SlideShare a Scribd company logo

managed-services-buying-guide

Marie Peters
Marie Peters
1 of 10
Download to read offline
Managed Services Buying Guide Managing security risk can feel like climbing a mountain. The terrain is rocky and the grade is uneven. Conditions can change suddenly, making it difficult to reach your goal. Even the most experienced climbers travel together to share the burden.
© 2016 Cigital | www.cigital.com | a j c b 2 If you’re considering using managed services to address your cyber risk, you’re in good company. In the past year, 47% of companies used managed services for cyber security, up from 43% in 2014.2 It is more challenging than ever to keep your sensitive information and assets safe from cyber threats. There is a worldwide shortage of cyber security experts that reaches $1 billion in unfilled positions.1 Staffing an internal security team is expensive, particularly when you need experts that understand a range of potential threats and security strategies. It’s best to climb the mountain with a team to support you. Managed security services partners support a variety of cyber security tasks, including Identity and Access Management (IAM), Incident Response (IR), and Security Information and Event Management (SIM). These efforts are an important part of an overall security plan for companies that can’t afford capital expenditures to purchase tools or build out a Security Operations Center. That said, these types of managed services activities are typically passive. They involve monitoring and responding, not proactive work to lower the risk of a cyber attack. They also tend to ignore the one of the most important areas of security risk – applications. Why seek support from a managed service? Ninety-two percent of reported security vulnerabilities are lurking in applications, not in networks.3 Yet most companies do not have the deep skill set or the appropriate tools to address application security risk. What’s more, testing demands ebb and flow. When new threats come on the scene or business changes invite new risk, an internal team has only a fixed capacity to address vulnerabilities. Launches may be delayed if your team can’t keep up. On the other hand, if you staff up to meet short need, you may be overspending when demand decreases. A managed services partner who is a specialist in application security offers proactive security testing for web and mobile applications including static (SAST) and dynamic (DAST) assessments as well as manual business logic testing. In addition, a partner offers remediation guidance to fix software security bugs or flaws so you can prevent attacks before they happen.
© 2016 Cigital | www.cigital.com | a j c b 3 Shifting from an in-house application security solution to a managed services model is a big decision. The assumptions you use to compare costs and benefits depend in great part on the partner you select. Use this Buying Guide to make sure the vendor you choose helps you reach the mountaintop – and realize the return you expect. It’s best to climb the mountain with a team to support you. Before you select a vendor, there are a host of questions to answer, requirements to define, and options to consider. Use the following as a framework for your discussions. 1 How do you test for vulnerabilities? Why it’s important to ask: Finding a managed services partner that has deep expertise in application security is key. A combination of tools and expert-driven manual analysis based on business context identifies and qualifies vulnerabilities in ways automated tests alone cannot. With this approach, results are true positives and remediation guidance is actionable. What to look for: A managed services partner that is a specialist in application security offers security testing for web and mobile applications including static (SAST) and dynamic (DAST) assessments as well as manual business logic testing for multi-step attacks. A managed services provider with broad responsibility for your application security shouldn’t just test individual apps. Rather, they should investigate your system architecture to flag vulnerabilities that occur when applications share information or rely on the same controls. Hybrid application and network testing is going to become more important for security, particularly as the Internet of Things (IoT) impacts how applications are accessed. Look for a managed services provider that also offers network-level assessment services. They should search for vulnerabilities in key areas such as router filtering, firewall filtering, visible network services, operating system software flaws, server application software flaws, known configuration errors, access management, and authentication controls. How to Choose the Right Partner for Your Security Journey
© 2016 Cigital | www.cigital.com | a j c b 4 2 What is your pricing structure? Why it’s important to ask: Pricing for application security services should be transparent. Pricing against a standard set of requirements will help you make an apples-to-apples comparison of any managed services proposal you receive. The clearer the requirements are between you and a vendor, the more likely you are to receive the value you expect. What to look for: The amount you pay a managed services provider can depend on a variety of factors, such as: • Number of applications you expect to test • Mix of web and mobile applications • Number of applications that require in-depth, manual testing and business logic testing • Time period you want to conduct testing • Turnaround time you require to receive testing results • Type and quality of findings reports • Whether read-out calls with developers are included • Whether retests are included • How often business or product changes will impact application security, such as release schedules • Location that may impact compliance considerations or legal concerns impacting data storage • If you require services other than application testing and remediation, such as threat modeling or network penetration testing Once you have a common set of requirements, you can choose a partner based on expertise and approach. A partner that provides true positives and actionable advice may be more expensive than one who hands you a report of bugs and flaws with little guidance. However, with the right vendor your overall costs should decrease, as the time and effort for finding and fixing vulnerabilities will go down. With the right vendor your overall costs should decrease, as the time and effort for finding and fixing vulnerabilities will go down.
© 2016 Cigital | www.cigital.com | a j c b 5 5 How do you address varying levels of criticality across an application portfolio? Why it’s important to ask: Not all applications require the same level of testing. If your partner tests all applications in the same way, you could be overspending. Time and budget could be better spent testing applications at an appropriate level. What to look for: Your partner should provide multiple levels of application security testing, from automated scanning that identifies common vulnerabilities to in-depth manual testing that focuses on business logic testing and exploiting application functionality. They should apply the appropriate level to each application. 6 Who will be on my account’s team? Why it’s important to ask? You rely on your managed services partner to stay up to date on the latest cyber threats and risk management strategies. The quality of service you receive is dependent on the expertise of the staff as well as their ability to apply that knowledge to your business and your applications. vendors may also offer packages that provide unlimited testing at any depth so that you don’t need to worry about costs increasing if your needs change. 4 How will you help us determine our priorities? Why it’s important to ask: Without prioritization, your team may spend countless hours trying to fix vulnerabilities that have little impact on your business, while ignoring others that introduce greater risk. What to look for: Findings from security assessments should have a standard severity rating scale and consistent read-outs so your team knows where to start remediation efforts. 3 How predictable will the budget be? Why it’s important to ask: Once you and your managed services partner agree on a price for services, you should be able to structure an agreement with a predictable price. You should not have to pay extra for customized reports and remediation of bugs and flaws or other hidden fees that catch you by surprise. What to look for: Your managed services provider should work with you to set up an agreement that incorporates diverse applications at varying levels of testing depth, covering multiple testing cycles. If you have unanticipated testing needs, you should be able to add a la carte services easily at a predetermined price. Some
