If you've reviewed CA Veracode's case study, you know it revolves around a large financial services firm that approached CA Veracode for help with an upcoming PCI audit. Though the firm initially requested assistance with this specific security need, it became clear that true compliance in any field requires far more than a single engagement. As IT security best practices dictate, security must be more of a mind-set than something you take interest in when necessary.
In light of the firm's success with CA Veracode, check out these four core takeaways, which teach all businesses using mobile apps the benefits of continual (versus scheduled) security testing. Continual testing is a far more valuable, reliable practice; without it, you may expose your firm to huge, costly problems down the line.
This first point is especially crucial for companies under regulatory bodies. Since you don't always (or even often) get to review the source code your third parties produce, verifying their work is up to snuff isn't always easy — and manually testing every build for compliance with internal and external standards just isn't feasible.
That's why you should test everything your vendors send you before any product is complete. While you may set exact intervals at your discretion, this is something cloud-based application security platforms can do for you. They compare the software third parties provide to the policies and procedures to which your firm expects all software to adhere. This, combined with various remediation techniques, ensures future deployments meet your standards. Compared to checking on a set schedule, issues are found (and underlying development issues are remediated) faster, more efficiently and more cost effectively — benefits that improve the health of a whole organization.
How would you rather receive feedback on a long project: all at once, or in smaller bites as you go? For those of us who don't like to see months' worth of work shoved on our respective plates all at once, the answer is clear — especially if you're concerned about fixing similar errors that may show up in the future.
Going back to the case study, that's exactly what the financial services firm was able to do, and most of the process was automated to boot. Any errors or teaching opportunities the firm found were directly related to PCI compliance, not a general set of IT security best practices. (Good third-party security solutions do that, too, but in this case these were the things the auditors needed to see.) Remediating in smaller chunks helped over one hundred of the financial services firm's developers learn about specific events and retain the concepts for future projects.
In the end, everything comes down to the two currencies businesses truly have to spend: time and money. Catching errors and vulnerabilities early in live apps helps prevent possible security breaches down the line. Catching them prior to deployment prevents all that, plus the sunk cost of extra work that needs to be scrapped and recreated when a bug is found.
Business bonuses aside, however, a more secure product is good by its own merits. Security flaws are awful for the people affected by them. You wouldn't want to be on the receiving end of identity theft, or even know that someone might have access to your accounts or other personal info. Combined with the (admittedly crucial) financial benefits, continual software testing just makes sense.
If you've worked in development for a long time, you likely realize that the way companies use and deliver software is much different from what it was before. Our development practices need to evolve, too — and the current test-as-needed security attitude is one of the first things that should go. Fixing errors early is safer and more cost efficient; that makes continual testing one of the best IT security practices any organization can move to.
If you have concerns about your company's current security practices, find a trusted, third-party security provider who can address them with you. Whether you have questions about first-party training, issues with third-party vendors or anything else in the security sphere, these experts make sure the products you build are in line with your standards as you build them.
As far as IT security best practices go, continually testing a product is a great way to keep secure before, during and after a product's deployment. Once you see that in action, you'll understand just how valuable it is.