period of five weeks and significantly declines after eight weeks of running a code. This doesn’t mean that the threats have been reduced. Because the tester is viewing the code multiple times, fatigue sets in. This can be a problem with critical sections of code or software, especially when the full functionality of the code may not always be tested or exercised.
Introducing code testing to a fresh set of eyes can help identify vulnerabilities that someone who has been working on the software for too long may have overlooked.
Avoid wasting paid testing hours
Underpreparedness is not new to the testing environment. Often when consultants arrive to begin testing, they are not fully briefed or prepared for the kinds of tests that have been requested. This causes delays in testing, less accurate results, and lower productivity for development teams and pentesters.
Prepare for the testing ahead of time by meeting with vendors and discussing the types and scale of testing you want to conduct, and preselect areas of code, infrastructure and processes you identify as gaps in your overall testing coverage. Use external testers to find business logic errors instead of the more “low-hanging fruit” types of issues that your internal testing can uncover.
Be flexible when scheduling opportunities for testing
Rolling out testing changes to a small population is a common practice within DevOps organizations. As these tests are performed in a controlled environment, it reduces the risks of exposing the entire organization to threats. CISOs can plan for canary or A/B testing during breaks in normal business hours, such as weekends and holidays. Another option is to set up parallel environments for security testing.
“Issues that appear as security vulnerabilities are often a product of poor code development. By using these security testing tips, organizations can create a robust framework for their applications’ security,” says Horvath.