© 2016 Cigital | www.cigital.com | a j c b 6 What to look for: Your managed services partner should have engagement management and technical delivery staff with deep technical expertise, covering a breadth of technologies and business domains. They should take the time to build a relationship with your team in order to transfer knowledge most effectively. Your partner should offer an option to set up a credentialed pool of staff who will be the only staff accessing your data. 7 What types of assessment tools do you use? Why it’s important to ask: Some vendors use only tools they sell, or apply a simplistic approach to tool-based scans. The truth is, applications cannot be covered by one tool, whether they are related to banking, point- of-sale systems, or other business functions. Even for a single application, different tools may catch different vulnerabilities. Eliminating false positives requires tuning tools to your situation and comparing results of different tools against each other. What to look for: Look for a managed services provider to employ a combination of commercial, internally developed, and open-source tools so that they can serve the most appropriate testing techniques for the application under test. They should be able to customize rule sets to get the most out of a tool for your situation. Don’t let a managed services partner lock you into using a tool that they sell. If you have a tool you prefer, make sure they can use that as well. 8 What is your process to schedule or change requests for tests? Why it’s important to ask: You shouldn’t have to give up visibility or control over application security testing just because you are using a third party to help with execution. What to look for: Managed service providers should make it easy for you to control the assessment schedule and see status of tests requested or in progress. Commonly a managed services provider will offer a web-based portal for you to access and make changes at any time. Ask for a demonstration so you can test it out before making a decision. 9 How quickly will you provide results? Why it’s important to ask: You should expect a reliable, consistent time frame so that you can plan ahead and development does not slow.
© 2016 Cigital | www.cigital.com | a j c b 7 What to look for: The answer will likely depend on the test depth required but you should expect results within three to five business days after test completion. The key is that your managed service provider should integrate the testing process with your development flow, regardless of your development methodology. For production tests, your provider should notify you immediately after qualifying the findings. 10 What deliverables are included with the results? Why it’s important to ask: Clarify with any potential partner that results for your tests will not simply offer a list of issues and generalized advice. Results will be much more valuable and save time in the long run if they help developers understand reported issues and more importantly, how to fix them. What to look for: Ask any potential provider for sample assessment reports. Reports should point out specific areas of risk and include detailed and relevant remediation guidance that goes beyond a list of findings. They should include analysis of aggregate issues to identify trends and systemic problems. To be most effective, results should include an active discussion between assessors and developers in the form of read-out calls. On an ongoing basis, your partner should provide on-demand remediation support. A proactive managed services provider will also deliver reports so that you can compare performance of different business units and demonstrate improvement over time. 11 How will your remote team access our confidential information? Why it’s important to ask: Your customers and employees put their faith in you to keep their information secure. Any partner you choose must take confidentially and data privacy as seriously as you do. What to look for: They should be able to provide options for accessing applications, whether that is via the cloud, or with a pool of staff provisioned with your laptop and VPN credentials for remote access.
© 2016 Cigital | www.cigital.com | a j c b 8 1.“Information Security Jobs Unfilled as Labor Pains Grow,” Search Security, April 2015 2. Comptia 4th Annual Trends in Managed Services 3. NIST 12 What solutions do you provide that will help us reach our goals in the future? Why it’s important to ask: Not all managed services providers offer solutions to help your developers become more proficient at building security into their process. The more effectively you can help developers build secure software, the less time and money it will take to fix issues. What to look for: Your managed services partner should offer many options for remediation advice, from read- out calls to an on-demand help desk. They may also have additional consulting or training services to help you grow your software security initiative. Don’t Make the Decision Alone Remember that the team braving the security mountain includes multiple climbing parties, including different functions and business units inside your organization. As you gather resources to support the climb, an important part of the buying process is sharing a vision of success and gaining acceptance from your security staff, the development team, and executive leadership. Include stakeholders from different departments in the vendor selection process to make sure they are comfortable that you have addressed their needs. The more involved they are in early stages, the better prepared they will be to work together with a new partner. To ensure you’ll get the budget and executive support you’ll need, make sure you can demonstrate to company leadership that you’ll get the most return on your investment with the vendor you choose. As a result, you’ll pave the way for a successful transition that reduces risk and elevates security in the culture of your organization. You’ll be well on your way to the security mountaintop.
© 2016 Cigital | www.cigital.com | a j c b 9 Next Steps Once you’ve decided to move forward with a managed services partner, you’ll need to gain the support of your leadership team. Demonstrate return on investment for managed services and have a successful conversation with your Board of Directors about your application security needs. SEE HOW
© 2016 Cigital | www.cigital.com | a j c b 10 Cigital is one of the world’s largest application security firms. We go beyond traditional testing services to help organizations identify, remediate, and prevent vulnerabilities in the applications that power their business. Our holistic approach to application security offers a balance of managed services, professional services, and products tailored to fit your specific needs. We don’t stop when the test is over. Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications. For more information visit us at https://www.cigital.com THE CIGITAL DIFFERENCE

