As a profession, application security is ever-changing. Even if two applications operate in the same market domain, serving comparable business use cases, their structure and functions will vary significantly. Some (of the many) variables that influence this variation include the programming language and style chosen by developers, product engineering team culture, company priorities, and the platforms used. So, for application security to be effective, it can’t rely on a one-size-fits-all approach.
To ensure that all applications are secure, regardless of their individual complexities, organizations must employ dedicated application security teams. These teams must have the knowledge and experience to identify potential threats and vulnerabilities in the software being created. They must also be able to develop the necessary security controls and countermeasures to protect the application.
Application security is a critical piece of any organization’s overall information security posture and should not be taken lightly.
By understanding the unique variables that influence each application, and by instituting an effective application security program, your organization can better protect its data and reduce the risk of a security breach.
Take, for example, penetration testing. This is a practice area that appears to be well established in the application security market. However, even a single demand such as this might make or break an early conversation in today’s environment. For one prospective client, the need may be to complete the test solely from a compliance standpoint, while another prospect’s requirement might be for proactive software security. There are many more who have on-site assessment teams and frequently seek the counsel of a third party. Others who are further along the maturity curve may be seeking to improve their game by combining tool automation with a supplementary form of manual assessment. I’m not even thinking about how difficult it would be to keep track of all the service’s names: is it called penetration testing, security testing, vulnerability testing, or VAPT (which is actually a combination of two different types of testing)?
This is just one small example that points out how difficult it can be to take a one-size-fits-all approach to application security. Even if an organization has a dedicated application security team in place, that team must continually adapt and evolve its approach as the threats and vulnerabilities change. By taking a tailored approach to application security, your organization can better protect its data and reduce the risk of a security breach.
These varied demands are the end result of buyer personas that emerge from varying levels of informed decision-making, and TSPs need to adapt their positioning accordingly. Otherwise they might bore an experienced buyer or overwhelm a novice practitioner, especially in high-variance products such as security tooling, security regression and threat modeling. While it is true that losing an overwhelmed prospect could be the outcome of effective client segmentation, there are other factors at play here.
Scoping inquiries, such as the ones listed below, may significantly assist technology marketers in striking the right note with their prospects and elevating the first encounter’s experience.
- What is the motivation for the penetration test? Is it compliance regulation, internal validation, business drivers, their customers’ needs, etc.?
- What are they specifically looking for from a third-party partner? Is it external certification, a specialized approach, uncovering logic flaws, etc.?
- What is the current appetite (measured in resource bandwidth and budget) to take on your advanced offering (such as automation, regression, etc.)?
- How security aware are the developers? Can they take the findings to their logical conclusion through successful remediation?