- History of the Company
- Size of the Company
- Areas of Expertise
- Reputation
- Pricing
History of the Company
Has the company been around for decades or did it just pop up yesterday? A company that has been around for a number of years may indicate stability and returning customers. If the company is brand new, you need to perform due diligence on its viability to ensure the company won't go out of business during your project.
Tip: Ask the company who its longest retained customer is and why they keep coming back.
Size of the Company
The size of the company you are considering should be taken into account. A large company may have more resources but may also be less flexible. A smaller company may be more nimble and easier to work with but may not have as many resources. Consider what is important to your business and make a decision accordingly.
Tip: Larger companies are known for performing a 'bait and switch' of the expert on the initial call with a junior resource when it comes time for delivery. Always ask who exactly will be working on your project.
Areas of Expertise
The company you choose should have a good understanding of application security and be up-to-date on current threats. They should also have experience with the type of applications you are using. For example, if you have a mobile app, you will want to make sure the company has experience assessing mobile apps. Make sure to ask about their areas of expertise during the selection process.
Tip: Network penetration testing and application security assessments are two entirely different disciplines. Ensure that the company that you're working with knows the differences and can explain their methodologies for testing.
Reputation
The reputation of the company is important. You will want to read reviews and talk to other companies who have used their services. A good way to get started is by asking for referrals from your network. Once you have a few companies in mind, you can start doing your own research.
Tip: Always ask for a past client reference with a similar project to the one you're looking to undertake. Insist on having the reference call without the company being on the phone so that their client can speak freely and not feel unduly pressured to say nice things.
Pricing
Last but not least, you will want to consider pricing when making your decision. Some companies charge hourly while others charge per project. There are pros and cons to both pricing models so it is important to understand what pricing model makes sense for your business before making a decision.
Tip: You often get what you pay for. If the price sounds too good to be true, it likely is. If the price is ridiculously high, the company may not have properly scoped your project.
Choosing an application security assessment company does not have to be difficult if you know what factors to consider. History, size, areas of expertise, reputation, and pricing are all important factors that should be taken into account during the selection process. Once you have considered all of these factors, you will be well on your way to finding the right application security assessment company for your business!
Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.