M&E Journal: Break Your App. Do It Again


By Ted Harrington, Executive Partner, Independent Security Evaluators (ISE)

In karate, earning a black belt isn’t the end of your journey; it is just the beginning. So too is it with application security: once you complete a security assessment, you should be proud of the work you’ve done to get to this point! But you aren’t finished — in fact, you’ve only just begun; now you need to make sure that you keep pace with the bad guys, in a relentless march towards security excellence.

Security excellence is a never-ending loop. To achieve it, you must repeatedly find and fix flaws. If you do, you will become better tomorrow than you are today.

The cadence trap
You need to do it sooner. Much sooner.

Many leaders fall into a common pitfall known as “the cadence trap.” The idea is simple: leaders often consider security only at arbitrary intervals that are not well suited to how quickly things actually change.

How often have you uttered (or heard others utter) the phrase “annual penetration test”? Putting aside for a moment the arguments I’ve made in previous editions of this Journal that you probably shouldn’t be doing a penetration test (you most likely should be doing security assessments), let’s talk about the idea of “annual.”

Think back to one year ago today. What did your technology look like? What did your team look like? What was happening in the industry? What was going on in the world?

Things were pretty different, right? So why would it make sense to wait so long to reconsider security, with that much change going on? And this doesn’t even account for how the attackers are changing!

Many companies want to consider application security only on an annual basis, as if it were akin to an annual physical exam with a doctor. Security should be treated more like wellness, however — something that you do every day in the choices you make about nutrition, exercise and lifestyle. It should be reevaluated frequently, as the conditions of your health change. As you get stronger, leaner and faster, you should reassess your fitness regimen to address these changes so you can keep getting better.

Worse yet, many companies think about security only every two years! If a one-year cadence is too slow, a two-year cadence is borderline negligent.

So, what is the appropriate cadence to revisit application security?

For most companies, the appropriate cadence for performing a security assessment is every three to six months. (There are cases where a more frequent cadence is required, or a less frequent one is acceptable, but those edge cases are beyond the scope of this article.) There are a few reasons for this cadence:

–It is highly effective at quickly addressing changes in attack surface.
–It significantly reduces per-assessment cost.
–It avoids unnecessary waste.
–It enables your security assessment partner to be more in tune with your needs.

Do more, spend less
“Security is expensive!”

If you are like most technology leaders, that is likely one of the primary problem statements you identify when discussing the challenges you face around application security. But here is one of those magical moments where you can do it in ways that are both better and cheaper!

Sounds too good to be true, right?

Believe it or not, it’s actually less expensive to do security more frequently. The reason is simple: it streamlines the effort. Keep in mind that security assessors are human beings; as with all things in life, we all have learning curves. Think about any project that you have mastered; let’s say, for example, a particular financial report that you prepare and present to the board of directors.

The first time you prepare this report, it takes a ramp-up period to understand the key fundamentals: the goal, the audience, what the audience wants to understand, which questions matter and must be answered, in what context the numbers have relevance, how the numbers compare to prior periods, and so on.

Then you invest the time to actually collect the information, synthesize it into key data points, prepare the charts and graphs, create the slide deck, practice the presentation several times, deliver the presentation, field questions, and then hunt down answers to any follow-up questions that came out of the presentation.

Now consider your current proficiency: how much more efficient are you at all of these steps after having completed the entire process many times? Much, much faster, right?

That is called efficiency gain.

In the context of application security, efficiency gain means a few things:

–You’ve acquired the baseline knowledge about how the system works, the business surrounding the system, and the underlying assumptions that result.
–You understand the development roadmap and can identify which of those changes will impact the threat model, attack surfaces, and crucial security functionality.
–You understand how to best and most efficiently collaborate between security assessor and client.

Taken together, these factors mean that a properly performed reassessment requires less effort to deliver outcomes as valuable as those of the initial assessment. Less effort means lower cost.

To put a number on this efficiency gain, we recently analyzed our own data from roughly 10 years of application security assessments. We found the number to be quite startling: 40 percent! On average, a reassessment requires only 40 percent of the effort of an initial assessment. That is a massively compelling efficiency gain, and it makes the economics of doing security more frequently very, very compelling.

The knowledge cliff
However, there’s a catch.

These economic benefits are only delivered if reassessments happen on the appropriate cadence. Once six months have passed since the last assessment, the accumulated knowledge about the system, the business, and the collaboration model begins to dissipate. Not overnight, but a steady and sharp decline sets in after six months.

This is called the knowledge cliff.

Think back to any project you currently do with great efficiency, perhaps the financial reporting example discussed earlier. You are in a rhythm and know where all of the information can be found. You intuitively navigate the various tools and databases that help you develop the report. Your presentation skills are honed. You have all of the answers or know where to find them. Now imagine that you no longer do this style of reporting. If you picked it back up soon, you’d have no trouble getting back into the swing of things. But eventually, your familiarity with the process, tools, and methods would diminish.

Now imagine that, a long time later, you had to pick this back up. How would you do?

Think of a recurring project you did two years ago, but no longer do now; if you had to do it right now, today, would you be able to do it as efficiently as you used to back then? Probably not.

What would be different between then and now?

Efficiency. The only difference is that you lost the efficiency. That’s what happens when the reassessment cadence is too long: it requires you to reinvest in a learning curve you’ve already undertaken. You literally must relearn, multiple times, how to be efficient at the same thing.

That is wasteful.

If you are like most technology leaders, you abhor waste. Waste incurs expense, which, by definition, is not a good use of resources. It’s as simple as this: security reassessments performed on a proper cadence avoid waste. If you only consider security on an annual basis — or worse, every two years — you are unwittingly paying, over and over, for the same learning curve. Change to a more appropriate assessment cadence of every three to six months, and you’ll be able to divert those resources to better uses.

Getting to black belt is a hard but worthy effort, and one that launches you to higher levels of achievement. Hopefully you feel the same way about your pursuit of security excellence, and now have a few insights about how to act on a better approach to the never-ending loop that is application security. This is precisely how the companies that are best at security become better tomorrow than they are today.

It’s a long road, but at the end lies a beautiful destination: security excellence.


This article appeared in the Spring/Summer 2018 M&E Journal.