Top 7 Strategies for Overcoming IT Talent Shortages

Cenzic Live! Webinar: Top 7 Strategies For
Overcoming IT Security Talent Shortages

Chris Harget Product Marketing
1

Agenda

 Symptoms

 Strategies

 Finding The Win

2

Cenzic, Inc. - Confidential, All Rights Reserved.

Symptoms Of IT Security Talent Shortage

3

Know The Signs
 Incomplete picture of security posture
 Backlog of untested applications
 Slow remediation when app vulnerabilities discovered
 Things done wrong/done twice
 Too many long shifts

 Open reqs, hiring freezes, “irreplaceable” departures
 No vulnerability monitoring of production apps

 Data Breeches

4


The Need Is Significant

Source: Cenzic Application
Vulnerability Trends Report 2013
5


Mobile App Vulnerability Types - 2012

Source: Cenzic Application
Vulnerability Trends Report 2013
6


Benchmarks For IT Security Staffing…
…Are Really Hard To Come By.
 How many security analysts/100 apps?
 That depends on;
– Size of apps
– Depth of scan desired
– Coding practices

– Scanning frequency
– Quality of scanning tools
– Division of labor with QA/Dev/Production/GRC
7


Know Your Specific Shortage
 Not enough bodies

 Not enough time

 Not enough skills

 Not enough tools
8


Strategies For Overcoming IT Security Talent Shortage

7.2

9

Bodies: Finding/Hiring/Renting
 Job titles include;
– Application Security Analyst/Architect
– Penetration Tester

– Application Security Engineer/Tester/Specialist
– Ethical Hacker

 If you can’t hire locally, consider managed services
– May be easier/faster than getting increased headcount
– Helps jump-start process

10


Time: Prioritize, Specialize, Automate
 Prioritize
– Are you mitigating the biggest risks first?

 Specialize
– What tasks are best done by your team?
– e.g., Remediation, Management,
– What tasks can be offloaded?
– e.g., Dev trains app traversals or Managed Service runs scans

 Automate
– Leverage Enterprise-grade tools

11


Talent/Skills: Train, Borrow, Rent
 Train
– How to scan, coding best practices, how to manage

 Borrow
– Get Developers for app training & Remediation
– Get QA for re-running scans

 Rent
– Managed Services can augment specialized tasks

12


Tools: Quality and Quantity
 Quality
– More accurate scanners improve security and save time
– Quantified app risk scores enable optimal risk mitigation
– Enterprise dashboard shows total risk and trends

 Quantity
– Web-based app-training tool goes everywhere needed
– Having enough seats for each Analyst, Developer, QA,

GRC, and Executive leverages whole organization

13


Top 7 Strategies

1. Hire
2. Prioritize

3. Specialize
4. Automate

5. Train
6. Borrow

7. Rent
8. Quality/Quantity
14


Justifying Resources
 Non-technical people need non-technical
explanations
– Keep it simple
– Use cost-benefit for budget

– Use relative-risk for reallocating people

 Quantified risk is easier to understand
– E.g., Cenzic’s HARM™ scores

 Bonus: Watch “Top 10 Ways To Win Budget for
Application Security”
https://info.cenzic.com/webinar-security-budget.html
16


Making the Case Simply…

 Hackers use hidden Application commands to
steal data and damage web sites.
 Gartner Group says 75% of attacks now target
the Web Application Layer

 Scanning tools and App Security experts help
efficiently find and patch these vulnerabilities.

17


Detects Web & Mobile App Vulnerabilities
 Easy-to-use Software, DIY Cloud, or Managed Service
 Accurate behavior-based Scanning protects
– 500,000+ online applications
– $Trillion+ of commerce

 Delivers best continuous real-world Risk Management

18


Tools
 Cenzic Enterprise
– Unified console
– Web-based app-configuring makes it easier/more

affordable for people all over your enterprise to contribute
– E.g., Developers can define traversals of their own apps

19


Application Vulnerability Monitoring In Production

.Identify Risk

=

+
Mitigate
Risk

=

 One-click virtual patching
via tight integration with leading
Web Application Firewalls
20


Managed Services Offerings – At-a-glance
Bronze

Silver

Industry BestPractices for
Brochureware
sites

Phishing
Light input
validation
Data Security
Session
management
OWASP
compliance
PCI compliance
Business logic
testing
Application logic
testing
Manual
penetration
testing - Confidential, All Rights Reserved.
21
Cenzic, Inc.

X

Gold

Platinum

Industry BestPractices for forms
and login protected
sites

Compliance for
sites with user
data

X

X

Comprehensive
scans for Mission
critical
applications
x
x

X

X

X

X

X

X

x
x

X

X
x
X
X

x
x
x
x

Compliance in a Hurry
 Who?
– A Health Maintenance Organization

 Need?
– Deep scan of a new application on a tight development

schedule to ensure compliance.

 Solution?
– Cenzic PS performed Manual Penetration testing along

with the comprehensive vulnerability scanning to provide
a very thorough scan which could suffice for any
compliance or audit need.

22


Rapid OnBoarding of New Apps
 Who?
– A Fortune-100 Banking and Services company

 Need?
– Quickly begin scanning 110 applications

 Solution?
– Cenzic PS did Custom Onboarding Engagement,

training each app traversal so that the Bank’s IT
Security Analysts could then run scans
themselves using Cenzic Enterprise software.

 Result?
– Met their timeline needs, and kept the scanning

results in-house, per their corporate policy.

23


Methodology Assessment With Developers
 Who?
– Global NGO with thousands of web sites

 Need?
– Methodology Assessment of their security posture, and

real-world training of their Developers

 Solution?
– Cenzic PS did a 3-day engagement with their App

Developers.
– Reviewed 10 most common vulnerabilities, found
examples in their production apps.
– Cenzic PS demonstrated on a Live Demo site how a
hacker could exploit those specific types of vulnerabilities
– Reviewed coding best practices to completely eliminate
said vulnerabilities.

24


Vulnerability Scanning a Mobile App
 Who?
– High technology company with a mobile

application that accessed sensitive customer
data

 Need?
– Vulnerability Scan a mobile app that

can not be traditionally traversed with a spider.

 Solution?
– Cenzic Mobile Scan service performed a dynamic

analysis by placing a proxy in line to the mobile app,
which allowed technicians to replay various attacks
and coupled it with a thorough forensic analysis of
the application on the device to identify
vulnerabilities that exposed customer data.
25


Fitting Strategy to Your Need

1. Hire
2. Prioritize

3. Specialize
4. Automate

5. Train
6. Borrow

7. Rent
8. Quality/Quantity
26


Cenzic Can Help
 Train your people
 Give them better gear
 Have someone else carry the baton

27


Questions?
request@cenzic.com or 1.866-4-Cenzic
Blog: https://blog.cenzic.com
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Top 7 Strategies for Overcoming IT Talent Shortages

Recommandé

Recommandé

Contenu connexe

Dernier

Dernier (20)

En vedette

En vedette (20)

Top 7 Strategies for Overcoming IT Talent Shortages