Establishing and maintaining an application security program is one of the most challenging undertakings for any security team. The dynamic nature of applications and the amount of data associated with them makes security a never-ending project. Generating high quality results is critical to a program’s success. False positives, incomplete findings, and sheer volume compound the problem.
What Makes Results High Quality and Why Is It So Hard to Achieve?
The goal of any security program is to protect critical information and assets while constantly reducing risk to the business. The first step to achieving this goal is high quality results. What does that mean in the real world?
- Results that are easy to action: Clear direction improves mean time to remediation, one of the metrics that C-levels and Boards like to track. Closed vulnerabilities reduce risk.
- Results that don’t repeat themselves: Deduplication means security teams are addressing the root cause of an issue, not chasing it across multiple tools.
- Results that are prioritized and contextualized: Vulnerabilities do not impact organizations equally. Ensure that your team can easily triage and rank those issues that matter most. Focusing on areas that put your data at most risk will increase your security posture without extra effort.
Organizations remain challenged to attain high quality results. What makes this so hard to achieve? As an industry, we need to change the way we create and market tools so that security professionals can trust them and deliver better outcomes. A confluence of issues keeps the bar high.
- Tools with noisy results: Most enterprises have a minimum of six tools for vulnerability assessment. That’s six times the results, six times the false positives, and six times the alerts. Add the distillation and management of all that information to the mix, and security teams quickly get overwhelmed.
- Breadth of security coverage needed: Security teams are required to track vulnerabilities across an ever-expanding portfolio of applications, infrastructure and networks. They need tools that enable them to efficiently and scalably manage data.
- Buzzword-heavy industry: Consumers are bombarded with a flood of buzzwords that provide little clarity into the actual value of the products they are purchasing. ASPM, DevSecOps, and Vulnerability Management are variations on the same theme. Vendors who offer solutions with clear ROI simplify the life of the security professional.
How Do Low Quality Results Impact Teams and the Business?
Security teams that have not been able to refine and upgrade their results face impacts to their careers and to the overall business. These impacts can range from minor to irreparable.
- Reputational damage: Breaches cost 20x more than tools on average, which is significant, but many companies never recover from the reputational damage and erosion of customer trust. If you don’t have a holistic view of your security posture, you are putting your company at risk.
- Obscured real risks to the company: Similarly, not knowing your risks because of low quality results can give a false sense of security, leaving the organization exposed.
- Lost trust with internal constituents: Developers’ primary focus is not security. To maintain a positive relationship, security must send developers real issues or risk losing their trust. Otherwise developers may ignore future security requests, perpetuating the myth of security as a cost center.
How Can Enterprises Improve Tool Selection? What Is the Impact of Choosing the Wrong Tools?
Understanding why results matter and what comprises a high quality security result is the foundation of a successful program. The next step is to optimize your tool selection based on a few critical criteria.
- Coverage: Invest in tools that give you the most coverage for your budget. Supplement with niche tools when you can. Some teams make the mistake of sacrificing coverage for shiny niche tools, leaving critical areas exposed. The right tools at the right scale prevent breaches.
- Actionable Information: The best tools make you and your team proactive rather than reactive. Keep pace with your dynamic vulnerability management environment and manage risk better with accurate, validated information.
- Return on Investment: Determine metrics to evaluate the value of your tools. One example is utility cost per finding or scan.
Getting to Security Bliss with Better Results
With the best tools procured and the best results in hand, what’s next? Establish KPIs that enable you to properly measure and report progress and performance of your security program. Considerations include:
- Coverage percentage: Identify all your applications and map your tools to ensure maximum coverage.
- Mean time to remediation: An effective program based on accurate, actionable results will lower MTTR over time, reducing risk exposure.
- Security team time allocation: In the end, your security team should spend less time combing through spreadsheets and tracking vulnerabilities, and more time on security strategy.
Whether you’re initiating an application security program or years-deep into the process, high quality results must be at the forefront of your efforts. With the right tools and a strong plan, you can upgrade your security posture, improve your customer relationships, and simplify security and compliance processes for your organization.