Recommended

The Next Generation of Submission Intake and Clearance
The Next Generation of Submission Intake and ClearanceThe Next Generation of Submission Intake and Clearance
The Next Generation of Submission Intake and Clearance
Guidewire Software (formerly FirstBest Systems, Inc.)
 
CIA Quebec 11 Sept 2015 Presentation C Louis Final
CIA Quebec 11 Sept 2015 Presentation C Louis FinalCIA Quebec 11 Sept 2015 Presentation C Louis Final
CIA Quebec 11 Sept 2015 Presentation C Louis Final
Claire Louis
 
Legal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive DataLegal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive Data
Kayla Catron
 
Legal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive DataLegal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive Data
Bluelock
 
Ten Ways to Improve Specialty Lines Underwriting
Ten Ways to Improve Specialty Lines UnderwritingTen Ways to Improve Specialty Lines Underwriting
Ten Ways to Improve Specialty Lines Underwriting
Guidewire Software (formerly FirstBest Systems, Inc.)
 
Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015
Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015
Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015
Claire Louis
 
UpGuard - Complete Guide to Vendor Questionnaires
UpGuard - Complete Guide to Vendor QuestionnairesUpGuard - Complete Guide to Vendor Questionnaires
UpGuard - Complete Guide to Vendor Questionnaires
Mike Baukes
 
Business Mashups, or Mashup Business?
Business Mashups, or Mashup Business?Business Mashups, or Mashup Business?
Business Mashups, or Mashup Business?
guestc65425
 

Recommended

The Next Generation of Submission Intake and Clearance
The Next Generation of Submission Intake and ClearanceThe Next Generation of Submission Intake and Clearance
The Next Generation of Submission Intake and Clearance
Guidewire Software (formerly FirstBest Systems, Inc.)
 
CIA Quebec 11 Sept 2015 Presentation C Louis Final
CIA Quebec 11 Sept 2015 Presentation C Louis FinalCIA Quebec 11 Sept 2015 Presentation C Louis Final
CIA Quebec 11 Sept 2015 Presentation C Louis Final
Claire Louis
 
Legal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive DataLegal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive Data
Kayla Catron
 
Legal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive DataLegal Firms and the Struggle to Protect Sensitive Data
Legal Firms and the Struggle to Protect Sensitive Data
Bluelock
 
Ten Ways to Improve Specialty Lines Underwriting
Ten Ways to Improve Specialty Lines UnderwritingTen Ways to Improve Specialty Lines Underwriting
Ten Ways to Improve Specialty Lines Underwriting
Guidewire Software (formerly FirstBest Systems, Inc.)
 
Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015
Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015
Capgemini Consulting Claims Ops Model Alignment Program 3 13 2015
Claire Louis
 
UpGuard - Complete Guide to Vendor Questionnaires
UpGuard - Complete Guide to Vendor QuestionnairesUpGuard - Complete Guide to Vendor Questionnaires
UpGuard - Complete Guide to Vendor Questionnaires
Mike Baukes
 
Business Mashups, or Mashup Business?
Business Mashups, or Mashup Business?Business Mashups, or Mashup Business?
Business Mashups, or Mashup Business?
guestc65425
 
Top 8 Ways to Improve Underwriting Workflow
Top 8 Ways to Improve Underwriting WorkflowTop 8 Ways to Improve Underwriting Workflow
Top 8 Ways to Improve Underwriting Workflow
Guidewire Software (formerly FirstBest Systems, Inc.)
 
IT due diligence for private equity firm
IT due diligence for private equity firmIT due diligence for private equity firm
IT due diligence for private equity firm
WGroup
 
The Right System
The Right SystemThe Right System
The Right System
robrossi
 
Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Commercial Insurance Underwriting Business Process As Is Current State Diagra...Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Theresa Leopold
 
Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?
TechWell
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
West Monroe Partners
 
The prominence of it lifecycle assurance
The prominence of it lifecycle assuranceThe prominence of it lifecycle assurance
The prominence of it lifecycle assurance
Maveric Systems
 
P&C Claims Automation Solution - A Competitive Advantage
P&C Claims Automation Solution - A Competitive AdvantageP&C Claims Automation Solution - A Competitive Advantage
P&C Claims Automation Solution - A Competitive Advantage
Paragon Solutions
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
Insurance Claims Management: Improving Staff Capacity Using BPM
Insurance Claims Management: Improving Staff Capacity Using BPMInsurance Claims Management: Improving Staff Capacity Using BPM
Insurance Claims Management: Improving Staff Capacity Using BPM
Cognizant
 
Test_Engineer
Test_EngineerTest_Engineer
Test_Engineer
MAHESH CHINTALA
 
Detect Early Stress in Borrower Accounts
Detect Early Stress in Borrower Accounts Detect Early Stress in Borrower Accounts
Detect Early Stress in Borrower Accounts
Pratham Software (PSI)
 
SMART overview_ESG risk
SMART overview_ESG riskSMART overview_ESG risk
SMART overview_ESG risk
Paul Wenman
 
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
WCapra
 
ArrowMiner FAQs
ArrowMiner FAQsArrowMiner FAQs
ArrowMiner FAQs
dtsiolis
 
Procedural Risk Management
Procedural Risk ManagementProcedural Risk Management
Procedural Risk Management
Louis A. Poulin
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
Maganathin Veeraragaloo
 
Overview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesOverview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And Services
Waqas Zafar
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sun
vijaychn
 
Ta2.11 zeitz.16 jan17_unwdf_gis_event
Ta2.11 zeitz.16 jan17_unwdf_gis_eventTa2.11 zeitz.16 jan17_unwdf_gis_event
Ta2.11 zeitz.16 jan17_unwdf_gis_event
Statistics South Africa
 
University Makerspaces Serving the Community 服务社区的高校创客空间
University Makerspaces Serving the Community 服务社区的高校创客空间University Makerspaces Serving the Community 服务社区的高校创客空间
University Makerspaces Serving the Community 服务社区的高校创客空间
Patrick "Tod" Colegrove
 
Edgar
EdgarEdgar
Edgar
Edgar González
 

More Related Content

What's hot

Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Commercial Insurance Underwriting Business Process As Is Current State Diagra...Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Theresa Leopold
 
Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?
TechWell
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Corporater
 
SMART overview_ESG risk
SMART overview_ESG riskSMART overview_ESG risk
SMART overview_ESG risk
Paul Wenman
 
Overview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesOverview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And Services
Waqas Zafar
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sun
vijaychn
 

What's hot (19)

Top 8 Ways to Improve Underwriting Workflow
Top 8 Ways to Improve Underwriting WorkflowTop 8 Ways to Improve Underwriting Workflow
Top 8 Ways to Improve Underwriting Workflow
 
IT due diligence for private equity firm
IT due diligence for private equity firmIT due diligence for private equity firm
IT due diligence for private equity firm
 
The Right System
The Right SystemThe Right System
The Right System
 
Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Commercial Insurance Underwriting Business Process As Is Current State Diagra...Commercial Insurance Underwriting Business Process As Is Current State Diagra...
Commercial Insurance Underwriting Business Process As Is Current State Diagra...
 
Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?Static Testing: We Know It Works, So Why Don’t We Use It?
Static Testing: We Know It Works, So Why Don’t We Use It?
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
 
The prominence of it lifecycle assurance
The prominence of it lifecycle assuranceThe prominence of it lifecycle assurance
The prominence of it lifecycle assurance
 
P&C Claims Automation Solution - A Competitive Advantage
P&C Claims Automation Solution - A Competitive AdvantageP&C Claims Automation Solution - A Competitive Advantage
P&C Claims Automation Solution - A Competitive Advantage
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment QuestionnairesThird-Party Risk Management (TPRM) | Risk Assessment Questionnaires
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
 
Insurance Claims Management: Improving Staff Capacity Using BPM
Insurance Claims Management: Improving Staff Capacity Using BPMInsurance Claims Management: Improving Staff Capacity Using BPM
Insurance Claims Management: Improving Staff Capacity Using BPM
 
Test_Engineer
Test_EngineerTest_Engineer
Test_Engineer
 
Detect Early Stress in Borrower Accounts
Detect Early Stress in Borrower Accounts Detect Early Stress in Borrower Accounts
Detect Early Stress in Borrower Accounts
 
SMART overview_ESG risk
SMART overview_ESG riskSMART overview_ESG risk
SMART overview_ESG risk
 
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
 
ArrowMiner FAQs
ArrowMiner FAQsArrowMiner FAQs
ArrowMiner FAQs
 
Procedural Risk Management
Procedural Risk ManagementProcedural Risk Management
Procedural Risk Management
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
 
Overview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And ServicesOverview Of Benchmatrix Products And Services
Overview Of Benchmatrix Products And Services
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sun
 

Viewers also liked

University Makerspaces Serving the Community 服务社区的高校创客空间
University Makerspaces Serving the Community 服务社区的高校创客空间University Makerspaces Serving the Community 服务社区的高校创客空间
University Makerspaces Serving the Community 服务社区的高校创客空间
Patrick "Tod" Colegrove
 
Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...
Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...
Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...
Patrick "Tod" Colegrove
 
Maker Space & Entrepreneur Incubator
Maker Space & Entrepreneur IncubatorMaker Space & Entrepreneur Incubator
Maker Space & Entrepreneur Incubator
Patrick "Tod" Colegrove
 
Talento humano
Talento humanoTalento humano
Talento humano
mateo
 
The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆
The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆
The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆
Patrick "Tod" Colegrove
 

Viewers also liked (13)

Ta2.11 zeitz.16 jan17_unwdf_gis_event
Ta2.11 zeitz.16 jan17_unwdf_gis_eventTa2.11 zeitz.16 jan17_unwdf_gis_event
Ta2.11 zeitz.16 jan17_unwdf_gis_event
 
University Makerspaces Serving the Community 服务社区的高校创客空间
University Makerspaces Serving the Community 服务社区的高校创客空间University Makerspaces Serving the Community 服务社区的高校创客空间
University Makerspaces Serving the Community 服务社区的高校创客空间
 
Edgar
EdgarEdgar
Edgar
 
Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...
Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...
Makerspace and the Library: Active Learning, Innovation, and Design 主动学习、创新...
 
Cinthia t eoria
Cinthia t eoriaCinthia t eoria
Cinthia t eoria
 
Maker Space & Entrepreneur Incubator
Maker Space & Entrepreneur IncubatorMaker Space & Entrepreneur Incubator
Maker Space & Entrepreneur Incubator
 
2016年11月19日 AITCシニア技術者勉強会 第1回「Arduinoを使ってみる」
2016年11月19日 AITCシニア技術者勉強会 第1回「Arduinoを使ってみる」 2016年11月19日 AITCシニア技術者勉強会 第1回「Arduinoを使ってみる」
2016年11月19日 AITCシニア技術者勉強会 第1回「Arduinoを使ってみる」
 
2016年12月21日 AITCシニア技術者勉強会 第2回「センサに反応する総天然色イルミネーションを作ってみよう!」
2016年12月21日 AITCシニア技術者勉強会 第2回「センサに反応する総天然色イルミネーションを作ってみよう!」 2016年12月21日 AITCシニア技術者勉強会 第2回「センサに反応する総天然色イルミネーションを作ってみよう!」
2016年12月21日 AITCシニア技術者勉強会 第2回「センサに反応する総天然色イルミネーションを作ってみよう!」
 
Talento humano
Talento humanoTalento humano
Talento humano
 
Presentación1
Presentación1Presentación1
Presentación1
 
The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆
The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆
The Art of the Possible: Makerspaces and Academic Libraries 可能性的艺术:创客空间和高校图书馆
 
Flora fauna y primeros hab americanos
Flora fauna y primeros hab americanosFlora fauna y primeros hab americanos
Flora fauna y primeros hab americanos
 
