Should You Outsource Product Security Maturity Modeling to a Third Party?
On a recent episode of the Future of Application Security, FullStory’s VP of Product Security and Compliance, Mark Stanislav, shared his views. Here’s what Mark advised AppSec and ProdSec teams to do:
“It’s a struggle that I have, I think, because I did do program assessments when I worked at Rapid7. You know, I can [play] devil’s advocate. I can say that as an objective party that had no stake in the game, no politics, no salary, I could ask any question I wanted and really dive deep and aggressively towards a conclusion. And I think for many of my clients it was a great experience and derived a lot of value for them. Simultaneously, doing this maturity assessment myself, one, it really establishes me as the leader of the program. Like, if I’m the person asking the questions, people learn my name, they learn what I’m interested in, what I’m concerned about. And when you start building those relationships at a new company, often people are really excited to help and partner and do what they need to do to enable you to be successful. But we’re not great, especially in security, at knowing how to ask for what we want in the right way. And so when you use a maturity model, it’s almost like the maturity model is the objective third party and I’m just the passive participant who is asking people questions that could, in other cases, be kind of pointed or maybe come off as, “Well, is he judging me?” But when it’s this maturity model that I didn’t create, it’s just, “I’m just going to build this out and the answers are the answers.” So it defuses the tension of a new employee at a new company, and lets people give honest feedback. And then, when I do that assessment once, I think the other gap here is that when I use a maturity model I actually score it every quarter. This isn’t once a year, this isn’t once every three years, this is every quarter. And we can get into some other details on why quarterly makes sense, but from that perspective I also don’t want to bring in a third-party firm every quarter. That creates a whole other set of problems for me to manage through, and cost is also a reasonable consideration there.
So I think there are a lot of pros and a couple of cons, but overall, for a leader in a security program, I think it’s a great investment to do it yourself.”
Check out Mark’s full episode here: How FullStory Measures & Improves Product Security