Why WAFs Are Not Enough
Learn about what WAFs are and why companies use them and why they’re not enough to protect your organization, and what else you can use.
Learn more about the ways penetration testing can reduce your overall security costs and how to propose penetration testing to your team.
TL;DR:
Security isn’t cheap. Well, quality security isn’t anyway. And then you think of all the individual list items in your budget like threat modelling, infrastructure support, encryption tooling, incident response, security testing, anti-phishing software, secure code training, firewalls, authentication, remediation…. The list goes on and on. Seemingly endlessly. One way to simplify your security operations is to opt for services that support your business in multiple places - like penetration testing. Discover the 5 ways penetration testing reduces overall security costs to streamline your security operations.
Used to give you an overview of your application’s security posture, penetration testing is a manual security exercise where ethical, white-hat hackers attempt to break into your application. Penetration testers have the goal of finding as many known security vulnerabilities in your system. From there, they’ll provide detailed replication and remediation suggestions so that your developers can patch any known risks. It’s recommended that penetration tests are conducted in a separate testing or staging environment, to avoid any risks to your production environment.
Companies usually spend between 7-10% of their IT budgets on security requirements. Of this, the things that get priority for spending include:
Security budget can be hard to ask for as it’s hard to measure the success of. Unlike when sales teams can celebrate once they’ve passed their stretch quota, security doesn't have a milestone of success. In the security world, no news is good news. No breaches mean that the team has done a good job at keeping things secure. But without a momentous, celebratory event, it’s hard to connect that security is a good investment and prove that penetration testing reduces security costs.
It can also be hard for companies to prioritize security expenses over growth expenses like sales and marketing activities. This is especially true for small businesses that don’t have a lot of budget to begin with, or for firms who haven’t yet had delayed sales processes because of a vendor needing proof of security.
A single vulnerability scan assessment can cost between $1,000 to $10,000. While they’re super convenient and can work in agile SDLCs, automated scanners aren’t the best at finding deep vulnerabilities. To make them work a bit more efficiently, they require a lot of configuration and set-up time. With each report, it also takes time for someone to manually review all the findings and clear out false positives. On the other hand, penetration testing is a vulnerability scanning alternative that guarantees no false positives, works with any application language or framework, and doesn’t require much setup time from the client.
With every penetration test report, your developers will receive an extensive report that contains detailed information about each vulnerability. Developers can use the replication steps in the penetration test report to learn about where vulnerabilities exist and how to find them. If you opt for an extended service such as Penetration Testing as a Service (PTaaS), your developers can also reach out to the security team for consulting advice on new builds, secure design, and patch management support. This helps integrate secure code training into your regular development workflow.
Manual penetration testing is one of the best ways to get deep into your application. If you opt for white box penetration testing where the testers can see your source code, you can increase how many vulnerabilities are found on each test. This isn’t a sign of bad developers - it’s a sign of a great penetration tester! As more vulnerabilities are identified deeper in your systems, the likelihood of a third-party bug bounty finding them decreases significantly. When a bug bounty finds a security gap, you’ll be required to go through responsible ethical disclosure (RED) routines and off payouts, which range in the thousands of dollars.
If you’re working on a legacy application, you might find yourself shocked by the cost of repairing vulnerabilities at this stage. According to the IBM System Science Institute, it’s 100x more expensive to patch a vulnerability at the maintenance stage of an application compared to the design stage. With penetration testing, you can catch vulnerabilities in the implementation and testing stages. And you can leverage security consulting hours in Penetration Testing as a Service (PTaaS) to build secure application design, lowering your cost to the furthest extent. Saving money on remediation can free up a ton of budget and developer time to continue growing your products!
It’s no secret that breaches cost a ton of money, especially if you’re not properly insured. Penetration testing on its own can help you lower the risk of attack, which lowers the likelihood that you’ll need to prepare for a breach. Additionally, proof of a strong security posture through a penetration testing certificate can lower your cyber liability insurance fees, saving your budget here as well.
Calculating the return on investment (ROI) is one of the most valuable yet most difficult parts of proposing a security investment to your CFO. To do so, there are a few key security metrics to consider when proving penetration testing reduces security costs. Some examples of these include:
If you’ve already got a spot for penetration testing in your security budget then great! If not, you can make room for it. Consider first if your company is earning or maintaining compliance. If yes, then there’s likely a need for security testing. If not, then try to find another area of the budget that would no longer be needed if you invested in penetration testing.
CFOs look at four things to know if an expense is going to bring value to their organization, including:
Penetration testing helps reduce risk by providing a detailed overview of your application’s security gaps, and can also help you meet compliance requirements for frameworks like SOC 2, PCI-DSS, HIPAA, ISO 27001, and NIST. While penetration testing may have a cost associated with it, the potential cost of a data breach far outweighs the investment in testing. By identifying vulnerabilities before they can be exploited, organizations can prevent costly breaches and the associated financial and reputational damage.
Security
Can be easily manipulated without detection if not properly secured.
Digitally signed and can be validated on the server. Manipulation can be detected.
Size
Limited to 4KB.
Can contain much more data, up to 8KB.
Dependency
Often used for session data on the server-side. The server needs to store the session map.
Contains all the necessary information in the token. Doesn’t need to store data on the server.
Storage Location
Browser cookie jar.
Local storage or client-side cookie.
No testing strategy is one-size-fits-all. Pentesting in a production environment can provide advantages, though it does come with many risks.
Providing the quality of the biggest names in security without the price tag and complications.
Manual penetration testing
Full time Canadian hackers
Remediation support