#HowTo Create a Budget-Friendly Security Testing Program


From healthcare institutions to tech, software, social media and meal delivery companies, cyber-criminals have targeted every industry, stealing billions of records and causing millions in damages. At the same time, reduced IT budgets mean that CISOs are having to cut costs and compromise on risk management programs.

One area of focused budget cuts is application security testing, an expensive but essential part of the process. Security testing identifies vulnerabilities early in the application development process, yet CISOs find it difficult to justify its cost. Compromising on this step can have serious implications, and it is important not to skip it.

One of the key challenges organizations today are facing is that security testing is brought in too late in the development cycle, when changes are expensive and have a large impact on project timelines. Leaving testing so close to the launch phase not only causes delayed deadlines but also forces risk acceptances.

When testing is brought to the front of the project timeline, organizations often fail to transfer the security knowledge from the testers to the developers, which means the same problems crop up multiple times in the development cycle.

The value of security testing results also falls off as testers become overfamiliar with the code, which increases the chance that vulnerabilities are glossed over. With that being said, application security testing doesn’t always have to be a heavy investment or time commitment. Consider these tips for conducting security testing effectively without putting a strain on your budget and resources.

Include security experts in the architectural review at the start of software development

Early testing minimizes the cost of fixing software defects. Discovering an architectural flaw late in the testing phase leaves project managers only a few, expensive options: mitigation, risk acceptance, or redesign. By involving security experts at an early stage of development, organizations can identify the gaps and remediate the risks.

Threat modelling is the foundation of an application security program. Importantly, from a budgeting standpoint, a threat modelling exercise can be inexpensive and, in many cases, done internally with free downloadable software.

This is not restricted to new applications and can be extended to existing software, too. Especially when existing software is being repurposed or exposed as web services, a structured assessment of the risks and scenarios where an application can be attacked offers the opportunity to create test cases.

Affordable testing options when budgets are reduced

In scenarios where budget constraints are a big hurdle to security testing, CISOs can benefit from affordable and open-source options. While these alternatives are often incomplete in terms of vulnerability coverage and functionality, with the appropriate customization and plug-ins, they can enable an effective application security program with minimal resources.

The free software doesn’t come with enterprise functionality such as dashboards, comprehensive reporting, distributed scanning sensors or plug-ins to integrate into the software development life cycle. However, internal experts can fill this gap by writing their own scripts and can operate the tools manually where needed.
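The gap described above, reporting and SDLC integration around a free scanner, is one an in-house script can close. The following is an added example, not code from the article or from any particular tool: it assumes the scanner can emit a JSON report with an `issues` list (the field names `rule`, `severity`, `file` and `line` are assumptions for illustration; real tools have their own formats), deduplicates the findings, summarizes them by severity, diffs them against a baseline from the previous scan, and returns a pass/fail decision a CI job can act on.

```python
import json
import sys
from collections import Counter

# Constructed sample report in the assumed shape: an "issues" list whose entries
# carry rule, severity, file and line. Not output from any real scanner.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"rule": "sql-injection", "severity": "High", "file": "app/db.py", "line": 42},
        {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
        {"rule": "hardcoded-secret", "severity": "medium", "file": "app/config.py", "line": 7},
        {"rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3},
    ]
})

# Constructed baseline from a hypothetical earlier scan; only one finding was known then.
SAMPLE_BASELINE = json.dumps({
    "issues": [
        {"rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3},
    ]
})

# Ordering used for the gate threshold; unknown severities rank lowest.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def finding_key(issue):
    """Identity of a finding: same rule at the same location is the same finding."""
    return (issue["rule"], issue["file"], issue["line"])


def load_findings(report_text):
    """Parse a report, normalize severity to lowercase and drop exact duplicates."""
    data = json.loads(report_text)
    seen = set()
    findings = []
    for issue in data.get("issues", []):
        key = finding_key(issue)
        if key in seen:
            continue
        seen.add(key)
        findings.append({**issue, "severity": str(issue.get("severity", "info")).lower()})
    return findings


def summarize(findings):
    """Count findings per severity, listing every known severity even when zero."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def new_findings(current, baseline):
    """Findings present in the current scan but absent from the baseline scan."""
    known = {finding_key(f) for f in baseline}
    return [f for f in current if finding_key(f) not in known]


def gate(findings, fail_at="high"):
    """Return (passed, blocking): passed is False when any finding is at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return (len(blocking) == 0, blocking)


def render(findings, baseline=None):
    """Plain-text summary suitable for a CI log or a ticket comment."""
    lines = ["Findings by severity:"]
    lines += [f"  {sev:>8}: {n}" for sev, n in summarize(findings).items()]
    if baseline is not None:
        fresh = new_findings(findings, baseline)
        lines.append(f"New since baseline: {len(fresh)}")
        lines += [f"  [{f['severity']}] {f['rule']} at {f['file']}:{f['line']}" for f in fresh]
    return "\n".join(lines)


if __name__ == "__main__":
    current = load_findings(SAMPLE_REPORT)
    previous = load_findings(SAMPLE_BASELINE)
    print(render(current, previous))
    passed, blocking = gate(current, fail_at="high")
    print("GATE:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    sys.exit(0 if passed else 1)
```

Run as-is it summarizes the embedded sample and exits non-zero because a high-severity finding is present; in a pipeline, replace the embedded strings with the scanner's report and the previous run's stored report. The baseline diff is what makes the output useful day to day: developers see only what their change introduced, while the severity gate keeps the enforcement rule explicit and easy to tune.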

Use security testing services to jump-start your application security program

The strategy here is to assign one of your developers to shadow the pen tester during the application security testing phase of development.

By involving developers (or QA testers) in the security testing, they begin to get an overview of security and testing issues and a view of the kinds of mistakes their team makes. They also gain immediate tactical information about how to identify, avoid and remediate these same mistakes in other parts of the codebase. These developers can also act as subject matter experts or security champions and identify issues more quickly for the team in the future.

Although this can result in a significant increase in workload, which will need to be balanced out against other priorities, it will provide a great deal of payback. In almost every development organization there are people who have a natural interest in security, and these kinds of activities can help managers identify and train them, thus growing security into an ongoing team contribution.

Re-evaluate your mix of security techniques on a periodic basis

As the program matures, and as new styles of coding and new technologies are introduced, vulnerabilities will naturally evolve. CISOs need to plan for this by scheduling periodic evaluations of the security techniques in practice. For example, if you have an application that is mostly in maintenance mode and requires mostly cosmetic changes, move resources from code scanning into penetration testing.

Periodic testing is wrongly perceived as a cost-draining process. However, semi-annual or quarterly re-evaluation of priorities can optimize resources and ensure that development and security teams are familiar with all the tools.

Rotate testers and apply time limits to prevent overfamiliarity and burnout

The number of threats found by a security tester reduces gradually over a period of five weeks and declines significantly after eight weeks of reviewing the same code. This is due, in part, to fatigue: after looking at the same code for some time, the tester becomes used to seeing it and is less likely to spot anything out of the ordinary. This is a particular problem when reviewing critical sections of code, or software whose full functionality cannot be tested or exercised.

Introducing code testing to a fresh set of eyes can help identify vulnerabilities that someone who has been working on the software for too long may have overlooked.

Avoid wasting paid testing hours

Under-preparedness is not new to the testing environment. Often when consultants arrive to begin testing, they are not fully briefed or prepared for the kinds of tests that have been requested. This causes delays in testing, less accurate results, and lower productivity for development teams and pen testers.

Time that should be spent testing becomes time spent setting up the environment, taking shortcuts, or running fewer or shorter tests to stay on schedule. Prepare for the testing ahead of time by meeting with vendors and discussing the types and scale of testing you want to conduct, and preselect areas of code, infrastructure and processes you identify as gaps in your overall testing coverage.

Be flexible when scheduling opportunities for testing

Rolling out changes to a small population first is a common practice within DevOps organizations. Because these tests are performed in a controlled environment, the risk of exposing the entire organization to threats is reduced.

CISOs can plan for canary or A/B testing outside normal business hours, such as on weekends and holidays. Another option is to set up parallel environments for security testing.

Bonus tip – Showcase the value of security testing

Do not miss the opportunity to communicate the value that security testing brings to the organization. By starting with affordable options, security leaders can demonstrate the value of application security testing, increase the internal knowledge, and grow their application security budget in time.
