In an earlier blog, we described how Tech Mahindra had expanded its performance engineering testing to embrace the Internet of Things (IoT), and here we take a look at how the company is handling another area of non-functional testing: software security testing.

Tech Mahindra provides security services through its Cyber Security practice, a horizontal line of business. The practice has a headcount of 650 personnel, has 85 active clients, and has several service offerings/sub-practices:

• Consulting and GRC
• Identity and Access Management
• Security Operations and Monitoring (through security operations centers in Pune and Delhi)
• Application Security.

Most contracts are small (up to $10m), with clients mostly in the U.S. and U.K., across sectors. Tech Mahindra has a larger client base larger in telecoms, a reflection of the company’s background in communication service provision, and it is expanding to BFSI and manufacturing.

Application Security is a significant activity for the Cyber Security practice, accounting for 25% of revenues, and with a headcount of ~120. The Application Security sub-practice is responsible for:

• Addressing attacks that target security gaps in applications
• Creating transactions to check data, access and privilege-based security issues
• Addressing non-compliance to regulatory and security standards.

Application Security has several activities across the software development lifecycle, including dynamic application security testing (DSAT), ethical hacking, static application security testing (SAST), and security design review. Of these, ethical hacking (e.g. manual and automated penetration testing) remains one of the services most in demand, along with related project-based activities (including code reviews, threat modeling, and application design review), plus training and ‘shift-left’ consulting.

Penetration testing is in demand as an effective way of security testing, and also for compliance reasons; e.g. as part of quarterly audits, or by data center operations for certification purposes. Most of the applications tested are web-based applications, web sites and mobile apps.

One of the challenges face by the Application Security sub-practice is expanding project-based testing into multi-year contracts, with TCV currently up to $10m over five years. The sub-practice argues that, contrary to functional testing activities, it does not provide a pass/fail service; rather, it continuously looks for vulnerabilities, not knowing where the next attack will come from, including finding vulnerabilities in previously tested code. For this reason, Tech Mahindra has created its Application Security Bureau offering for multi-year contracts, where delivery of application security is provided by Tech Mahindra, but with governance remaining in the hands of the client organization.

In spite of this, client demand remains very much project-based, largely constrained by budget availability. As a result, Application Security has expanded its service offerings and pricing model to accommodate clients with limited budgets. These offerings are:

• Security Test Factory (where the client buys services from a service catalog, and where teams are provided on a flexi model)
• Security Liaison (where one of Tech Mahindra’s consultants acts as the interface between the businesses and IT, to drive understanding and coordination among stakeholders).

Security Test Factory is a very successful offering and captures 80% of spending among Application Security’s multi-year contracts.

Tech Mahindra’s Application Security sub-practice remains optimistic about the potential for multi-year contracts, with security having become a top priority for client organizations. Lack of skills are another driver, as well as lack of knowledge of the relevant hacking software tools. Application Security points out that clients tend to use traditional enterprise software products for ethical hacking. Yet Application Security’s research shows that attacks are carried out by hackers using software found on Darknet, or open source software, and require skills that most clients do not have internally.

What is the future like for Tech Mahindra’s Application Security? Digital is obviously on the agenda. The sub-practice has launched two digital flavors of its Security Test Factory: DevOps and IoT. With short development lifecycles, DevOps requires further investment in security testing automation and industrialization. Meanwhile, IoT mostly requires security assessments at the user interface level for connected devices, and remotely for sensors.

By Mike Smart and Dominique Raviart