Reimagining the Library – a Design Thinking Framework
Reimagining the Library – a Design Thinking FrameworkReimagining the Library – a Design Thinking Framework
Reimagining the Library – a Design Thinking Framework
 

Similar to managed-services-buying-guide

EHS Software Buyer Checklist
EHS Software Buyer ChecklistEHS Software Buyer Checklist
EHS Software Buyer Checklist
Anita Amelia
 
Vendor Compliance Management software
Vendor Compliance Management softwareVendor Compliance Management software
Vendor Compliance Management software
jugnuRana2
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)
Marie Peters
 
Warranty Analytics- Sailotech
Warranty Analytics- Sailotech Warranty Analytics- Sailotech
Warranty Analytics- Sailotech
Sailotech Private Limited
 

Similar to managed-services-buying-guide (20)

Top Software panies to Outsource.pdfTesting Com
Top Software panies to Outsource.pdfTesting ComTop Software panies to Outsource.pdfTesting Com
Top Software panies to Outsource.pdfTesting Com
 
EHS Software Buyer Checklist
EHS Software Buyer ChecklistEHS Software Buyer Checklist
EHS Software Buyer Checklist
 
How to Choose the Right VAPT Services Provider in India
How to Choose the Right VAPT Services Provider in IndiaHow to Choose the Right VAPT Services Provider in India
How to Choose the Right VAPT Services Provider in India
 
How to Choose the Best Software Testing Services Company
How to Choose the Best Software Testing Services CompanyHow to Choose the Best Software Testing Services Company
How to Choose the Best Software Testing Services Company
 
Vendor Compliance Management software
Vendor Compliance Management softwareVendor Compliance Management software
Vendor Compliance Management software
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)
 
Why Outsource Application Management?
Why Outsource Application Management?Why Outsource Application Management?
Why Outsource Application Management?
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firm
 
Vendor Management Buyers Guide
Vendor Management Buyers GuideVendor Management Buyers Guide
Vendor Management Buyers Guide
 
Software Management
Software ManagementSoftware Management
Software Management
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015
 
Choosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for BusinessesChoosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for Businesses
 
Why to outsource qa services
Why to outsource qa servicesWhy to outsource qa services
Why to outsource qa services
 
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
 
Warranty Analytics- Sailotech
Warranty Analytics- Sailotech Warranty Analytics- Sailotech
Warranty Analytics- Sailotech
 
EY Software Asset Management Advisory
EY Software Asset Management AdvisoryEY Software Asset Management Advisory
EY Software Asset Management Advisory
 
7 Steps To Developing A Cloud Security Plan
7 Steps To Developing A Cloud Security Plan7 Steps To Developing A Cloud Security Plan
7 Steps To Developing A Cloud Security Plan
 

