Buy vs. Build: Application Security Solutions

In the world of application security, there are numerous options in the marketplace for both buying and building. Purchasing a centralized API security solution isn’t cheap but it can be less expensive than building your own, depending on your situation. There are three primary factors that will help determine the best approach for your organization:  (i) The number of application security policies needed  (ii) The nature of your applications  (iii) Resources and timing.  In this blog post, we will look at these three critical factors in detail to help you determine which API security path is best for you.


The number of application security policies needed

This might seem obvious but the number of security policies needed is one of the easiest factors to help determine which option is best for your company. The math is pretty simple, the more applications you develop, the more security policies you will need. And, the more security policies needed, the longer it will take to code them. Configuring a security policy through a centralized API Security system takes much less time than building it from scratch. The key is to figure out the threshold where it makes more sense to buy instead of building them yourself.

It’s also important to consider your product road map. Are you planning to dramatically increase the number of applications being developed? That will likely influence your decision.

The nature and use of your applications

How many of your applications will be integrating with other applications? Are those other applications internal or external? The ease of creating integrated applications has allowed developers to quickly build rich and powerful programs but it also increases an application’s exposure to breaches and other security risks.

It’s important for organizations to look at the type of information that is at risk and what are the consequences if their application is breached. For example, a company that stores PII (Personally Identifiable Information) in their application should be much more cautious than an online forum that stores email addresses and usernames. The company that stores PII should see a lot more value in a centralized API security solution and would likely work with an outside vendor rather than building and maintaining the policies in house.

Resources & Timing

Let’s say you wanted to code your own security policies, does your development team have the necessary skill set and bandwidth? How long will it take them to define and code the API security policies? Building will probably require a project manager or product manager to lead the process. If you ask any seasoned product manager or developer, defining and building usually takes longer than originally anticipated. Hiring new team members also takes time and money – finding the right people isn’t easy! There’s an opportunity cost to be evaluated when looking at the time it takes to properly staff and build vs. working with a vendor but we will go over that in a future blog post.

Organizations also need to consider the cost of maintenance: is your organization willing to dedicate someone’s time to updating and maintaining your in-house security policies? If you saved time by hiring contractors to build the security policies, are you willing to keep them on staff to keep up with the maintenance?

With any major infrastructure decision, there are pros and cons to each side. What’s important is to look at both sides and decide what’s best for your company. These topics and criteria are some of the main items that need to be considered. If you’ve gone through this process, share in the comments what other factors should be included in the buy vs. build analysis?