You finally have some budget to buy tools for your application security (AppSec) program! GREAT! Purchasing the right tools for your AppSec program can be overwhelming. Even when looking only at point solutions, there may still be confusion about the value that various tools provide. Sometimes you'll find the perfect tool, but another vendor offers a similar tool with manual penetration testing (MPT) added as part of an overall bundle. That seems like a great idea for the budget. Let's dive in and see what kind of value these bundled offerings really provide.
First, let's cover the shortcomings of other Automated Tools + Manual Penetration Testing bundles. This is going to be pretty high level and will avoid comprehensive deep dives for ease of consumption. If you read anything, read the short bulleted list!
Who is doing your MPT as part of this engagement?
Veracode has world-famous authors and hackers on its MPT teams. Please reach out and ask for our MPT team profile, then google them! Chances are that your bundled MPT is being conducted by offshore teams to provide cost savings.
Apps don't get great coverage with bundled MPT
When MPT is bundled, it is a light engagement. Ask for the regular, unbundled pricing so you can see the difference. Typically you can gauge the depth of the bundled offering by comparing the retail price of one day of MPT to what the bundle includes.
Cheap MPT and any other labor-intensive-based offerings DO NOT SCALE!
Think about it. MPT on demand? Do they have people staffed and waiting for you to make a request? How is it that the queue is not long? Likewise, claimed false-positive rates of less than 1% that depend on manual scrubbing of results DO NOT SCALE. Remember, anything labor-intensive requires people being on payroll and WORKING. If they are not WORKING, they are on stand-by. We all know that no one is hired to be on stand-by.
Why Veracode’s Manual Penetration Testing value can NOT be beaten
Veracode's value in MPT can be summarized in four major points: single pane looking glass reports, comprehensive security analysis value, remediation and AppSec program assistance, and scalability.
Single pane looking glass report
Veracode has a single pane looking glass capability that is unmatched in the industry. You can purchase Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing, then generate a report with all the findings in one PDF, in the context of a single application. With our big data analytics tools, you can then generate views of the security posture of the entire organization's portfolio, or of a single team's applications.
Comprehensive security analysis value
If you are already a customer of our automated tools, then MPT with Veracode generates a value proposition that CAN NOT be beaten. For example, if you are running daily or weekly SAST, DAST, and SCA checks, MPT will skip all the findings already in those reports. This lets our testers spend their hours finding the more complex and nefarious issues that automated tools simply cannot.
With other MPT offerings, the vendor must use the hours and will not know to skip the low-hanging fruit that our tools already caught, such as SQL injection, cross-site scripting, and so on. Since other vendors don't have access to the same analysis, they must generate as many findings as they can per hour. When you compare MPT offerings hour for hour against Veracode, you will find that Veracode can do more with an hour of MPT than any other vendor can.
Remediation and AppSec program assistance
Other vendors won't have the experience in providing remediation advice or AppSec program assistance that Veracode has. Don't spend hours looking for answers. Speak to one of our services experts to help you fix the findings we generate or to help manage your application security program. This is not an extra add-on; it is included upfront, so it is easy to forecast and budget. If your security or dev teams have questions, Veracode is there to help.
Scalability
No other vendor can scale like Veracode. In our automated tools, we don't lean on manual labor to generate better findings. Where we do, there is always a plan to automate it as soon as possible. That means you can scale your AppSec program. Whether you scan 10 apps or 1,000 apps, your scan is just another scan in our cloud.
Our cloud-native technologies scale by default. We were cloud before cloud was a word. Our technology was born on the internet. Scaling to meet customer demand is easy to do: we don't require manual labor to scale up or scale out. It's all in our cloud-based DNA.
Our services have been in place for years. You can lean on our experience to help drive your AppSec program. We don't need to hire more people in anticipation of your purchase; we already have the teams and the customer base to support our services infrastructure. Your org is just another org in our services-based DNA!
*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by [email protected] (jmazo). Read the original post at: https://www.veracode.com/blog/managing-appsec/mpts-value-at-veracode