You need to prove that your app is secure. Whether you need to prove it to your customers, to your boss, or even just to yourself, you accomplish this by finding security vulnerabilities and then fixing them.
This entails seemingly endless challenges, but that doesn’t mean you need to be isolated in solving them. In the words of leadership author Ken Blanchard, “None of us is as smart as all of us.” Teamwork is the key to your security mission.
Why You Want Both In-House and External Teams
You may expect it to be either one or the other, but that’s not the case. Security is a team sport. External and internal expertise complement each other and magnify each other’s impact.
Your external security partner finds security vulnerabilities; you fix them. Your partner transfers knowledge; you use it to get better. Your external partner is immune to bias as well as the strong opinions of powerful leaders in your company; they just tell you how it is, even if it’s not what you want to hear. You ensure the security mission is supported by executives and key stakeholders.
Together, you and your external partner reduce risk. Together, you communicate with your customers. Together, you transfer knowledge in both directions: your in-house team equips your external team with the information to make them more effective, and your external team equips your in-house team with insights about how to keep getting better. Win-win.
If you already have in-house security experts, fantastic! You’re off to a good start. If you don’t, that’s OK, too. Your external partner serves that function right away and helps you build that capability over time.
Separation of duties is a powerful concept that you already see in other areas of your business: your chief financial officer (CFO) works with external accountants, your general counsel works with outside law firms, and your CEO works with the board and other external advisors. It’s the same idea with outside security experts; they magnify the impact made by internal resources while delivering benefits you can’t get in-house.
How to Find the Perfect Security Partner
I don’t care whether you hire my company as your external security consultant; that’s not the point. I just want you to hire a company. You need that external expertise. However, not all advisors are created equal. Choose carefully. To help you select the right partner, here’s a rough overview of the types of security companies out there:
Products vs. Services.
There are three types of security companies: companies that sell only products, companies that sell only services, and companies that sell both. You can rule out companies that only sell products, as they won’t be suitable as an advisor. (Almost every security program needs products, and I’m not advising you against using them. You’ll need them. What we’re talking about here, though, is finding an advisor, and that is by definition a service, not a product.) Furthermore, be leery of companies that sell both services and products if those services tend to end in buying their product. For example, their consulting might inform you of a security issue that just so happens to be solved by a product they sell. How convenient. This directly undermines the integrity of the recommendation: is this actually what you need, or is this just an underhanded way to sell you their product? This is shockingly common, so beware. I’d recommend you look for a company that only sells services (or sells both services and products, as long as the products are not the solution to the problems the service will discover).
Tool-Centric vs. Human-Centric.
Your internet searches will be absolutely flooded with “service” companies that really are just running an automated tool. You can’t scan your way to security excellence. Instead, you want to find an advisor who has smart, experienced experts who can help you solve your problems with the creativity that comes with being a human. The work needs to be manual.
Application Security vs. Other Specialties.
Note that some companies will present themselves as experts in everything. Be wary of that; no one is the expert in everything. Most companies, however, do have a specialization, even if they have a wide range of capabilities. Ask what their single strongest area is, and that should help guide you.
How to Choose a Security Partner
Once you’ve narrowed it down to a few potential partners, next you need to vet their capabilities. This is a classic “chicken and egg” scenario: how do you vet the qualifications of a security advisor when you need a security advisor to help you make good security decisions? I won’t lie to you; it will be difficult. But here are some things to look for:
Security research.
The best security consulting firms all publish research that advances the state of the industry. They find vulnerabilities and disclose them to the afflicted company. They make those companies better, and they make the industry better. Look at their website to see what research they’ve published. If there isn’t much, consider ruling them out.
Talks.
Usually an extension of security research, the best security professionals are out there advocating for how to do better. They’re teaching insights, methods, and strategies. They’re speaking at the big security industry conferences such as Black Hat or RSA Conference, the research conferences like DEF CON, or even conferences specific to your industry. Again, look at their websites. Watch a few talks to see if they seem credible to you. If they don’t seem to be giving many talks, consider ruling them out.
Methodology.
The best will work in close collaboration with you, rather than operating closed off from you. They know who the attackers are, how they think, and how they operate. This is precisely the mindset you need in order to find and fix your most serious security vulnerabilities. Probe to understand their methodology, and make sure that it echoes these ideas.
Deliverables.
The best companies equip you with the reports and documents that you need in order to both reduce risk and earn trust. They give you clarity on the issues found, how severe they are, and what to do about them. If it seems like the deliverable will be an enormous list of scan results without any false positives removed, you’re probably not talking to the right partner; you’re probably talking to someone who uses a tool-based approach. By contrast, if it looks like the application security testing reports and other deliverables will give you the precise plan, simplified so as to be actionable and prioritized by criticality, then you’re probably on the right track.
Look for these traits, and you’ll find a security testing partner who can help you achieve security excellence.
Security is like fitness, and external security experts are like your personal trainers. Although it’s ultimately up to you whether you’ll achieve your fitness goals, your likelihood of success skyrockets when you bring the right attitude and have the right fitness expert helping you. They apply years of experience. They point out where your form is bad and help you fix it. They hold you accountable. They make you better.
That’s exactly what security is like, too.
How you think determines what you achieve: pair in-house experts with external experts as you pursue security excellence. Together, they allow you to achieve your security mission.
While you’re here, check out our ethical hacking services. If we’re good enough to work for Amazon, Netflix, and Google, we may be good enough for your company, too.
Content adapted from: