The two most commonly cited reasons by CTOs, software engineering managers and SaaS executives for not conducting penetration tests on their cloud software and mobile apps are:
- We’ve never been hacked – why would we spend on penetration testing?
- Penetration testing is too expensive, I can’t afford it.
Are you being ignorant about investing in penetration testing?
On face value, both reasons sound reasonable. But let’s quickly tackle the first, which I think is a case of ignorance.
Ask yourself, do you only get car insurance for your car after it gets stolen?
As hackers become more sophisticated and strategic, in many cases companies don’t even know they have been hacked for months on end. The recent attacks on Instacart and Nutribullet are classic examples of why it doesn’t pay to take a “head in the sand” approach to your application security.
The risk of being attacked, anecdotally at least, is even higher when you publicise a successful capital raising, investment discussions or acquisition talks.
As our co-founder Ayush Trivedi put it:
“Application security investments are like insurance policies. The annual payments might rankle you, but you end up smiling ear-to-ear when that same policy helps you dodge one of life’s unexpected fires.”
How expensive is cloud software penetration testing?
Most people answer this question in the simplest terms: a penetration testing services provider charges x amount for a project, therefore penetration testing costs x amount.
But it’s never that simple. That figure above doesn’t consider important contributing factors and the potential costs of inaction (all figures from a recent IBM cybersecurity survey):
- It takes companies 197 days to identify and 69 days to contain a breach.
- The cost alone of notifying customers about a breach averages $740,000 in the United States.
- The average cost per lost or stolen record is $148.
- Companies that deploy security automation have a 55% lower average breach cost than those that don’t.
- On top of the remediation costs, you will be fined. Fines will vary depending on where you are based, but if you fall under GDPR regulations then you could be fined €20 million or 4% of your company’s worldwide annual revenue of the previous financial year.
I think you will agree that paying even a 5-figure amount for web app penetration testing is more palatable than shelling out for the costs above!
So while penetration testing isn’t nearly as expensive as something like Oracle E-Business Suite testing tools and services, it is amazingly beneficial in terms of ROI.
So what is the real cost of penetration testing?
Penetration testing costs vary depending on the application that needs to be tested and a few other key questions about the nature of the outcomes you want to achieve:
- Is your goal just a secure app or are you looking for a different ROI?
- Do you know the frameworks against which you want your penetration tests performed?
- What outcomes will help your dev team minimise the time they spend fixing security vulnerabilities?
- Do you want an automated vulnerability scan or full grey-box penetration testing?
- Do you have accreditations like ISO27001 or SOC2 that require this pen test?
- What user stories/data in your application do you consider high risk?
- How will you ensure that vulnerabilities don’t re-appear during future sprints?
With so many variables to consider, you can understand why it is so difficult to provide just one cost for a web or mobile app penetration testing project.
However, as a general rule of thumb, you should ask serious questions about the robustness, relevance and worth of any web application penetration testing project that costs less than US$5000.
Just as not all car mechanics are skilled or accredited to work on all types of cars, not all penetration testers have the know-how and experience to conduct penetration tests on all types of cloud applications.
How to reduce penetration testing costs for cloud software?
This is a great question and unfortunately one that is not asked nearly often enough.
Contrary to popular belief, penetration testing is just one element (although still an important element) of a cohesive and effective modern application security program.
You can do three simple things to ensure that your penetration testing expenses are minimised on a per-project basis or because you have to conduct fewer penetration tests throughout the year:
- Build application security into your product development process, right from the design phase. An easy-to-use application security checklist can help you ensure that your team is incorporating all the necessary security controls into your cloud software before a single line of code is written.
- Ensure that your web application and its infrastructure are configured with the right HTTP security headers – these headers are your first line of defence and will help your application repel many attempted attacks. Use the free HTTP security header analysis tool available at CyberChief.ai to conduct your audit.
- Conduct regular vulnerability scans on your application and infrastructure using smart, cloud-based automated penetration testing tools like Cyber Chief.
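The security-header audit in the second point can be reproduced in-house. The checker below is an added example written for this article, not the CyberChief.ai tool or any Audacix code; the header names, the one-year HSTS floor and the two sample responses are constructed for illustration.

```python
# Hypothetical checker written for this article, not the CyberChief.ai tool; audits
# a response's headers against the baseline security headers the text refers to.
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds, the commonly recommended floor

def _hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header value, or 0 if absent."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every baseline check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(h["strict-transport-security"]) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # Clickjacking: accept either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings

# Constructed sample responses: a weak default and a hardened configuration.
WEAK_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Run it against the headers your own server returns (for example, a `requests.head()` response's `.headers`) and treat any non-empty findings list as an item for the next sprint.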
By putting this type of application security program in place you can have greater certainty and stress less about getting hacked. Given that increased stress leads to a higher chance of breaking teeth, you will also be spared the cost of visiting a dentist to fix your chipped or broken teeth.
Donna is a cybersecurity marketing analyst at Audacix. World-class SaaS and digital software teams use Audacix’s penetration testing services to avoid “oh s**t Mondays”!
If you want to ship your SaaS with zero security holes and fewer bugs, talk to the Audacix team now.