How to find the perfect security partner for your company
An external security partner provides a valuable service: security testing, paired with objective advice on how to keep your applications secure. They often make the difference between protecting your data and suffering a breach, and that means you don’t want to hire just anybody — you want to hire the right security partner for your company’s needs.
Not all advisors are created equal, so you’ll want to choose carefully and consider a variety of factors: Do you need a product or a service? A tool-centric or human-centric partner? What specialization does your company need?
Download Ted's free ebook, "How to secure your software faster and better."
Different companies have different security needs, and by gaining an understanding of the main differences between security providers, you can select the right partner to protect your assets.
Products vs. services
First, you’ll want to decide what form your security solution should take. There are three types of security companies: companies that sell only products, companies that sell only services and companies that sell both.
Assuming your goal is to find and eradicate security vulnerabilities so you can build secure software systems, that goal requires an advisor. By definition, that’s a service, so you can rule out product-only companies (note: you will need products too for aspects of your security program; but for the sake of this article, we’re just talking about the testing and advisory aspects). Furthermore, be leery of companies that sell both services and products if those services result in buying their product. For example, their consulting might inform you of a security issue that just so happens to be solved by a product they sell. That brings into question the integrity of the recommendation in the first place.
For these reasons, I’d recommend you look for a company that only sells services (or sells services and products as long as the products are not the solution to the problems the service will discover). This way, you can trust that the advice they give you solves your problems, and isn’t distorted by a motivation to sell a product.
Tool-centric vs. human-centric
Second, once you’ve identified a few security-partner candidates, figure out whether they offer a tool-centric or human-centric service. Many “service” companies are just running an automated tool and presenting it as a service. You can’t scan your way to security excellence.
Instead, you want to find an advisor who has smart, experienced experts who can help you solve your problems with the creativity that comes with being a human. The work needs to be manual.
To find the truth about a company’s service, ask questions: Is their advice personalized? Who does the work? What are their qualifications? How much is automated? What data and reports will you receive? Dig until you understand exactly what you’re paying for.
What is their specialty?
Lastly, after you’ve narrowed down your candidates to just a few options, you’ll want to focus on their specialties. Make sure their area of expertise aligns with your business’s needs.
Some companies will present themselves as experts in everything. Be wary of that; no one is the expert in everything. Most companies, however, do have a specialization, even if they have a wide range of capabilities. Ask what their single strongest area is, and that should help guide you.
Vet the companies’ qualifications to ensure that they’re as good as they claim to be. Look for research they’ve published, talks they’ve given at industry conferences, documentation on their methodology, and the deliverables they give to clients. If any of these are lacking or missing altogether for a given security company, consider ruling them out.
Find the right security match for your company
A security company might be incredibly skilled at what they do, but if they aren’t a great match for your company’s needs, they won’t be your best choice.
11 courses, 8+ hours of training
Remember, as an external partner, it’s not just about security testing: this company will also serve an advisory role in guiding your company’s security practices. Like a personal trainer, they apply years of experience. They point out where your form is bad and help you fix it. They hold you accountable. They make you better.
For the best results, choose a service-based, human-centric company that specializes in the area you need most. Look for these traits, and you’ll find a partner who can help you achieve security excellence.
In this Series
- How to find the perfect security partner for your company
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security