Security as Standard
Stuart Gunter, Equal Experts Alumnus

Our Thinking, Mon 27th November, 2017

Introducing Security as Standard

Software engineering is a core part of what we do at Equal Experts. We’re focused on delivering the best product to our customers – and demonstrating it through sound engineering practices.

We value verification over wishful thinking, and demonstrate this through various techniques – giving confidence that we’re building the right product, in the right way. We are transparent with our clients by delivering well-tested software that verifiably does what it should. While that predominantly covers features, we believe our clients deserve the same level of transparency when it comes to security.

With that in mind, we’re introducing a new seal of quality on all new engagements – Security as Standard. Under this offer, we ensure all our work meets a defined minimum level of security, based on recognised industry standards. And should we ever fail to achieve this standard, we will rectify the issue at no additional cost.

Of course, we’ve always sought to ensure high levels of security via sound technical discipline, and our clients don’t tend to find themselves needing this offering. But Security as Standard does offer significant value to our clients. Not only can you feel confident in the quality of any software we deliver, but you are also able to demonstrate accountability. You may even find it reduces your premiums for cyber insurance (though this is one thing we can’t guarantee!).

How it works

We’ve decided to adopt the OWASP Application Security Verification Standard (ASVS) as the benchmark for our security efforts. There are a number of reasons for this:

  1. OWASP is a non-profit, vendor-neutral, open community organisation dedicated to improving application security. We value diverse community opinions that are not influenced by commercial interests or biased towards particular products, and OWASP provides this.
  2. The ASVS is an industry standard in widespread use, with an active community behind it. It also maps well to other popular projects/standards such as the OWASP Top 10 and PCI DSS.
  3. Level 1 is considered the minimum level of security for all applications, which makes it suitable as the entry-level security baseline for all our engagements.

Why offer a minimum level of security?

Well, for a start, we don’t want to risk ‘over-securing’ applications that don’t need it (otherwise known as ‘gold-plating’). It’s a waste of time and (your) money. Secondly, and perhaps more importantly, we want to help organisations grow their own security capabilities over time. We believe using the ASVS levels to start this journey and drive security maturity is a good way to change the way we collectively think about and deliver secure software.

In other words, it’s the beginning of the conversation around security, not the end goal.

Security as a Conversation Starter

One of the key benefits of ‘Security as Standard’ is in the way it aids our conversations with clients. By using the ASVS as a talking point, we’re immediately in a position to have more meaningful conversations about software security.

We can clearly identify the security requirements we’re covering as standard, allowing us to highlight those areas that may need additional focus. The intention is not to stop at Level 1 (or to use it as a tick-box exercise), but to work collaboratively to identify the most appropriate security level for each application and work towards that shared goal. Together with this and other industry resources, we can help clients identify how they compare with similar organisations, and where they should be investing in security based on their own specific needs.

Every situation is different

Some organisations know they aren’t doing enough on security, but because they don’t know what that means in practice, they don’t know where to start to improve matters.

Others believe they’re already doing enough and building secure software, but don’t have the evidence to support their position.

In both cases, adopting a baseline standard helps to define practical steps towards achieving the goals of the organisation, and provides a means of measuring progress against that goal.

When organisations better understand security risks and their own current position, they are better placed to make informed, risk-based decisions on future work. We’re pleased to introduce Security as Standard to help our clients avoid the knee-jerk reactions that are commonly seen in response to headline news – and instead focus on meaningful, measurable security improvements.