Security Testing in a Flat World
When I read Tom Friedman's argument that the world is flat, I knew he would love the story unfolding in the world of application security testing.
The IT offshoring story has been told many times. Over 80% of the Fortune 500 leverage offshore IT services by setting up captive centers and/or working with strategic outsourcing partners. Over the years, the work sent overseas has expanded from low-end work to very high-end work, including drug research, fundamental research, and product development.
Security testing has not been immune to this trend. The early adopters have been the large banks and financial institutions.
Let’s do the numbers
The benefits of offshore security testing are being reaped by small and mid-size players and equally by the big-name brands the world is familiar with. (Disclosure: Plynt's parent Paladion has over 150 security staff providing both dedicated security testing teams and project-based testing services to over 400 enterprises globally.)
Let’s review the typical duties of an application security professional in an enterprise:
- Designing and reviewing application security architecture
- Developing application threat profiles and test cases for security testing
- Conducting baseline reviews, gray-box tests, and code reviews
- Reporting and tracking results with development and management
- Ensuring overall compliance with internal and regulatory standards
Back-of-the-envelope calculations lead to these rough estimates:
- Each application security consultant can support 10-15 applications in a year.
- CIOs and CSOs of mid-size to large enterprises ($200 M - $10 B) have between 200 and ~1,000 applications deployed in their organizations.
- These applications are usually quite diverse: web-based, thick client, mobile, internally developed, custom, off-the-shelf, .NET, J2EE, legacy, etc.
- Enterprise application security teams with expertise in multiple industry tool sets and the ability to support different development platforms are 10 to 30 strong.
- Cost per consultant in the US / Western Europe, including overheads, is between $150K and $300K annually.
Building and sustaining a dedicated team to conduct regular and comprehensive security assessments is prohibitively costly. The strategy followed in most cases is to focus on just the critical applications and conduct ad-hoc security assessments on them. But new alternative business models and technologies have emerged that give CIOs and CSOs greater control over a greater proportion of their applications at substantially lower investment.
Necessity is the mother of invention
Thus we are seeing CIOs and CSOs increasingly taking on the application security challenge head-on, with the same gusto with which they have (almost) tamed the network security gorilla in the past. Several global financial leaders are already riding the offshore security testing model. They gain significant cost savings by setting up both captive and dedicated offshore application security testing teams. Others are expanding their security testing vendor lists to include offshore security testing leaders. This strategy gives them instant access to most of the benefits with limited upfront investment.
Not all security can be offshored
Certain applications, and certain sectors that deal with sensitive production data, may not qualify for offshore security testing. Most of the leading vendors will do a quick assessment for you to determine how much of your security testing can be performed offshore. Most vendors will also provide the flexibility of hybrid on-site/offshore models.
5 steps to integrate offshore security testing into your enterprise security strategy
- Identify security partners and offshore captive units: Talk to leading offshore security testing players and internal captive units. Consider BOT (Build-Operate-Transfer) models. (CIO/CSO activity)
- Quantify goals: Application inventory, risk-based categorization, and security testing and posture goals for each category. (CIO/CSO jointly with partner/offshore unit)
- Quantify the benefits: Percentage that can be tested offshore, cost of setting up, and annual savings. (Partner/offshore unit)
- Proof of concept (three-month period): Conduct several rounds of testing and types of testing, integrate with existing processes, and tighten all processes.
- Monitor, control, direct: Leverage dashboards, metrics, workflows, and vulnerability management technologies to integrate with, and run in step with, enterprise security goals, compliance requirements, and the software development life cycle.
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We'll get back to you within one working day.