managed-services-buying-guide

  • 1. Managed Services Buying Guide Managing security risk can feel like climbing a mountain. The terrain is rocky and the grade is uneven. Conditions can change suddenly, making it difficult to reach your goal. Even the most experienced climbers travel together to share the burden.
  • 2. © 2016 Cigital | www.cigital.com | a j c b 2 If you’re considering using managed services to address your cyber risk, you’re in good company. In the past year, 47% of companies used managed services for cyber security, up from 43% in 2014.2 It is more challenging than ever to keep your sensitive information and assets safe from cyber threats. There is a worldwide shortage of cyber security experts that reaches $1 billion in unfilled positions.1 Staffing an internal security team is expensive, particularly when you need experts that understand a range of potential threats and security strategies. It’s best to climb the mountain with a team to support you. Managed security services partners support a variety of cyber security tasks, including Identity and Access Management (IAM), Incident Response (IR), and Security Information and Event Management (SIM). These efforts are an important part of an overall security plan for companies that can’t afford capital expenditures to purchase tools or build out a Security Operations Center. That said, these types of managed services activities are typically passive. They involve monitoring and responding, not proactive work to lower the risk of a cyber attack. They also tend to ignore the one of the most important areas of security risk – applications. Why seek support from a managed service? Ninety-two percent of reported security vulnerabilities are lurking in applications, not in networks.3 Yet most companies do not have the deep skill set or the appropriate tools to address application security risk. What’s more, testing demands ebb and flow. When new threats come on the scene or business changes invite new risk, an internal team has only a fixed capacity to address vulnerabilities. Launches may be delayed if your team can’t keep up. On the other hand, if you staff up to meet short need, you may be overspending when demand decreases. A managed services partner who is a specialist in application security offers proactive security testing for web and mobile applications including static (SAST) and dynamic (DAST) assessments as well as manual business logic testing. In addition, a partner offers remediation guidance to fix software security bugs or flaws so you can prevent attacks before they happen.
  • 3. © 2016 Cigital | www.cigital.com | a j c b 3 Shifting from an in-house application security solution to a managed services model is a big decision. The assumptions you use to compare costs and benefits depend in great part on the partner you select. Use this Buying Guide to make sure the vendor you choose helps you reach the mountaintop – and realize the return you expect. It’s best to climb the mountain with a team to support you. Before you select a vendor, there are a host of questions to answer, requirements to define, and options to consider. Use the following as a framework for your discussions. 1 How do you test for vulnerabilities? Why it’s important to ask: Finding a managed services partner that has deep expertise in application security is key. A combination of tools and expert-driven manual analysis based on business context identifies and qualifies vulnerabilities in ways automated tests alone cannot. With this approach, results are true positives and remediation guidance is actionable. What to look for: A managed services partner that is a specialist in application security offers security testing for web and mobile applications including static (SAST) and dynamic (DAST) assessments as well as manual business logic testing for multi-step attacks. A managed services provider with broad responsibility for your application security shouldn’t just test individual apps. Rather, they should investigate your system architecture to flag vulnerabilities that occur when applications share information or rely on the same controls. Hybrid application and network testing is going to become more important for security, particularly as the Internet of Things (IoT) impacts how applications are accessed. Look for a managed services provider that also offers network-level assessment services. They should search for vulnerabilities in key areas such as router filtering, firewall filtering, visible network services, operating system software flaws, server application software flaws, known configuration errors, access management, and authentication controls. How to Choose the Right Partner for Your Security Journey
  • 4. © 2016 Cigital | www.cigital.com | a j c b 4 2 What is your pricing structure? Why it’s important to ask: Pricing for application security services should be transparent. Pricing against a standard set of requirements will help you make an apples-to-apples comparison of any managed services proposal you receive. The clearer the requirements are between you and a vendor, the more likely you are to receive the value you expect. What to look for: The amount you pay a managed services provider can depend on a variety of factors, such as: • Number of applications you expect to test • Mix of web and mobile applications • Number of applications that require in-depth, manual testing and business logic testing • Time period you want to conduct testing • Turnaround time you require to receive testing results • Type and quality of findings reports • Whether read-out calls with developers are included • Whether retests are included • How often business or product changes will impact application security, such as release schedules • Location that may impact compliance considerations or legal concerns impacting data storage • If you require services other than application testing and remediation, such as threat modeling or network penetration testing Once you have a common set of requirements, you can choose a partner based on expertise and approach. A partner that provides true positives and actionable advice may be more expensive than one who hands you a report of bugs and flaws with little guidance. However, with the right vendor your overall costs should decrease, as the time and effort for finding and fixing vulnerabilities will go down. With the right vendor your overall costs should decrease, as the time and effort for finding and fixing vulnerabilities will go down.
  • 5. © 2016 Cigital | www.cigital.com | a j c b 5 5 How do you address varying levels of criticality across an application portfolio? Why it’s important to ask: Not all applications require the same level of testing. If your partner tests all applications in the same way, you could be overspending. Time and budget could be better spent testing applications at an appropriate level. What to look for: Your partner should provide multiple levels of application security testing, from automated scanning that identifies common vulnerabilities to in-depth manual testing that focuses on business logic testing and exploiting application functionality. They should apply the appropriate level to each application. 6 Who will be on my account’s team? Why it’s important to ask? You rely on your managed services partner to stay up to date on the latest cyber threats and risk management strategies. The quality of service you receive is dependent on the expertise of the staff as well as their ability to apply that knowledge to your business and your applications. vendors may also offer packages that provide unlimited testing at any depth so that you don’t need to worry about costs increasing if your needs change. 4 How will you help us determine our priorities? Why it’s important to ask: Without prioritization, your team may spend countless hours trying to fix vulnerabilities that have little impact on your business, while ignoring others that introduce greater risk. What to look for: Findings from security assessments should have a standard severity rating scale and consistent read-outs so your team knows where to start remediation efforts. 3 How predictable will the budget be? Why it’s important to ask: Once you and your managed services partner agree on a price for services, you should be able to structure an agreement with a predictable price. You should not have to pay extra for customized reports and remediation of bugs and flaws or other hidden fees that catch you by surprise. What to look for: Your managed services provider should work with you to set up an agreement that incorporates diverse applications at varying levels of testing depth, covering multiple testing cycles. If you have unanticipated testing needs, you should be able to add a la carte services easily at a predetermined price. Some
