Anti-FAQs
You have heard of frequently asked questions, but what about common objections? Below we have answered some of the most common protests we hear, to give you more information during your decision process.
“My application is already secure because ...
“... I use AWS and our tech stack is modern.”
Although AWS is a great tool, it still has vulnerabilities and weak spots. There are a variety of ways that cyber criminals can hack into your application, regardless of AWS or a modern tech stack. Take the Log4J2 vulnerability, for example. Apache rated this vulnerability as Critical with a CVSS score of 10 (out of 10), which indicates imminent impact, and it affected applications built on AWS. Even though your application may seem secure, proactiveness and regular penetration tests can ensure your application is well protected.
“... my developers are senior-level and have worked on lots of products before.”
We believe you, and we are not doubting your developers. Programmers certainly have a lot on their plates, and while security has been a burning issue in recent times, it hasn't been a top priority for developers. A survey of more than 200 developers conducted a few years ago identified half a dozen priorities of developers. In order of importance, they were functions and features as specified or envisioned, performance, usability, uptime, maintainability and, at the bottom of the list, security. Even though your developers have worked on lots of products before, without proper and up-to-date knowledge of secure coding best practices it is hard to ensure a secure application. Software Secured offers secure coding courses based on the OWASP Top 10 Risks; click here to learn more.
“... we don’t store any PII in the app itself.”
PII aside, there is other damaging information that hackers can access and exploit. PII is just the tip of the iceberg; there are various routes to exploiting vulnerabilities. Hackers can source digital authentication credentials, including API keys, security certificates, database credentials, and anything else that provides access to systems and services. The rise of island hopping attacks highlights the urgency of security even if no PII is being stored. Hackers using island hopping attack methods pose a risk to third-party vendors, because attackers leverage integrations that store PII.
“I’m usually doing an annual penetration test, which is enough for my compliance requirements. I don’t think I need to do it more frequently”
You are right. That is enough for compliance. But, is that enough for your customers and your application’s well-being?
Penetration testing as a service (PTaaS) goes deeper than the compliance requirements. PTaaS gives you the ability to test at the speed of DevOps, get quicker feedback to your developers, and reduce the costs of fixing vulnerabilities by finding and patching them right away. You may only need a penetration test once a year, but the longer a vulnerability sits in your application, the more you are at risk for a data breach, or a costly fix.
“My current penetration tester is good, so I don’t need to change.”
When you don’t know what other vendors offer, it’s hard to measure whether you’re working with the right vendor for your application. In today’s cyber security landscape, it is becoming increasingly popular to use multiple vendors for the most accurate and in-depth coverage. There are many vendors that do penetration testing, but very few have the same unique offerings as Software Secured. Software Secured not only tests your application, we get to know it on a deep level over time. We prioritize becoming familiar with your products across our full team so that you save time on onboarding pentesters or re-explaining what your application does. You will receive white glove support from start to finish, along with detailed reporting and recommendations for remediation.
It’s okay to be comfortable with your current pentest vendor. But, can we ask you a few questions?
1. Does your current penetration tester rely on traditional methods of penetration testing, such as delivering reports over email or Slack channels? Or would you prefer to work with a pentesting company that offers a centralized pentest management platform to organize multiple projects in one place?
2. Does your current penetration tester operate in a gig economy, so you cannot work with the same team or the same penetration testers for each project? Or would you prefer a company that lets you work with the same team members across your projects?
3. Does your penetration tester offer above and beyond support, through each step of the penetration testing process?
“It sounds like the portal increases the time that my developers spend on tracking and reporting issues?”
The Portal is designed to give project leads a central organization point for multiple projects, to ease operations and focus on SLAs. Through traditional methods, penetration testing reports are delivered via email or Slack channels, where they can get lost or end up in the hands of the wrong person.
Through Portal, you can now manage and track admins, view your security posture, identify the severity of your unresolved issues at a glance, quickly download your most recent reports & certificates, and more. See the demo of Portal here.
“My CEO/CFO is not sure why we should spend money on a penetration test.”
Good question. There are a few reasons why penetration tests add value to your business beyond compliance and security. At its core, penetration testing is a business decision, not just a security decision. Cyber crime cost businesses in the United States more than $3.5 billion in internet-related cyber crimes and damages, according to a 2019 Federal Bureau of Investigation (FBI) report. More than ever, security is a critical facet of company success, and survival. The average vulnerability and breach pose a huge problem for C-level teams seeking to differentiate their products and services from today’s competition. If you are a B2B company, a penetration test is something you can’t afford to skip. Penetration testing and secure applications are the biggest piece of evidence to your clients that you take their security seriously. Securing data via penetration testing provides a combination of satisfied customers, lower costs, higher availability, data protection and zero reputation hits due to lack of security. If a vulnerability or exposure is detected in your application, in many geographical locations you must disclose it, which can have a substantial impact on your business’s reputation and customer satisfaction. Integrating security practices is a healthy step toward growing your business in the right direction.
See here for more information on why security matters.
“I think this would be good for my business but I don’t think it is something I can afford right now.”
Totally understandable. There are a variety of factors that go into price. You may be early in your organization's development, or your security budget may be smaller due to uncertain economic conditions. Software Secured offers a variety of services at a range of prices. Just because your security budget is not at enterprise levels doesn’t mean you can’t have enterprise security. Contact us below to chat with our team and find a solution that fits your business. Security can be practiced in your organization in a variety of ways, and it doesn't always have to be expensive. If penetration testing isn't something you can fit into your security budget now, you should still consider adopting other easily integrated security practices. By integrating these practices, it's easier to earn compliance and grow your app in the future. Want to see how? Download the CTO playbook here.
“I can get a cheaper penetration test elsewhere.”
This is true. There are a variety of penetration testing companies that offer penetration testing cheaper than Software Secured. The problem is that many pentesting providers on the market offer automated testing that mimics open-source scanners, and don’t often take the extra steps to really understand your application. Software Secured’s main priority is quality in security. Our team of experienced ethical hackers dedicates a copious amount of time to understanding your application logic through threat modeling, performing reconnaissance, manually testing deep layers of your application, and reporting detailed findings (with steps to reproduce & remediate, so that you’re sure there are no false positives). If price is your main focus, we might not be the right fit for your organization. If you are focused on quality and customer support through the pentest & post-test processes, we are the company for you.
"I want to take care of the low-hanging fruit before getting a penetration test."
There should be no need to pre-patch vulnerabilities before a pentest so that your application appears more secure in the results. The point of a pentest is to mimic a real-life attack on your system, based on the actual security procedures and systems that you practice day-to-day.