4 June 2020 – Managed services have emerged as the preferred way to address application security concerns and lighten the burden on internal teams. A managed services provider gives you elastic application security testing capacity. When your AppSec testing load is light, you can handle testing yourself. But when you need more resources, you engage your provider and pay only for the services you need, when you need them.
Managed application security testing allows you to skip the overhead costs that come with hiring, retaining, and equipping an internal team, only to have them sit idle during less intense testing periods. Plus, a highly skilled and efficient managed services team frees up your employees to focus on other core business activities. In fact, a 2019 survey by Continuum found that 77% of small businesses expected to outsource at least half of their cyber security needs within the next five years.
But deciding to use managed services is only the start. It’s also critical to find the right managed services provider. Here are a few things to consider when searching for the best provider to meet your business needs.
6 mistakes to avoid when choosing a managed services provider
- Ceding control: Even if you outsource all day-to-day application security work to a managed services provider, you’re still in charge of your software security strategy. Choose a provider who gives you complete control over test timing and depth.
- Limiting visibility: Make sure you have full visibility into testing activities and results, and ongoing communication with your provider. Providers who value visibility have cloud-based portals that you can access at any time for an aggregate view of test results.
- Underestimating growth: Look for a service provider that lets you increase the number of applications to test, and the depth of testing, without breaking the bank.
- Choosing a managed services provider that loves their tool: Some service providers might limit you to using their own testing tools. If you prefer a specific tool, make sure your managed services provider can incorporate it into your testing plan. To get the best results, use multiple tools.
- Relying exclusively on automated testing: Automated tests can produce a large number of false positives. Manual testing is necessary to uncover multi-step penetration scenarios and to identify the most critical vulnerabilities. Make sure your provider includes human analysis to help prioritize results.
- Choosing a provider that leaves all the fixes to you: The right managed services provider will help you interpret the results and extend remediation support specific to your technical risk and business objectives. Expect your testing provider to hold read-out calls with your developers and offer ongoing support to address security issues.