Short answer: frequently. Probably more frequently than you currently are. Security is an ongoing process: you’ll need to regularly reassess your system for vulnerabilities. If you want to do it right, though, cadence matters. The right reassessment interval for most apps is every three to six months. Some require more or less frequency, but most fall into this range. However, many companies think about security only annually or every two years. Some consider it even less frequently than that.
Download Ted’s free ebook, “How to secure your software faster and better.”
People tend to follow these inappropriately long timelines because somehow the idea of “annual” testing has become a commonly referenced idea. However, the world changes rapidly, especially when it comes to technology — this inherently changes your security posture since your last round of security testing. Furthermore, attackers are evolving at a relentless pace — if you aren’t reassessing your security often enough, it’s only a matter of time before they have the advantage. But it’s not too late to get back on schedule!
The risk of waiting to reassess
First, let’s talk about why you don’t want to defer security reassessment for too long. When you wait too long to reassess your company’s application, you undermine your own security mission. For perspective, think back to a year ago, and consider what your technology looked like. Consider what your industry looked like. A lot has changed, right? And don’t forget that your attackers have evolved, too. So why would it make sense to wait so long to reconsider security, with that much changing? It doesn’t. If you hit the right cadence, you account for change. If you wait too long, you cede the advantage to your attackers. You leave yourself unnecessarily exposed for too long. That can be a costly and avoidable mistake.
Finding the right reassessment cadence
So how often should you perform security assessments? The time frame between assessments should be driven by a variety of factors, such as how rapidly you develop, how valuable your assets are, how much of an attack target you are and how frequently your customers need assurance. As these factors increase, your time frame between assessments must decrease. Unfortunately, many companies pace their reassessment intervals on some arbitrary time frame instead. Many people think of security like an annual physical exam with your doctor: a necessary but annoying interruption that you do as infrequently as possible, and hope it doesn’t bring bad news. Instead, think of security assessments like nutrition: something you consider constantly. You shouldn’t evaluate your sugar intake once a year; you should evaluate it regularly. When you implement an appropriate assessment cadence rather than one that’s too long, you’ll find that it is more effective, and less expensive, too. Analyzing several years worth of our own security assessment data shows that the best cadence is every three to six months. This is long enough apart so that security doesn’t become cost-prohibitive, but frequent enough that you can quickly eradicate security flaws before they remain exploitable for too long.
Less expensive, more effective results
The benefit of finding the right assessment cadence is twofold: not only are frequent assessments more effective at preventing attacks, but in the long run, they’re also less expensive, too. When you perform assessments more frequently, you identify and remediate security vulnerabilities more quickly. You reduce opportunities for exploitation, accelerate knowledge transfer from your security experts to your developers and get more opportunities to learn from mistakes. Your developers improve faster and introduce fewer vulnerabilities. In short, more frequent assessments deliver better security faster. Security done at the right intervals is less expensive, too. This is because regular security creates efficiencies that accumulate massive savings over time. Your initial assessment is always going to be the most involved effort and thus the most expensive. By contrast, reassessments cost roughly 60% less (if done on the appropriate cadence). If you approach reassessments too infrequently, you’re essentially getting an initial assessment every time. But if you hit the right intervals, you get a streamlined effort, which costs substantially less. (For deeper analysis including real world numbers, see chapter 6 of “Hackable: How to Do Application Security Right”.)
Choose the right cadence for your company
Security is a lifetime investment; you’ll always be working on it. It will not end. So my advice to you is to invest in the initial assessment just once (and only once!), and don’t look back. Avoid the trap of waiting too long, which will result in you paying that higher price every time. Some companies might need more frequent assessments, some less, but again, the right cadence for most companies falls between three to six months. Anything longer than that, and you risk periods of prolonged vulnerability, which also makes it harder and more expensive to deal with later. If you are like most people in technology, you hate waste. You hate inefficiency. When you wait too long, you backslide on efficiency, thereby bringing your costs back up again. Stay on the right cadence, and you avoid that waste and get better results for less money.