Application Security Testing Proof of Concepts

any tenured AppSec people here?

in two large PoCs where I'm hearing two different but equally difficult demands from my DM/champion (yes the PoCs are a must, they happen 99% of the time for appsec testing solutions):
- I want you to test an in-house vulnerable app we built to see what your platform finds (nightmare zone)
- I want you to configure 1 billion workflows with your automated solution for the PoC and show us proof (impossible, takes 1000 hours, will break)

any ideas? we already have a few, but curious what outsiders have to say. I'll send you a cookie in the mail if you help.
Cybersecurity
Deal Reviews
Sales Skills
3
JustGonnaSendIt
Politicker
3
Burn Towns, Get Money
I sell appsec. I have been in this situation.

2 things I would do to chisel down these requirements.

1 - Send them your list of vulnerabilities that your solution tests for. We have a website for our solution that goes into this by vuln category and language.

However, testing a known vulnerable app that exists in-house for the purpose of comparing solutions is totally normal for this space.

2 - Constrain the workflows to a few key high-value workflows. This will both accelerate the POC and cover 80% of the value.

Net-net not everyone will be your customer. If they don't want to work with you, respect your resources, and be reasonable, just imagine how demanding of a customer they will be if they actually sign up.

1 Billion workflows sounds like it's surely exaggerated. I work in the enterprise space and at best, most of my customers have a workflow count in the 1000's.

If you have follow-up questions for me, it would be helpful to know who you are dealing with (role of buyer / POC lead from customer) and the deal size / customer size. I feel like you may need to get higher in the power structure to get to someone that can comprehend the ask in terms of your corporate resources and why it's nonsensical.

And no, I'm not going to use my Google Fu to try and figure out who your prospect is lol.
EOQpanic
Executive
0
Mid Market AE
Thanks for the reply. 1. I know my company is extremely touchy about sending our list of vulns/tests… but more so on the testing side. We are early stage and this is our secret sauce.
Also, I wasn't clear. This is an unknown vulnerable app. XYZ high-profile, very advanced software company built this on their own, extremely custom, to look at different manual and automated test results. Not a public app or an app that does anything at all. I responded and said hey guys, you work at XYZ and I know for a fact that you can build an app with no functionality that could hide a vulnerability against an automated solution, and we all cracked up laughing. So I gained some ground there, but we're getting back into the eval after the holidays with the expanded team and stakeholders soon and I feel as though they're going to want something along the lines of either a list or their custom PoC. I will need to figure out how to deliver them something satisfactory for that. Also a very competitive opp. 7,000-person software company, Sr. Manager of AppSec, 5-10 AppSec people, a few pen testers.
2. Yes, I exaggerated. They are looking for one workflow. But we are assessing their very complex fintech mobile app that has features that break automation. We are assessing the app during runtime. Not sure if you've dealt with dynamic mobile AppSec, but shit starts breaking with automation super easily after authentication. I brought in an exec because this is a high-profile West Coast fintech company and he talked about how we can have really high-touch, deep, configured automation, so now we're stuck in our own pile of ****. Not bringing in that exec again. Working with the VP of AppSec, a few other security engineers and a main Sr. AppSec engineer.
JustGonnaSendIt
Politicker
1
Burn Towns, Get Money
This is super helpful to understand your situation.

I think the answer is simplifying the requirements list. Talk with them honestly about how much effort and time this is going to take (which will delay their ability to implement something).

See if you can contain / rationalize the POC need into something simpler. I agree, dynamic mobile is a mess. At my company we have a similar issue with manual effort required on some detailed mobile testing.

On the vuln side... I know it SEEMS like secret sauce, but all of the big players in Appsec run with an open playbook in terms of their capabilities. Generally, vulns are all publicly disclosed when discovered (CVE XXXXX)... you should have a list of supported technologies (languages, etc...) and a list of supported types of vuln. You don't need to give the complete list of every vuln, but more the categories of vuln you scan for by language / framework.


braintank
Politicker
0
Enterprise Account Executive
Tell them no.

Or make it a paid PoC.
EOQpanic
Executive
1
Mid Market AE
I should have been more specific: we sell AppSec testing solutions. So there's always a proof of concept "app assessment" from the mid-market and up.
EOQpanic
Executive
-1
Mid Market AE
AssistantToTheRegional
Politicker
1
Enterprise Account Executive
Limit your POC to X amount of workflows.
I am not in app sec but I am in cloud sec and the POC is a must for me as well but you must limit scope creep while still proving value.
braintank
Politicker
1
Enterprise Account Executive
Same (cloud sec)
CuriousFox
WR Officer
0
🦊
Cybersecurity is definitely a market I love reading about.