What Does Application Security “as a Service” Really Mean?
It is fairly straightforward, yet its meaning and value can vary. Formally defined, “as a Service” refers to a subscription-based delivery model designed to give customers maximum flexibility with little to no overhead. The same concept applies in cyber security, where vendors often manage a particular piece of technology for a customer, an arrangement that can also include services.
The as a Service delivery model has evolved tremendously over the years and now takes many forms, from the foundational Software as a Service (SaaS) to the emerging Penetration Testing as a Service (PTaaS) – and there’s even a term for Anything as a Service (XaaS). Adoption of the delivery model continues to expand: analysts expect the market to grow 24% by 2024, and Gartner anticipated that all new software providers and the majority of existing vendors would offer subscription-based business models by the end of 2020.
NetSPI recently launched Application Security (AppSec) as a Service to help organizations manage and mature their application security programs. To navigate the evolving landscape and better understand its value, this blog explores what it really means to deliver something as a Service and why an as a Service partnership for application security is valuable.
Four core attributes of an ‘as a Service’ partnership
It’s important to note that purchasing something as a Service does not necessarily mean you are outsourcing that product or service to a third party. The terms are often used interchangeably; however, they differ greatly. Recognizing the difference between outsourcing and entering an as a Service partnership is key to understanding the true value of the delivery model.
Four core attributes define an as a Service offering and contribute to the success of the program:
- Collaboration: A successful partnership enables collaboration and information sharing between vendor and client on a much deeper level. Because the vendor should serve as an extension of a client’s team, they receive internal context that allows them to provide the needed technical depth, while also driving efficiency through technology innovation.
- Scalability: The ability to scale up or down to meet capacity and performance requirements is core to an as a Service partnership. It is essential for your vendor partner to work with you to forecast capacity needs and allocate the necessary resources. Vendors should not only be able to scale up during a time of need, but also to redirect capacity to other areas when demand is lower.
- Automation: Process automation helps free up your team members’ and vendor partners’ time to focus on more strategic initiatives. Any as a Service offering should incorporate some level of automation. For example, with NetSPI’s AppSec as a Service, automation and tools are deployed to support manual testers in finding application vulnerabilities that tools alone cannot.
- Continuity: Relationships such as an as a Service partnership need to be continuous to be most effective. Having continuity in your vendor partnership allows for greater understanding of business processes, the threats an organization is most likely to face, and techniques for preventing cyber-attacks. A long-standing relationship also supports trending data collection to track progress over time.
The value of Application Security as a Service
When I talk about an “as a Service partnership”, I mean that NetSPI, as a partner, works inside a client’s program as an extension of their team.
With an AppSec as a Service partnership, clients gain dedicated technology and leadership that supports a scalable team of application security testers. It is a modular and scalable approach to application security, composed of multiple components that may be deployed as a complete program or individually and integrated with existing processes and technologies. We invest significant time, resources, and budget into onboarding our experienced consulting team into the client environment, with its specific nuances and requirements. We perform oversight and cross-checks to ensure expectations are met, to identify areas within the parameters of the project that may require more attention, and to report the findings we uncover back to client-side leadership.
Throughout the partnership, there are touchpoints at the executive, technical, and project levels. At the executive level, we look at the metrics, communications, and structures in place to align to the program thematically. At the technical level, there is collaboration around process, technology toolsets, and ways to automate in a high-volume environment. And at the project level, we evaluate our resource planning, communications, and alignment with the client-side team.
There are many ways an organization can benefit from an as a Service partnership for its application security program. Here are a few to note:
- Add context to an environment. AppSec as a Service enables organizations to gain context inside of their applications by deepening their insight through technical testing and collaboration. The delivery model helps both client- and vendor-side teams better understand the attack surface to target its weaknesses.
- Reduce time managing expectations. Create more meaningful touchpoints inside an organization and build trust by not having to manage multiple vendors doing different things through different processes. A single source of truth for all application security activities, one that is integrated into your program, eliminates chaos around remediation.
- Support during staffing shortages. My colleague Florindo Gallicchio said it best in his 2021 predictions. He wrote, “Cyber security leaders will be challenged by filling roles that require candidates with mid- to senior-level experience – and entry-level job openings will continue to be in high demand. Because of this, companies will need to do more with fewer people. This will result in increased adoption of program-level partnerships with third parties or using vendors to fill in-house positions at scale.”
- Identify the right metrics. Goal alignment is clear-cut with AppSec as a Service, given that the vendor is aware of the day-to-day application security activities, has a direct line of sight into the goals and objectives of the program, and understands a business’s most valuable – and most vulnerable – assets. With this enhanced insight and context, your partner can help identify which metrics to track to communicate program progress and Return on Investment (ROI) to the leadership team.
Whether it is application security, penetration testing, software, infrastructure, or anything else, an as a Service delivery model can provide immense value to any organization. As these offerings continue to evolve and more vendors jump on the as a Service bandwagon, use the criteria above to evaluate potential providers and ensure you’re getting the most out of the relationship.