  • 6. © 2016 Cigital | www.cigital.com | a j c b 6 What to look for: Your managed services partner should have engagement management and technical delivery staff with deep technical expertise, covering a breadth of technologies and business domains. They should take the time to build a relationship with your team in order to transfer knowledge most effectively. Your partner should offer an option to set up a credentialed pool of staff who will be the only staff accessing your data. 7 What types of assessment tools do you use? Why it’s important to ask: Some vendors use only tools they sell, or apply a simplistic approach to tool-based scans. The truth is, applications cannot be covered by one tool, whether they are related to banking, point- of-sale systems, or other business functions. Even for a single application, different tools may catch different vulnerabilities. Eliminating false positives requires tuning tools to your situation and comparing results of different tools against each other. What to look for: Look for a managed services provider to employ a combination of commercial, internally developed, and open-source tools so that they can serve the most appropriate testing techniques for the application under test. They should be able to customize rule sets to get the most out of a tool for your situation. Don’t let a managed services partner lock you into using a tool that they sell. If you have a tool you prefer, make sure they can use that as well. 8 What is your process to schedule or change requests for tests? Why it’s important to ask: You shouldn’t have to give up visibility or control over application security testing just because you are using a third party to help with execution. What to look for: Managed service providers should make it easy for you to control the assessment schedule and see status of tests requested or in progress. Commonly a managed services provider will offer a web-based portal for you to access and make changes at any time. Ask for a demonstration so you can test it out before making a decision. 9 How quickly will you provide results? Why it’s important to ask: You should expect a reliable, consistent time frame so that you can plan ahead and development does not slow.
  • 7. © 2016 Cigital | www.cigital.com | a j c b 7 What to look for: The answer will likely depend on the test depth required but you should expect results within three to five business days after test completion. The key is that your managed service provider should integrate the testing process with your development flow, regardless of your development methodology. For production tests, your provider should notify you immediately after qualifying the findings. 10 What deliverables are included with the results? Why it’s important to ask: Clarify with any potential partner that results for your tests will not simply offer a list of issues and generalized advice. Results will be much more valuable and save time in the long run if they help developers understand reported issues and more importantly, how to fix them. What to look for: Ask any potential provider for sample assessment reports. Reports should point out specific areas of risk and include detailed and relevant remediation guidance that goes beyond a list of findings. They should include analysis of aggregate issues to identify trends and systemic problems. To be most effective, results should include an active discussion between assessors and developers in the form of read-out calls. On an ongoing basis, your partner should provide on-demand remediation support. A proactive managed services provider will also deliver reports so that you can compare performance of different business units and demonstrate improvement over time. 11 How will your remote team access our confidential information? Why it’s important to ask: Your customers and employees put their faith in you to keep their information secure. Any partner you choose must take confidentially and data privacy as seriously as you do. What to look for: They should be able to provide options for accessing applications, whether that is via the cloud, or with a pool of staff provisioned with your laptop and VPN credentials for remote access.
  • 8. © 2016 Cigital | www.cigital.com | a j c b 8 1.“Information Security Jobs Unfilled as Labor Pains Grow,” Search Security, April 2015 2. Comptia 4th Annual Trends in Managed Services 3. NIST 12 What solutions do you provide that will help us reach our goals in the future? Why it’s important to ask: Not all managed services providers offer solutions to help your developers become more proficient at building security into their process. The more effectively you can help developers build secure software, the less time and money it will take to fix issues. What to look for: Your managed services partner should offer many options for remediation advice, from read- out calls to an on-demand help desk. They may also have additional consulting or training services to help you grow your software security initiative. Don’t Make the Decision Alone Remember that the team braving the security mountain includes multiple climbing parties, including different functions and business units inside your organization. As you gather resources to support the climb, an important part of the buying process is sharing a vision of success and gaining acceptance from your security staff, the development team, and executive leadership. Include stakeholders from different departments in the vendor selection process to make sure they are comfortable that you have addressed their needs. The more involved they are in early stages, the better prepared they will be to work together with a new partner. To ensure you’ll get the budget and executive support you’ll need, make sure you can demonstrate to company leadership that you’ll get the most return on your investment with the vendor you choose. As a result, you’ll pave the way for a successful transition that reduces risk and elevates security in the culture of your organization. You’ll be well on your way to the security mountaintop.
  • 9. © 2016 Cigital | www.cigital.com | a j c b 9 Next Steps Once you’ve decided to move forward with a managed services partner, you’ll need to gain the support of your leadership team. Demonstrate return on investment for managed services and have a successful conversation with your Board of Directors about your application security needs. SEE HOW
  • 10. © 2016 Cigital | www.cigital.com | a j c b 10 Cigital is one of the world’s largest application security firms. We go beyond traditional testing services to help organizations identify, remediate, and prevent vulnerabilities in the applications that power their business. Our holistic approach to application security offers a balance of managed services, professional services, and products tailored to fit your specific needs. We don’t stop when the test is over. Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications. For more information visit us at https://www.cigital.com THE CIGITAL DIFFERENCE