9

Everything on OWASP's top 10 list, how do current small businesses (< 1000 employees) handle web application security, along with mobile security of their applications?

Do they care about info/app security? Do businesses of this size pay for static code analysis, or penetration testing? Or do they use some open-source framework/software to test?

Bill the Lizard
  • 6,731
  • 4
  • 19
  • 28
CodeTalk
  • 193
  • 3

5 Answers

10

My experience is it depends on industry, regulations, and business relationships (not necessarily company size).

Examples:

  • <10 person company, building a web app that retrieves credit history, they were required by business partners to have a full webapp pentest
  • <50 person company, building a web portal allowing customers to view point of sale information, they fell under regulatory requirements (PCI) and partner requests to have their portal pentested
  • <5 person start-up trying to sell their web app to a bigger business, they were required to get their app evaluated for security during due diligence (code audit + pentest)
  • nearly all businesses building banking/financial web apps, in my experience, have to do something to show security is evaluated and usually for regulatory reasons (code audit + pentest)

Many smaller businesses choose pentesting over code auditing because it is typically cheaper (and they may not have access to all the source code if they utilize other commercial components).

Tate Hansen
  • 13,714
  • 3
  • 40
  • 83
8

Short answer: NO.

It is indeed shocking to know that most companies do not care about the security stature of their product or are ignorant about it. Usually, the QA teams in these companies perform the testing, and maybe the test cases would include some attack vectors for XSS, SQLi etc. But I'm pretty sure that they would not have a dedicated process for security testing, either threat modelling / code analysis / pen-testing. How do I know this? By talking to people (both technical and non-technical) during mass career events, so I imagine you could take this answer with around 70% confidence.

sudhacker
  • 4,260
  • 5
  • 23
  • 34
  • This answer is wrong. From my work experience (< 1000 employees all the time), they use SCA, pentesting etc. Probably not as much as a Fortune 500 but it is done (Belgium) in most of the cases that I encountered. And it went further than the OWASP top 10. – niilzon Mar 31 '17 at 13:20
  • niilzon - I agree. It was wrong in 2012 and is far more wrong now. That whole "how do I know this" bit is very misguided. I could as easily say I have worked with over 1000 companies, and just under 100% are aware of the security stature of their product and fight to do what they can about it within tight budget constraints. – Rory Alsop Mar 31 '17 at 15:32
7

I work with everything from small local businesses to Fortune 100 and FTSE 100 companies and one of the things I do find is that all sizes of company are trying to do something about security. Sure, the extent to which a small company can implement some security controls is limited by budget, but there certainly isn't a 100% correlation with big corporates doing it better than small companies.

Often small financial companies (150 employees, say) are the best at this - implementing full information lifecycle management functionality including secure code development all the way through to secure destruction at end of life. For OWASP's top ten, there is nothing there that is out of reach of a company of this size. What it will come down to is what their motivation is:

  • If they are regulated, they will do what is required to pass audit
  • If they store personal information they will try to make sure they meet data protection requirements wherever they are
  • If they hold valuable intellectual property they will place controls to protect it
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • FWIW, I'm in the same geographic area and industry as Rory and totally agree. Some large organisations (even in finance) can make a complete mess of IT Security, i.e. "too big and complex" to ensure compliance. – Callum Wilson Jan 10 '13 at 11:00
2

I think that for many small businesses, it is easier to hope that it doesn't happen to you than to spend more on security than you did on creating the website.

Given 1) the ease of hacking SMBs and 2) the relatively low risk, one would think that on a risk/return basis, these would be the prime targets for hackers.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
2

I am seeing and hearing about small businesses making attempts towards more integrated rather than reactive security measures.

Examples:

  • Building in security tests into their requirements and automated testing suites
  • Developers including static analysis tools (whether code-quality or security) in their development environments or even build process
  • Including security hardening configurations in their IaaS/PaaS system provisioning
  • Using web scanners (usually open source or cheap, such as W3AF) as part of pre-deployment processes

This seems to more often be the case for teams with talented dev and devops teams that can't afford manual, point-in-time (and ongoing) external security testing.
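As an added illustration of the "static analysis tools in the build process" point above (this is example code written for this page, not something posted in the thread or taken from any named tool), here is a minimal AST-based check that a small team could run as a CI gate. It walks Python source and flags calls to `execute`/`executemany`/`executescript` whose SQL text is assembled at runtime with an f-string, `%`, `+` or `str.format()`, which is the classic injection pattern from the OWASP top ten. The `SAMPLE_SOURCE` module, the `SQL_SINKS` set and the `Finding` type are all constructed for this example.

```python
"""Added example for this page: a tiny static check, suitable for a CI job or
pre-commit hook, that flags SQL queries built by string formatting.  Everything
here (sink names, sample source) is constructed for illustration."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# DB-API cursor methods whose first argument should be a constant,
# parameterised SQL string.  Assumed set; extend for your own data layer.
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int
    reason: str


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return why `node` builds a string at runtime, or None if it is static."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used as SQL"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):
            return "%-formatting used as SQL"
        # 'a' + 'b' with only literals is harmless; flag only if an operand
        # is not a plain constant (a name, call, nested concat, ...).
        if isinstance(node.op, ast.Add) and not all(
            isinstance(side, ast.Constant) for side in (node.left, node.right)
        ):
            return "string concatenation used as SQL"
    if isinstance(node, ast.Call):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "format":
            return "str.format() used as SQL"
    return None


def find_sql_injection_sinks(source: str) -> List[Finding]:
    """Parse `source` and report every SQL sink whose query text is dynamic."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SQL_SINKS):
            continue
        reason = _dynamic_string_reason(node.args[0])
        if reason:
            findings.append(Finding(line=node.lineno, reason=reason))
    return findings


def build_gate_passes(source: str) -> bool:
    """True when the source has no findings; a CI job would fail otherwise."""
    return not find_sql_injection_sinks(source)


# Constructed sample module: three unsafe query constructions and one
# correctly parameterised query (lines 7, 8, 9 are the unsafe ones).
SAMPLE_SOURCE = '''
import sqlite3

def lookup_user(conn, username):
    cur = conn.cursor()
    # Unsafe: caller-supplied text formatted straight into the query.
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    # Safe: placeholder with a bound parameter.
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''


if __name__ == "__main__":
    for f in find_sql_injection_sinks(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason}")
    print("gate passes:", build_gate_passes(SAMPLE_SOURCE))
```

In a real pipeline the script would be pointed at the repository's `.py` files and made to exit non-zero when `build_gate_passes` is false, so the finding blocks the merge rather than appearing only in a report. A check this narrow will miss queries assembled elsewhere and passed in by name, which is why it complements rather than replaces the pentests and code audits discussed in the other answers.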