Return on Investment – ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk – or the perceived elimination of risk.
Security vendors use that burden to their advantage – promising ROI in the form of risk elimination; “At that given time.’ Up until this point, our fellow security professionals have been satisfied with that perceived security. Plug in a WAF; see “X” blocked bad requests. Run a penetration test; get “X” results. That return is tangible and helps our colleagues sleep better at night. Therein lies the problem. It’s a static, perceived, point-in-time return on a fixed, one time (or semi-recurring) investment. But just as a new car loses it’s value once driven off the lot, the value of that return decays the moment you push new code, release a new version, issue a fix, or otherwise expand or alter your threat landscape.
We know we don’t need to tell you about the modern, agile, perimeter-less world we’re frightfully doing business in, and yet the solutions we bring in to defend against modern attacks haven’t caught up. At the same time, modern security professionals don’t have the time or resources to constantly reinforce and reinstate those solutions. And even if we did, would it do any good?
Enter modern security solutions that deliver continuous return while building additional tangential and relevant value. To join forces with agile development teams and defend against attackers in a constantly evolving and growing threat landscape, companies big and small are adopting solutions like bug bounty programs and Next Generation WAFs.
Next Generation Web Application Firewall
The value of a Next Generation Web Application Firewall (NGWAF) is very different than a traditional WAF– it’s value hinges on attack visibility. When traditional WAFs first came to market their was an incredible focus on blocking all known bad requests. The problem is that unlike traditional firewalls, that analyze more predictable network protocols, WAFs were detecting requests in your web application that have a changing footprint in day to day usage. This made measurements of ROI an impossible task. The problem with ROI in a WAF world is that without visibility into attack data and results, we can not effectively prove that we are gaining any security value.
Modern Applications Require Even MORE Attack Visibility
Fast forward to today, where time between deployments is measured in minutes rather than months, and a modern application stack is composed of microservices, APIs, and web interfaces. In this environment an NGWAF has to answer three primary questions:
- What are the attacks attempting to do to my app?
- Where are the attacks occurring within my app?
- Are the attacks successful?
Adding instrumentation and visibility to answer these questions is a primary differentiator of an NGWAF. Once you can answer the REAL attack questions you can positively announce a REAL ROI. If you don’t have enough visibility in your application stacks to answer these three fundamental questions then consider adding instrumentation via an NGWAF. When NGWAF instrumentation is in place, it actually enables you to deploy faster, safer, and with a positive ROI. Remember, “If you can’t measure it, you can’t determine your level of success.”
Bug Bounties
If you know anything about bug bounties, you know they consistently deliver truly valuable results (when done well), but require constant investment of time and resources, as well as ongoing commitment.
You pay for results, and you pay as it happens. Unlike traditional penetration tests in which testers are compensated for their time and effort, bug bounty programs reward researchers strictly based on real valid and actionable bugs. What sets bug bounties apart from traditional application security testing doesn’t stop at the pay-for-results and phenomenal ROI.
Continuous value, continuous confidence
By nature, bug bounties welcome hackers from around the world, with differing skill sets, levels of expertise and perspectives, to deliver continuous security testing on your terms. Because of the volume of the various backgrounds and locations, crowdsourcing allows researchers to test apps at all times. As in any marketplace, researchers test when the odds of finding results are greater, which is why, when programs first kick off, the untouched targets are very popular. Then, after that initial activity, when programs are updated, targets are added, or new versions are released, researchers come back.
Unlike traditional point-in-time solutions, bug bounties provide testing on an ongoing basis, with increased value when it’s most needed. Also unlike traditional methods, investment follows the same guidelines. What is more, the return associated with crowdsourced security programs produces return more than just results – in the form of confidence. With such depth and breadth of testing, you can be sure that even if the results aren’t pouring in, the best hackers gave it their all, and came up empty handed. If that’s not confidence in the perceived elimination of risk (and a good night’s sleep) I don’t know what is…
Intangible value: Reputation, Relationships & Internal Education
As previously mentioned, each researcher brings a different perspective to the table, resulting in a diverse testing knowledge base when multiplied by the thousands of researchers in the crowd. What’s more, however, is the intangible value in the group as a whole. The value in creating lasting impressions, goodwill and positive communication with this very influential group of people is intangible but incredibly powerful. No pen test or scanner will ever be able to make that claim.
Additionally, bug bounty programs offer an opportunity to create a more realistic feedback loop in which all parties are personally invested. The back and forth communication and clarification that ensues, provide a great tool for internal education around secure coding practices, integrating with your SDLC, and prioritizing fixes appropriately. Those activities will only further boost your reputation within the hacker community, and provide your team with the visibility and intel to build more secure products.
One + One = Three; Bug Bounties + NGWAF
Bug bounties are continually testing your most important applications while NGWAF stands in the way of these attacks while providing visibility into attack data in real time. In isolation both NGWAF and bug bounties provide great visibility and data into real work attack patterns and risks against your application. Together NGWAF plus bug bounty programs allow enterprises to leverage continuous assessment against continuous defense resulting in a significant amount of attack telemetry. This telemetry helps you prioritize processes, improvements, and resource spend in every aspect of your application security program. In essence the ROI of bug bounties and NGWAF together are greater than the sum of the two.
As applications and attack surfaces get more complex, development cycles get quicker, and modern attackers get more creative and are more incentivized, we must make the commitment to adapt. By embracing continuous, smarter solutions, we can move beyond the perceived elimination of risk, and make inroads to invest in real results on a continual and realistic basis.
Big thanks to Signal Sciences who co-wrote this blog post.
