Tuesday, 15 September 2020

How to slash the cost of penetration testing for web apps & mobile apps

The two most commonly cited reasons by CTOs, software engineering managers and SaaS executives for not conducting penetration tests on their cloud software and mobile apps are:
  1. We've never been hacked - why would we spend on penetration testing?
  2. Penetration testing is too expensive, I can't afford it.

Are you being ignorant about investing in penetration testing?

At face value, both reasons sound reasonable. But let's quickly tackle the first, which I think is a case of ignorance.


Ask yourself, do you only get car insurance for your car after it gets stolen? 

As hackers become more sophisticated and strategic, in many cases companies don't even know they have been hacked for months on end. The recent attacks on Instacart and Nutribullet are classic examples of why it doesn't pay to take a "head in the sand" approach to your application security. 

The risk of being attacked, anecdotally at least, is even higher when you publicise a successful capital raising, investment discussions or acquisition talks. 

As our co-founder Ayush Trivedi put it:
Application security investments are like insurance policies. The annual payments might rankle you, but you end up smiling ear to ear when that same policy helps you dodge one of life's unexpected fires.
Ayush Trivedi, Cofounder & Director, Audacix

How expensive is penetration testing for web apps?

Most people answer this question in the simplest terms: that a penetration testing services provider charges x amount for a project, therefore penetration testing costs x amount.

But it's never that simple. That figure doesn't consider important contributing factors and the potential costs of inaction (all figures from a recent IBM cyber security survey):
  • It takes companies 197 days to identify and 69 days to contain a breach.
  • The cost alone of notifying customers about a hack averages about $740,000 in the United States.
  • The average cost per lost or stolen record is $148.
  • Companies that deploy security automation have a 55% lower average breach cost than those that don't.
  • On top of remediation costs, you will be fined. Fines will vary depending on where you are based, but if you fall under GDPR regulations then you could be fined €20 million or 4% of your company’s worldwide annual revenue of the previous financial year.
I think you will agree that paying even a 5-figure amount for web app penetration testing is more palatable than shelling out for the costs above!

The one cost that can't be accurately measured is the cost of embarrassment that comes from having to tell your customers that your SaaS has been hacked. Depending on which study you believe, up to 86% of companies will not do business with another company that has had a notifiable breach.

But is there a growth upside to having a robust application security program?

Absolutely there is, and unfortunately this upside is often undervalued or forgotten altogether when SaaS executives evaluate if and when they want to invest in penetration testing.


Our B2B web application penetration testing clients, particularly those that sell to large enterprises, have reported cutting deal cycle times by up to 33% by being able to demonstrate that they have a robust AppSec program in place.

Some clients have even used their improved security resilience to differentiate their offering in their industry. Can you imagine the confidence your prospects will have in your SaaS solution when you make it a point to talk about your security resilience while your competitors are trying to hide theirs?

The IBM Security survey results presented in the infographic above prove that your sales prospects want the data they store with you to be secure.

Why not give them what they want by showing them all that you do to protect their sensitive data? Surely that level of assurance can only lead to faster sales and larger deals, right?

Is penetration testing expensive?

It is true that a full, grey-box manual penetration test for a reasonably sized and complex application takes at least a week. The security tester is a highly qualified and credentialed expert who uses very specialised and high-tech software (and hardware when testing mobile apps and IoT devices).

When you consider that, according to IBM, the average cost of an application security breach is north of $3 million, the amount you spend on a pentest for your cloud application will be a fraction of the cost of a breach.

But pen testing projects are like most things in life: you get what you pay for. That's why it's important that your penetration testing service provider asks you the right questions before starting the project, and why we ask questions like those below to ensure that our clients get the highest ROI from their pentesting projects.

So what is the real cost of penetration testing?

Penetration testing costs vary depending on the application that needs to be tested and a few other key questions about the nature of the outcomes you want to achieve:
  1. Is your goal just a secure app or are you looking for a different ROI?
  2. Do you know the frameworks against which you want your penetration tests performed?
  3. What outcomes will help your dev team minimise the time they spend fixing security vulnerabilities?
  4. Do you want an automated vulnerability scan or full grey-box penetration testing?
  5. Do you have accreditations like ISO27001 or SOC2 that require this pen test?
  6. What user stories/data in your application do you consider high risk?
  7. How will you ensure that vulnerabilities don't re-appear during future sprints?
With so many variables to consider, you can understand why it is so difficult to provide just one cost for a web or mobile app penetration testing project.

However, as a general rule of thumb, penetration testing for a very "simple" single server/database web application with fewer than 10 pages, no publicly exposed APIs and 1-2 user roles will cost you approximately US$5000. If you are quoted an amount less than this, you should ask the pentest service provider serious questions about the robustness, relevance and worth of the pen test that they are quoting you for, because it might just be worthless.

Large, sophisticated and complex applications that have web, plus Android, plus iOS variants can have much higher penetration testing costs. If you have many public API endpoints, that will also add to your penetration testing costs, although this will be a very worthwhile exercise because publicly exposed APIs introduce a whole new level of information security risks. Penetration tests for complex and sophisticated applications can cost in excess of $30000.

You can use our free penetration test consultation and quote process to understand your options and do some budgetary planning.

Just as not all car mechanics are skilled or accredited to work on all types of cars, not all penetration testers have the know-how and experience to conduct penetration tests on all types of cloud applications. 

How can I reduce penetration testing costs for cloud software?

This is a great question and unfortunately one that is not asked nearly often enough, despite the fact that bargaining usually doesn't work well in this scenario. 

Contrary to popular belief, penetration testing is just one element (although still an important element) of a cohesive and effective modern application security program. 

You can do three simple things to minimise your penetration testing expenses, either on a per-project basis or by having to conduct fewer penetration tests throughout the year:
  1. Build application security into your product development process, right from the design phase. Exploit this easy-to-use application security checklist to ensure your team is incorporating all the necessary security controls into your cloud software.
  2. Ensure that your web application and its infrastructure are configured with the right HTTP security headers - these headers are your first line of defence and will help your application repel many attempted attacks. Use this free HTTP security header analysis tool to conduct your audit.
  3. Conduct regular vulnerability scans on your application and infrastructure using smart, cloud-based automated penetration testing tools like Cyber Chief.
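
To make the header audit in step 2 concrete, here is an added example (not code from Audacix or the tool mentioned above) that checks a set of response headers for missing or weak values. The choice of headers, the 180-day HSTS threshold and the sample response are assumptions made for illustration.

```python
import re

# Constructed sample response headers (not from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}

MIN_HSTS_AGE = 15552000  # assumed threshold: 180 days, in seconds


def audit_headers(headers):
    """Return a sorted list of (header, finding) for missing or weak headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("strict-transport-security", "missing"))
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(("strict-transport-security", "max-age too short"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("content-security-policy", "missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("content-security-policy", "allows unsafe-inline/eval"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "missing or not nosniff"))

    # Clickjacking defence: either CSP frame-ancestors or X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in (csp or "") and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("x-frame-options", "no framing restriction"))

    if "referrer-policy" not in h:
        findings.append(("referrer-policy", "missing"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE):
        print(f"{name}: {finding}")
```

Running the same check in CI against a staging response catches header regressions before the next scheduled pentest.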


Putting this structure in place can be daunting. If you need to get help from application security experts who have helped do this for many companies just like yours, take advantage of our free penetration test consultation and quote process.

You will leave this consult with a clear picture of how each piece of the AppSec puzzle fits together. You will also clearly understand what your team can do by itself to improve your software's security resilience and where you will need help. Last, but definitely not the least, you will be able to get confirmed investment amounts for each part of your AppSec puzzle.
