4. 8.4bn: the number of records exposed in Q1 2020
273% increase from 2019
Mostly from the web
The Covid-19 ripple effect
5. Launch now, test later?
• Web application is the #1 attack vector for data breach
• 44% of organizations don't test the security of their web apps before launch
• Knowing your security posture is more important than ever
6. Cyber hygiene is your best defense
• Yes. The benefits gained are very valuable
• Find the backdoors – or things your automated tools miss
• Risk prioritisation
• Improve detection and alerting (OWASP Top 10 2017 A10)
• Validate your controls
• Comply with local, national and international regulations
• It helps fill in the blanks from your automated scanning
8. This is what you think you pay for
A 10 day total penetration test at an agreed ‘day rate’ ($750-$1,000+)
Test application (10 days / $7,500)
$$
9. But what about these costs
Tender (2 days / $1,000)
Appoint company, negotiate contract (5 days / $2,500)
Scope, agree start date (2 days / $1,000)
The day rate of your in-house staff ($500)
Your 10 day test is really 15 – 20 days
Upfront cost + test application (10 + 9 = 19 days / $12,000)
+ 9 days, + $4,500
$$$$
10. Wait, there’s even more costs
A 10 day test is likely 8 days of testing, with 1 day of report writing and 1 day of hand over, and maybe some delays thrown in during testing
Upfront cost + test application (19 – 2 = 17 days, but the cost is still $12,000)
Review the report (3 days / $1,500)
Create remediation issues (2 days / $1,000)
Remediate (10+ days / $5,000)
Adding another 15+ days and $7,500 = potentially $19,500!!
$$$$$$
11. The real cost of that $750/day test
$$
$$$$
$$$$$$
• Go to tender
• Find your supplier
• Scope out the app
• Negotiate the contract
• Review the findings
• Add them to your issue tracking / backlog
• Remediate
13. You don’t get what you pay for
• Delays happen when you are not ready for the testers
• Testing can impact production, leading to a rescope and loss of time
• Wait for the report to be written
• Your ‘10 day test’ probably results in 5 days of manual testing effort
14. It costs you more money and delivers less value
• You think of the ‘test’ as a number of ‘man days’. It’s a false economy: you miss all the other costs before and after the test
• Your test is likely 50% automation with some review of findings, a day for the report and a day for the hand over
• You cannot work on remediation until the test finishes (delays) and you have been given the report
• Likely you will be juggling false positives and subjective findings, with no real way to query or clarify the issues
• You cannot easily verify that your development teams have fixed the issues reported
And yet you still do it
16. Next Gen Appsec program
• Annual contracts
• Pool of testing, requested on demand
• Zero false positives
• Findings posted to UI, available for remediation during testing
• Direct access to the analysts
• Ability to request verification of remediation activities
• Customers save time & money whilst being able to request testing that suits their timelines and SDLC processes
17. Continuous assessment for critical applications
• 365 monitoring
• Daily assessments
• Regular manual assessment
• Findings presented as soon as they are assessed
18. On demand for everything else
• Like major streaming TV stations: you tell us when you want to consume a license
• Fixed fee – know the cost upfront
• Up to thirty days of manual testing and remediation advice
• No false positives
19. Old vs New: build application security resilience
Old: hidden costs per test
New: fixed upfront cost
Old: you test when you can, and pause your Dev.
New: test continuously, or on demand, as part of the Dev process
Old: you remediate long after the test has finished
New: you remediate whilst the test is still ongoing
$$
20. #StandByYou during Covid-19
Talk to us to find out how to take advantage of our security testing offers to maintain your cyber hygiene
https://marketing.outpost24.com/mkg/standbyyou-during-covid-19