While web application security testing has achieved a relatively stable cost and risk model, most organizations still struggle with mobile appsec testing. Mobile is fundamentally different, making it traditionally more difficult and expensive to test.
Many organizations struggle with mobile appsec testing due to a lack of resources, technology challenges, insufficient skills and a lack of understanding about the costs and economics of various testing options. At the same time, they face ever-increasing levels of risk, particularly in industries commonly targeted by hackers.
In the end, security leaders can feel trapped between the need to manage risk and the available budget. What they may not realize is that organizations can deploy automated tools that deliver continuous security testing every day for less than half the cost of an outsourced pen test. Let’s examine four common cost models and consider how to deliver maximum efficiency for minimal cost and risk.
The following chart depicts the stark choices and compelling opportunities for organizations to evaluate.
Whether attributed to an obsession with web apps or the technical challenges of mobile appsec testing, a surprising number of organizations do not perform any formal mobile app security testing. They may invest in testing the web app and assume mobile performs similarly. Or perhaps they lack the tools or requisite expertise.
While this offers the cheapest option at zero dollar cost, they could lose a fortune should a breach occur: damaged reputation, plummeting share price, loss of customer confidence, and hefty remediation costs. All told, the average data breach cost organizations $3.86 million or $148 per record in 2018, according to the Ponemon Institute’s “2018 Cost of a Data Breach Study: Global Overview.” Frankly, it’s just not worth the risk.
Recognizing the need to test mobile app security, an organization may opt to hire a pen tester. This typically entails spending several months to recruit a pen tester who cobbles together a kit of open-source tools, scripts and time-consuming push-button testing. A manual pen test typically takes about one to two weeks to complete and costs roughly $5,000 in labor and tools.
If an organization builds and releases daily and conducts a manual pen test once per month, that would cost about $60,000 per year. Realistically no one can afford this. And while this helps contain the risk, it’s cost prohibitive and still leaves gaps in coverage between daily builds and monthly testing.
Recognizing lack of time, resources and expertise, organizations often outsource mobile app penetration testing. NowSecure and other third-party experts offer such services. But at a cost of $15,000 – $25,000 per test and a two- to four-week turnaround, most organizations can only afford to do this once per year.
And with new mobile app releases occurring weekly or even daily, the risks mount after a pen test is completed until it’s conducted again a year later. While better than the high cost model, this gap in coverage between the annual pen tests creates substantial risk. Increasing the frequency of penetration testing to quarterly would drive the cost up to $60,000 per year, an unattractive proposition given that you could conduct monthly in-house pen tests for the same annual investment.
Like so many other processes in an organization, mobile appsec testing can turn to automation. An automated toolchain powers the shift from agile to DevOps to drive maximum efficiency and faster release cycles. While DevOps touches developers, quality assurance, operations and production teams, security has mainly been left behind.
But now mobile app DevOps and security teams can take advantage of a new innovation for mobile appsec testing in the dev toolchain, NowSecure AUTO. NowSecure AUTO plugs into the CI platform to automatically test mobile app security every build every day — even multiple times per day.
The testing tool completes tests in less than 15 minutes, automatically feeds tickets back to developers, and provides machine-driven accuracy, repeatability and depth of testing to squeeze out risk. For less than the cost of a pizza and 12 pack of beer every day, an organization can fully automate mobile appsec testing for every build (once or more per day) for the best economics and lowest risk.
The mobile app security risks are real, but the economics are real too — exacerbated by the complexity of testing mobile apps on mobile devices. With the advent of DevSecOps, the cost and risk profile for mobile app development has changed, and automated tooling like NowSecure AUTO has stepped up to fill the gaps.
There is a tremendous financial and risk-mitigating advantage to using modern technology and best practices. Simply put, for less than half the cost of just one annual outsourced pen test, an organization can deploy NowSecure for automated mobile app security testing in the dev toolchain for the lowest cost and risk. The economic choice is a no-brainer.
Schedule a demo to see how NowSecure AUTO can bring affordable mobile appsec testing to your security and DevOps teams.