Application Security Blog | True Positives

Conquering Application Security with a Money-Saving Sidekick

Written by Brian Pavicic | Mar 1, 2023 1:45:00 PM

Rising application security costs are affecting the global market.

The subject of rising application security costs is a hot topic of discussion throughout many businesses in 2023. However, the issue of security cost sustainability is not a new one; it is a longstanding and deep-seated problem that demands to be taken seriously. Up until now we’ve just muttered under our breath and paid the piper. But in the current world economic conditions, what was once a challenging but acceptable cost of doing business has morphed into a rapacious creditor and gluttonous resource hog that can no longer be tolerated.

The smoldering discontent over the burgeoning costs of software security accountability is forcing many businesses to despise the very notion of application security. Businesses are using their resentment to justify cost-cutting tactics without fully assessing the risks those tactics place on their software assets. This inevitably costs them more in the long run when ignored issues accumulate and bubble to the surface... as they do.


AppSec Decisions - Cut or No?

Cutting down on application security to save money is not a safe or effective method.

The only ones that will avoid the embarrassment and defamation fallout are those who take the proper steps to avoid the risk altogether. This means having the right staff, tools, and approach properly implemented and functioning efficiently. No missed steps. No extra steps. Utilizing effectiveness as a way to safely cut costs without skimping on security.

The application security industry is highly susceptible to shifting dynamics which in turn make it extremely challenging for those without sufficient knowledge to accurately and quickly diagnose and remediate the complex issues that arise. Misdiagnosis, failed remediation and wasted time are added expenses that the business does not need.

Whether you are restructuring in the face of cutbacks, or simply by the necessity of finding a better way, I hope the following tips will help you reduce your learning curve and give you a starting advantage in understanding the application and software security industry landscape. You’re walking into a complex and constantly shifting world.


Learn to Spot a Trustworthy and Knowledgeable Source

An ounce of prevention is worth a pound of cure.

It's extremely clear that having the right appsec partner makes life easier. When you compare the price tag of this investment to a costly waste of time or the financial and other possible repercussions of a damaging misstep, you will understand why having a knowledgeable partner beside you is the sweetest spot to be in.

Having a knowledgeable partner is like having a highly skilled software security surgeon on hand. But it’s difficult for most people to differentiate the surgeon from the back-alley hack. It’s imperative to know what makes a good surgeon so you can tell the difference.


They Know Their Tools

The first part of any software security partner's job is knowing what tools will be required for the operation and having the ability to wield them with otherworldly precision. The partner understands the history of each tool, the technology, and the use cases it is best implemented on. They know the strengths and limitations of both weapons and foes.

They must also be able to detect, through subtleties in result degradation, when that tool may no longer be the best choice. They’ll also know when to call in “the specialists” - niche tools that are effective in specific situations but inappropriate for broader applications.


They Know the Best Course of Action

Application security is complex and constantly shifting.

There is no room for preferential treatment or bias within your partnership. A partner should choose the right tools and approaches for the job and offer a myriad of safeguards and advantages. An unbiased partner, also referred to as 'vendor agnostic', will be better equipped to assess your circumstances and recommend suitably effective solutions. A biased partner will utilize your ignorance to talk you into tools that benefit their pocket, not your security or best interests.

The services and qualities you are looking for include but are not limited to:

  • Use-case and environment-specific consultation
  • Knowledgeable representation of multiple proven vendor solutions
  • A sophisticated understanding of contemporary best practices and criteria for success
  • Experience and savvy with quality- and cost-control-focused re-engineering
  • Facilitation of and advanced support for evaluation, proof-of-concept, or trial work
  • Keen awareness of free-to-use and open-source alternative solutions

Where the task involves protecting a few or more essential web or software systems, the first words from your partner's lips should be about making smart tool choices so that you get the absolute most from automation.


There When You Need Them

The right appsec partner anticipates problems and is there when you need them. There is an industry-wide shortage of qualified infosec personnel. As you can imagine, this is causing many negative effects.

All the best tools mean nothing without the hands to run them, and when solid pen testers are out of budget and booked into next year, they’re of little help to you.

The right partner ensures you are never alone or hung out to dry.

In conclusion, while this is just a glimpse into the world that is application and software security, it should be clear by now that to have a fighting chance out there you need a knowledgeable ally who knows your opponent and the tools of engagement.