November 17, 2022

Last Updated on January 14, 2024

The traditional approach to cloud application development outsourcing is to hire experts to code your application and then operate and maintain it in-house. That’s generally the cheapest, most secure way to roll… Right?

To share security best practices across the cloud application lifecycle, a recent episode of The Virtual CISO Podcast features Jeff Schlauder, Founder at Catalina Worldwide LLC. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.


Think full lifecycle

Looking at costs—and security risks—from a full application lifecycle perspective plugs a different set of variables into the outsourcing equation. It takes special expertise to operate a cloud-based application securely, just as it does to build it securely. Managing cloud apps with a skills deficit can leave SMBs vulnerable.

“There’s a common misconception that just having somebody build it and then you’ll run it will somehow end up with a more secure application or less cost,” says Jeff. “And typically in our experience that just isn’t the case.”

If a vendor builds an application and hands it off as a one-time effort, they will most likely charge more for the work than if the build were one part of a longer engagement that also covers operating the application.

Counterbalancing that added cost is what Jeff calls the “paved road approach”: “If we’re going to build it and we’re going to manage it, we’re going to build it using the technologies that we’re comfortable with, [leveraging] industry best practices.”


Minimizing customizations

Jeff advocates minimizing “customizations” (deviations from the paved road) across the application lifecycle from development to full production maturity to avoid introducing risk and adding cost.

“Each customization brings risk with it,” Jeff points out. “Our approach of following our paved road can actually end up making it less expensive to build and operate the application than it would if we took a set of requirements from a customer, built it from scratch and handed it off.”

For Jeff and his team, truly understanding the client’s business goals and requirements from the outset is crucial.

“Do we want to develop the relationship where we’re part of the operationalized, fully deployed application, or not?” recaps Jeff.


Can you have too much automation?

In discussing best practices, Jeff shares that “automating everything” is not always the ideal approach. Even for global enterprise applications, placing manual gating criteria (a human approval checkpoint before a change proceeds) at the right points in the pipeline can deliver the most rigorous security and the highest service quality.

“Even in the way that we manage most of our infrastructure, we don’t automate everything,” offers Jeff. “Not that we couldn’t. But where we stop and have gating criteria allows us to really feel comfortable that moving forward is the right thing to do. Versus just pushing a button, deploying code and running with that.”
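To make the gating idea concrete, here is an added example of a deployment pipeline with one deliberate manual stop in front of production. It is illustrative and is not Catalina Worldwide’s or Pivot Point Security’s own configuration; it assumes a GitLab CI pipeline, a `make` build and a hypothetical `./deploy.sh` script that takes the target environment as its argument. Everything up to and including the staging deploy runs automatically on every pipeline; the production deploy is a manual job that blocks the pipeline until someone with access clicks it.

```yaml
# .gitlab-ci.yml (added example; assumes a 'make' build and a hypothetical ./deploy.sh)
stages:
  - build
  - test
  - deploy

build:
  stage: build
  script:
    - make build

test:
  stage: test
  script:
    - make test

# Automated all the way to staging: the "paved road" part of the pipeline.
deploy_staging:
  stage: deploy
  script:
    - ./deploy.sh staging
  environment:
    name: staging

# The gate. Without the 'rules' block below this job would run automatically
# as soon as the staging deploy succeeded ("just pushing a button, deploying
# code and running with that"). 'when: manual' makes it wait for a person;
# 'allow_failure: false' makes the pipeline show as blocked, not passed,
# until that person acts.
deploy_production:
  stage: deploy
  script:
    - ./deploy.sh production
  environment:
    name: production
  needs:
    - deploy_staging
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
      allow_failure: false
```

Two practitioner notes on this pattern. First, the gate is only as good as the check performed at it: the person approving should be looking at something specific (the staging test results, the change summary, the dependency diff), and ideally should not be the author of the change. Second, who is allowed to trigger the manual job should be restricted (in GitLab this is done with protected environments, which are configured outside this YAML file), otherwise the gate is a formality rather than a control.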

What’s next?

To hear this podcast episode with cloud app security expert Jeff Schlauder all the way through, click here.

Related: Application Security is a Team Sport. Is Your Team Winning?
