Use the force! Web app testing services are your security force multiplier

Scott Crawford, Research Director, 451 Research
Brian Mizelle, Vice President of Operations, Cigital

Upload: cigital

Posted on 15-Apr-2017


TRANSCRIPT

Page 1: Use the force! Web app testing services are your security force multiplier

Scott Crawford, Research Director, 451 Research
Brian Mizelle, Vice President of Operations, Cigital

Page 2: Does security management sometimes make you feel…

Page 3: Your concerns are shared

In our 2015 research of top infosec concerns, the adversary, of course, is #1:

• Hackers/crackers with malicious intent: 52.1%

But it’s not as if regulators give organizations a choice about caring… Compliance and related concerns take up spots 2-6:

• Industry-specific compliance (e.g. PCI, HIPAA): 38.4%
• Compliance requirements (e.g. due care): 38.0%
• Internal audit deficiencies based on findings: 34.0%
• Complying with external customer/client requirements (due diligence exercises): 31.4%
• Government regulatory/legal compliance (e.g. GLBA, FISMA): 30.5%

Source: 451 Research Q2 2015 Information Security Quarterly Advisory Report

Page 4: Compounding the challenge

In Q3, we asked about a few additional areas:

• The adversary and compliance are still the top concerns (#1 and #3)…
• …but organizational roadblocks show up at #2, #4, and #6:

• Organizational politics/lack of attention to information security (98 respondents)
• Staffing information security (69 respondents)
• Lack of budget (44 respondents)

Source: 451 Research Q3 2015 Information Security Quarterly Advisory Report (n=863)

Page 5: Protecting Web applications

The lifeblood of a modern business…and attackers know it.

• Verizon 2015 DBIR:
  • Most common threat to Web apps: Organized crime
  • Financial gain the most common motive
  • ¾ of all Web app compromises are opportunistic
• Finding and resolving Web app vulnerabilities must thus be a primary defense
• And yet...organizations struggle with Web app security testing:

Top 5 reasons for switching DAST/SAST vendors:

• Lack of features/functionality: 14.8%
• Cost: 12.3%
• Solution complexity: 9.9%
• Technical support issues: 8.6%
• Usability issues: 6.2%

Source: 451 Research Voice of the Enterprise: Information Security, Q3 2015

Page 6: In short: Organizations face long odds

• Opportunistic adversaries that thrive on Web app exposures
• Compliance requirements for securing those apps that must be met
• Organizational constraints on support
• Expensive security assessment tools requiring specific expertise
• Difficulty finding and retaining that (equally expensive) expertise
• Managing that investment in people and technology over time
• Earning the confidence of the business

Page 7: Use the force! Managed services for Web app security testing are a force multiplier

• Expertise on demand
• Offload the cost and management burden of challenging tools
• Better management for today…and better preparation for tomorrow
• Is your strategy ready for the growing impact of DevOps and CI?

Page 8: The expertise you need

• Security experience is hard enough to find and retain…
• …and within the available talent pool, Web app security requires a specific skillset
• Managed Web app testing services provide:
  • Reliable expertise
  • On demand
  • As much – or as little – as needed
  • A solution for “crunch” times of high demand
    • Compliance windows
    • High-demand seasonal preparation

Page 9: A more predictable investment

• Web app testing tools don’t come cheap…
• …but purchasing a tool is only the beginning
  • Deployment costs
  • Maintenance
  • Orientation to use
  • And when something better or more useful comes along?
• Managed web app testing services field this investment for you
  • The right tool for the right job
  • Analysts experienced in their use
  • Predictable expense, more evenly distributed over time

Page 10: You don’t need to go it alone

Web app security testing services are your force multiplier…with Business Benefits:

• Known and predictable costs …vs:
  • Capital and operational expenses of tools
  • Rising costs of finding, retaining (and losing) security expertise
• Known and predictable performance
  • Better planning & fewer gaps in testing obligations
  • Consistent coverage
• Better management today…and better preparation for tomorrow

Page 11: Feel the Full Power of the Force – Test Type

• Dynamic Application Security Testing
• Static Application Security Testing
• Business Logic Testing

• Each test type covers different areas of application security
• Some vendors are locked into a smaller subset because of their testing tools
• You want to ensure that your Managed Services provider:
  • Offers options
  • Creates integrated results

Page 12: Feel the Full Power of the Force – Test Depth

[Chart: Depth of Test plotted against Risk]

• Single tool automated security scanning
• Automated testing augmented with multi-tool manual testing
• Extends to business logic, exploiting app functionality

Page 13: Sometimes You Need a Bounty Hunter

• For high-risk applications, you will want to go deeper than automated testing
  • Multi-step attacks, social engineering attacks, etc.
• Requires a manual process by experienced security experts
  • Multiple tools selected for each situation
  • Ability to integrate results into a cohesive, actionable report

Page 14: Maximum Functionality, Minimal Friction

1. Schedule test from online portal
2. Test executed as scheduled
3. Results reviewed by Cigital security expert
4. View report online, receive call out from security expert (Cigital)

Scalable platform to address changing assessment workload

Page 15: See Things With the Force You Will

• On-demand cloud-based platform for testing applications
• Online portal for managing tests and viewing results
  • Schedule tests and set the desired depth of testing
  • Make modifications as business requirements and evolving threats dictate
  • Check the status of tests
  • Download detailed test results
  • Report across the application portfolio

Page 16: False Positives Lead to Anger…

…Anger leads to Hate, and Hate leads to:

• Developers ignoring large piles of findings
• Nothing getting fixed
• More technical debt for the organization

Page 17: Guidance and Knowledge Transfer

• Look for providers who provide guidance to fix identified bugs
  • Get guidance from the security expert who reviews the test
  • Have access to a remediation helpdesk for additional guidance
• Direct interaction with the responsible team
  • Turns testing results into actionable work
  • Shortens time to fix (productivity)
  • Raises their security knowledge through technology transfer

Page 18: Resist the Power of the Dark Side

Every test is reviewed by a Cigital Security Expert:

• Reviews findings to significantly reduce false positives
  • Increases test fidelity
  • Reduces response time for your security resources
• Creates remediation guidance
  • How to fix what is found
  • Increases productivity, reduces time to fix
• Holds Call-out with your team to discuss results, remediation guidance

Page 19: The Cigital Managed Services AST Solution

• Cigital uses the widest breadth of tests
  • Not limited by a single vendor portfolio
  • Uses the right tool for the job
• It’s not the wrench, it is who turns it
  • Highly experienced, well trained staff
  • Proven processes and policies based on thousands of tests
  • Removal of false positives by review of security expert
• Emphasis on the fix
  • Eliminating false positives allows focus on real problems
  • Remediation guidance to guide your staff to resolution

Page 20: Why Cigital?

Cigital Application Security Testing

Elastic capacity to address peaks and valleys in testing demand

You can redefine the type and depth of testing to match every application risk profile in your portfolio

You have full visibility and control of your testing through the Cigital Portal – schedule, see results

Cigital security experts review the results of every test to eliminate false positives, increasing your team’s productivity.

With each test, you receive actionable remediation guidance to help you fix and prevent the discovered vulnerabilities

Cigital will help you build the testing plan that matches your budget, portfolio size, and risk.

Page 21: Questions?

Scott Crawford, Research Director, 451 Research
Brian Mizelle, Vice President of Operations, Cigital

Page 22: Still have questions? Email us.
