Sometimes it's better to walk away

Walking away from vendor certificates

AppSec Jun 21, 2022

Vendor certificates are often seen as the highlight of an application security program. Find out why I think walking away from vendor certification can actually accelerate your application security program to new levels.


Setting the scene

You have proudly led your team to achieve the highest certification awarded by a world-leading Application Security Testing (AST) vendor.

You have smashed it!

The top tier for security testing has been achieved. You also bagged a world-first, receiving the newly set up add-on certification proving your AppSec Maturity.

The bells are ringing, and the sun is shining. You're enjoying a considerable advantage over your competitors and your name is all over the vendor's marketing materials. The world can see that you are unequivocally the best (at least in the eyes of the vendor).

Celebrate your success

Things are good, REALLY good. Why on earth would you even consider turning your back on this success story?

Have I gone insane?

Let me explain my madness based on my previous experience.

You are limited to someone else's vision.

Working to someone else's vision is fine whilst progressing, but when you reach the very top, you realise there's a bigger world to explore, and you shouldn't be held back.

When all the hard work has been completed, you will have more time to "come up for air". During that time, you will start to look at what you have achieved and how you can build upon it.

Your shiny new vendor certificate will have given you a great baseline, but is it an exact fit? To get a perfect fit, you realise you must stop doing things with no real value and focus on doing the right thing for your program and team.

This evolution won't be easy, but you foresee enormous benefits. You are venturing outside the certificate "bubble" and are starting to have big ideas. Unfortunately, these ideas for improvement may conflict with the certificate, even though they lead to better outcomes.

You are locked into specific toolsets.

The process of obtaining a vendor's certificate is usually heavily focused on using their own toolset. The use of other tools will be permitted but won't be included as part of the certification process.

This is hugely disappointing and presents a massive blocker for improvement.

Whilst generally very capable, not all the tools supplied by a single vendor are market-leading, and they can be severely lacking in some areas. They will tick a box, but it will eventually feel like they are being forced upon you.

You start to ask yourself: what if there are better options out there?

Feeling stuck

Being stuck with tooling that you know isn't the best fit for your team isn't great. You could run both in parallel, but that's very costly and inefficient.

You want to up your game. You have sought out "best of breed" tools that fit in with your shift-left mentality and enablement strategies, but you're effectively blocked from using them.

You shouldn't have to make sacrifices for the sake of the certificate; maybe it's the certificate which needs to be sacrificed?

You have no sustainable point of difference

You can't deny that security can be leveraged as a competitive advantage. If you prove that your product is more secure than your competitor, you have a clear head start.

What happens when your competitors get the same certificate?

Suddenly you realise that all the cool things you have been doing in addition to the certificate are being ignored! Even if you look at the finer detail and it's clear that you work to a much higher standard, the certificate will always dictate your performance.

Your trump card has become your Achilles heel because now, on paper, you're all the same.

Frustratingly, this can be your own doing. All efforts have likely been poured into the certificate and your partnership with a single vendor. Your security program isn't special or unique anymore; it's the output of a PR machine, and the shiny badges on your website prove it.

Time to walk away

The frustration has built up, and the evidence is overwhelmingly clear. Your vendor certificate is actually holding you back and not driving you forward anymore.

Walking away will allow you to take back ownership and forge your own path. You can work to your vision and fulfil your dream of delivering security excellence.

Pick a path

Moving away from something you have been heavily invested in can feel like a massive gamble. From a security perspective, it's the right thing to do. You know that dropping the certificate could and probably will be used against you.

This is a challenge I have successfully overcome personally.

In practice, eyebrows will be raised, but the pros outweigh the cons. In my experience, the change was very positive and well received by customers and the business.

Yes, you will lose the certificate and badges, but no one can ever take away your past achievements. Like a trophy you got from childhood, it's still in the cabinet; you have just moved on to bigger and better things.

Moving forward, everything you do can evolve around your specific team and security needs. Your program and process can be tailor-made to fit the team's work and technologies.

Streamlined processes, the adoption of flexible, accurate and engaging "best of breed" tools, and marketing opportunities with multiple vendors are just a few of the many benefits of breaking free.

The chains are off; you're free to continue reaching the top.

Should a vendor certificate be avoided?

A vendor certificate has some limitations and restrictions you need to be aware of, but it still has many positives.

It's a fantastic option for businesses that don't have an established team or want an accelerated start-up.

The great thing about vendor certificates and programs is that everything is planned out for you. Methodologies are tried and tested, people are there to provide support, and you have a wealth of experts looking at how they can improve your application security.

Without the initial baseline that certification can provide, your program's development could be slow and cumbersome. Vendor certification can provide accelerated growth and give you the time and knowledge to understand where you really need to go.

Conclusion

Vendor certificates can be fantastic for those starting out wanting an out-of-the-box security program.

It's important to understand from the off that things will never be an exact fit. Boxes will be ticked, and there will be good (enough) security coverage to get you started. They also come with great benefits. For example, you can offload some of your AppSec workloads and have backing from a big corporate PR machine to promote your efforts. There is nothing to say you can't do this yourself, but a bespoke program requires a great deal of knowledge and time, a luxury some don't have.

On the flip side, you may experience restrictions and limitations that will be problematic later. Before you get too invested, think about some of the points that have been raised. Decide what is important to you.

Ultimately each team is unique; only you can decide what direction you take.


Scott Mitchell

Experienced AppSec leader and enabler. I have progressed from being "the security guy" to creating and leading a global security program. Sharing knowledge and learning from others is my passion.