Top 7 Strategies for Overcoming IT Talent Shortages
Learn from Cenzic's Chris Harget as he describes the top strategies for maximizing security effectiveness of current staff and resources. Specifically, you'll learn:
- Symptoms you are short-handed
- Key indicators for which strategy will maximize value from existing staff and resources
- Creative tips for convincing your organization to make changes
The current market environment makes finding, training and retaining the right IT employees challenging. Challenges or not, you can gain the skills to protect your organization from excessive security risk. This presentation is a great place to start.
4. Know The Signs
Incomplete picture of security posture
Backlog of untested applications
Slow remediation when app vulnerabilities discovered
Things done wrong/done twice
Too many long shifts
Open reqs, hiring freezes, “irreplaceable” departures
No vulnerability monitoring of production apps
Data Breaches
Cenzic, Inc. - Confidential, All Rights Reserved.
5. The Need Is Significant
[Chart] Source: Cenzic Application Vulnerability Trends Report 2013
6. Mobile App Vulnerability Types - 2012
[Chart] Source: Cenzic Application Vulnerability Trends Report 2013
7. Benchmarks For IT Security Staffing…
…Are Really Hard To Come By.
How many security analysts/100 apps?
That depends on:
– Size of apps
– Depth of scan desired
– Coding practices
– Scanning frequency
– Quality of scanning tools
– Division of labor with QA/Dev/Production/GRC
8. Know Your Specific Shortage
Not enough bodies
Not enough time
Not enough skills
Not enough tools
10. Bodies: Finding/Hiring/Renting
Job titles include:
– Application Security Analyst/Architect
– Penetration Tester
– Application Security Engineer/Tester/Specialist
– Ethical Hacker
If you can’t hire locally, consider managed services
– May be easier/faster than getting increased headcount
– Helps jump-start process
11. Time: Prioritize, Specialize, Automate
Prioritize
– Are you mitigating the biggest risks first?
Specialize
– What tasks are best done by your team?
– e.g., remediation, management
– What tasks can be offloaded?
– e.g., Dev trains app traversals or Managed Service runs scans
Automate
– Leverage Enterprise-grade tools
12. Talent/Skills: Train, Borrow, Rent
Train
– How to scan, coding best practices, how to manage
Borrow
– Get Developers for app training & Remediation
– Get QA for re-running scans
Rent
– Managed Services can augment specialized tasks
13. Tools: Quality and Quantity
Quality
– More accurate scanners improve security and save time
– Quantified app risk scores enable optimal risk mitigation
– Enterprise dashboard shows total risk and trends
Quantity
– Web-based app-training tool goes everywhere needed
– Having enough seats for each Analyst, Developer, QA, GRC, and Executive leverages the whole organization
14. Top 7 Strategies
1. Hire
2. Prioritize
3. Specialize
4. Automate
5. Train
6. Borrow
7. Rent
8. Quality/Quantity
16. Justifying Resources
Non-technical people need non-technical explanations
– Keep it simple
– Use cost-benefit for budget
– Use relative-risk for reallocating people
Quantified risk is easier to understand
– E.g., Cenzic’s HARM™ scores
Bonus: Watch “Top 10 Ways To Win Budget for Application Security”
https://info.cenzic.com/webinar-security-budget.html
17. Making the Case Simply…
Hackers use hidden Application commands to steal data and damage web sites.
Gartner Group says 75% of attacks now target the Web Application Layer.
Scanning tools and App Security experts help efficiently find and patch these vulnerabilities.
18. Detects Web & Mobile App Vulnerabilities
Easy-to-use Software, DIY Cloud, or Managed Service
Accurate behavior-based Scanning protects
– 500,000+ online applications
– $Trillion+ of commerce
Delivers best continuous real-world Risk Management
19. Tools
Cenzic Enterprise
– Unified console
– Web-based app-configuring makes it easier/more affordable for people all over your enterprise to contribute
– E.g., Developers can define traversals of their own apps
20. Application Vulnerability Monitoring In Production
[Diagram] Identify Risk + Mitigate Risk = One-click virtual patching via tight integration with leading Web Application Firewalls
21. Managed Services Offerings – At-a-glance
Tiers:
– Bronze: Industry best practices for brochureware sites
– Silver: Industry best practices for forms and login-protected sites
– Gold: Compliance for sites with user data
– Platinum: Comprehensive scans for mission-critical applications
Coverage areas (the original slide is a matrix marking which areas each tier includes):
– Phishing
– Light input validation
– Data security
– Session management
– OWASP compliance
– PCI compliance
– Business logic testing
– Application logic testing
– Manual penetration testing
22. Compliance in a Hurry
Who?
– A Health Maintenance Organization
Need?
– Deep scan of a new application on a tight development schedule to ensure compliance.
Solution?
– Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning to provide a very thorough scan which could suffice for any compliance or audit need.
23. Rapid OnBoarding of New Apps
Who?
– A Fortune-100 Banking and Services company
Need?
– Quickly begin scanning 110 applications
Solution?
– Cenzic PS did a Custom Onboarding Engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software.
Result?
– Met their timeline needs, and kept the scanning results in-house, per their corporate policy.
24. Methodology Assessment With Developers
Who?
– Global NGO with thousands of web sites
Need?
– Methodology Assessment of their security posture, and real-world training of their Developers
Solution?
– Cenzic PS did a 3-day engagement with their App Developers.
– Reviewed the 10 most common vulnerabilities, found examples in their production apps.
– Cenzic PS demonstrated on a Live Demo site how a hacker could exploit those specific types of vulnerabilities.
– Reviewed coding best practices to completely eliminate said vulnerabilities.
25. Vulnerability Scanning a Mobile App
Who?
– High technology company with a mobile application that accessed sensitive customer data
Need?
– Vulnerability scan a mobile app that cannot be traditionally traversed with a spider.
Solution?
– Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line to the mobile app, which allowed technicians to replay various attacks, and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.
26. Fitting Strategy to Your Need
1. Hire
2. Prioritize
3. Specialize
4. Automate
5. Train
6. Borrow
7. Rent
8. Quality/Quantity
27. Cenzic Can Help
Train your people
Give them better gear
Have someone else carry the baton