Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

Preventing broken trust

Managed services can help fill a critical role in application security

Trust is the ultimate business enabler

Maintaining stakeholder trust is akin to protecting a fragile vase. Cracks, even if aesthetically repaired, can compromise the integrity of its structure.

The same principle applies to application security. Failing at a critical moment—like ensuring data security or complying with essential regulations—can erode the trust and reputation a company has worked hard to earn.

After all, when it comes to bold business transformation, trust is the ultimate business enabler. When you win the trust of customers, regulators and other stakeholders, it gives you the permission to advance the business with confidence—whether it’s launching new mobile apps, cloud platforms or other technologies.  

The key is to harden the environment for resilience. Consider these approaches:

1. Reduction of the application attack surface

To prevent vulnerabilities, it’s important to have a process for attack surface management, including asset discovery, the decommissioning of redundant assets, and the centralization of functionalities. An effective process requires the involvement of application teams, systems teams, security champions and others who are responsible for the assets.

For example, to reduce the attack surface on a customer-facing application programming interface (API), your enumeration and discovery process might identify API endpoints that application teams are not aware of and could be exposed to attack. From there, you can work with the asset owner to determine which endpoints should be public-facing and which should be decommissioned.

You can also determine which functionalities are redundant and can be consolidated. Fewer APIs and endpoints mean fewer public-facing assets to protect.


2. Proactive security testing

Another key prevention strategy is the integration of security in development pipelines and processes. That should include not only tooling but also training, enabling development teams and systems teams to keep their assets current with enterprise security standards and best practices.

In addition, these teams should actively partner with security to identify sensitive assets that should be tested at a more regular cadence and with a greater level of scrutiny.

For an example of integrated security in a DevOps pipeline, envision a robust e-commerce application. Security should be a part of each stage of the development lifecycle:

  • Before the app is in a running state, the code base should receive static application security testing (SAST), with results imported into a centralized vulnerability management system. This centralization can prevent the kinds of issues often identified in asset discovery.
  • Once it reaches a running state, the app should receive dynamic application security testing (DAST).
  • As it nears a production release, it should receive more comprehensive manual penetration testing, which validates that the business logic is sound and free of glaring weaknesses.
  • Finally, once the application is mature, with a regular release cadence, the development pipeline can leverage the integrated DAST, SAST, and vulnerability management systems to block code pushes that have severe vulnerabilities.


3. Collaboration for resilience

With similar methods, progressive security organizations are earning and maintaining stakeholder trust. And as part of their approach, many are enlisting managed services providers with domain experience.

No matter how hard you work to fortify your vase, there will always be bad actors looking to shatter it, and they continue to grow in number and sophistication. The security teams that succeed will form a united front—collaborating with system owners, application owners, business owners and external providers—to defend stakeholder trust.

How KPMG can help

KPMG offers end-to-end security testing as an outcome-based managed service, helping you consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With managed services, we help you continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust. Learn more.

Meet our team

Image of Evan Rowell
Evan Rowell
Specialist Director, Market Development , Advisory, KPMG US

Subscribe to Going Beyond: Managed Services

See our latest thinking on how managed services can help you drive transformation at the speed of business.

Explore other services tailored to your business

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.