Edition e1.0.0
Updated October 9, 2023

Most early-stage companies don’t have a dedicated security person, let alone someone who specializes in application or software security. It’s common for security to be part of another role or a shared responsibility in those first years, and while that’s not the end of the world, it doesn’t necessarily mean your team has the right specialist skills to help you secure your applications.
In this section, we will take a look at the sorts of external help you can use to support your software development lifecycle and how to get the most out of this process.
| Service | Aim | Typical Outcomes | 
|---|---|---|
| Design and Architecture Reviews | Review the design or proposed architecture of your software before it is built or before significant changes are made. | Identifies potential vulnerabilities before the software is built to allow you to plan design changes or monitoring approaches. | 
| Vulnerability Assessment | Use automated tools to frequently review your built and deployed software to identify “low-hanging fruit,” or common, simple-to-exploit vulnerabilities. | A list of potential vulnerabilities in your software that can be investigated and addressed. | 
| Penetration Testing | The use of a specialist testing team or professional to simulate the process taken by an attacker and identify vulnerabilities in your application. | A report documenting specific, confirmed vulnerabilities identified in your software, how they were found, and recommendations for their remediation. | 
| Bug Bounty Programs | The provision of a managed program for security researchers. This program will incentivize researchers to investigate and find vulnerabilities in your software in return for cash or other rewards. | Documented vulnerability submissions from a global community of security researchers. | 
| Development Lifecycle Consultancy | Reviewing your software development process to identify changes or additions that can be made to increase the presence of security and increase the likelihood that vulnerabilities are identified before release. | Reports or findings that document proposed improvements to your software development lifecycle. In some cases, engineers may be available to implement the suggested changes alongside your team. | 
Much has been written about each of these service types and their advantages and disadvantages. Use the above guide as a starting point and work with external security assurance companies or consultants to explore how their offerings work and their proposed costs and benefits.
When engaging with an external security service provider, remember you need to shop around and make sure the provider is the right fit for your team, maturity, and needs.
Here are some questions you may want to ask before you engage:
- What services do they offer and how do they differ from each other?
- What standards and frameworks do they follow?
- Do they have reference clients you can speak to who are in a similar position, maturity level, sector, or size?
- How much do their services cost and how long will they take (in terms of days of effort)?
- Does their assessment include the ability to have your improvements or remediation efforts checked (often known as remediation testing)?
- Where is the team located? Do they do the work themselves or do they outsource?
- What will your organization need to have in place before the work starts?
- Can you see a sample or anonymized report from a previous engagement of this type?
1. Shop around; there are many providers and each has a different style. There are hundreds of different companies providing security services, ranging from big-name consultancies to boutique specialists. Shop around and find an organization that understands your company’s age and stage, and whose communications and culture complement your own. A mismatch in experience and culture will result in findings and recommendations that won’t work for your context, making them hard to implement or ineffective.
2. Don’t buy based on price alone. Like any service industry, there is a range of prices to choose from. While you may be budget conscious, don’t choose based purely on price. As many of our parents once taught us, sometimes you get what you pay for. If choosing based on price, it is doubly important that you check their references thoroughly before engaging.
3. Ask them to integrate with your workflows. Most service providers will give you a beautifully formatted PDF document of your findings, which will appeal to boards and auditors. However, if your team is more Jira than Adobe Acrobat, you might waste a lot of time importing findings between systems. Ask for your results in formats that can be easily uploaded into your tool chain, such as CSV. If the provider doesn’t understand why this would matter, see point 1 above: they probably aren’t a good cultural fit.
4. Be open and forthcoming. Remember that most engagements are time-bound, and if your system is complex, that can be a lot to cover. Giving your service provider a guide to sensitive areas or areas of concern can help you chase down high-value issues and focus the effort. The same can be said for sharing vulnerabilities you already know about; don’t pay someone to confirm what you already know. Let them know in advance and help them explore other areas.
5. Have a documented contract and ensure they are insured. I know, you already have too much to do, and drawing up and reviewing contracts feels like more effort. In this case, however, it is worth it. Contracts with external security providers document who is responsible for vulnerabilities if they are missed in testing and where liability is covered by insurance. Take the time, check the contract, and check that they are registered and insured with appropriate levels of professional and technical insurance.
6. Check their references. Get on the phone, do a video chat, or go for a coffee. Ask about their experiences (good and bad), whether they felt they got good value, and whether they would recommend the service again. Where possible, also double-check in your technical communities for any impartial recommendations that have not come from the vendor themselves.
7. Rotate providers regularly to keep things fresh. Sadly, external security services are often something we need on a regular basis. Whether that’s because our platform is evolving or because we are covered by a compliance scheme with a frequent audit requirement, this is not a one-off affair. While it’s great to have a trusted provider, remember that reviewing and testing things you are overly familiar with is very hard. Get fresh eyes on your company and systems by rotating providers at regular intervals to avoid over-familiarity.
8. Remember that an empty report or no findings is not necessarily a good thing. Sorry, but if they don’t find anything, this is cause to be cautious and skeptical rather than proud and excited. Don’t hope for an empty report—hope for a short report with a few very context-specific bugs that your external specialist had to work hard to find. That’s the sign of a good relationship and a high-quality engagement.
9. Ask questions of your provider and encourage them to be coaches. There is no magic in security. Nothing we do is “secret sauce” or “too sensitive to share.” Find a partner who is transparent and shares their approaches. This gives you confidence in their frameworks and standards, and offers your team the chance to learn from the engagement.
With security, as with most things, once our software has been delivered and we are happily serving our customers, our job has only just begun. Security is important for the life of the application or system, which (we hope) is for many years to come.
All internet-exposed systems are subject to probing and attack activity, and it’s important that you spend some time thinking about how you and your team will identify when such activity is taking place. The sooner you know, the sooner you and your team can respond and protect your systems and data from harm.