A CISO’s Guide To Application Security – Part 5: Justifying an Investment in AppSec

By Fergal Glynn

This post is the last in a 5-part series on Application Security, or “AppSec”.

This blog post series has examined the growing threats to software, defined the components of a sound AppSec program, described an evolutionary path to AppSec maturity, and considered a number of tools and technologies worthy of investment. Ultimately, it is the Chief Information Security Officer (CISO) or equivalent’s responsibility to mitigate the enterprise’s level of software risk as part of a comprehensive infosec strategy. In this, the final post in this series, let’s review the return on investment possible from a sound AppSec program, including ways to build a business case for further investment in this critical IT security discipline.

The CISO must secure all three fundamental access points to sensitive enterprise information: the network, the hardware… and the software that support business operations. Yet, companies spend just 0.3% of what they pay for software on ensuring that it is secure (sources: Veracode Blog referencing Datamonitor/451Group material). Most enterprises have widely adopted IT security tools such as firewalls and intrusion detection to protect their networks as well as antivirus, access control and physical security measures to secure their hardware. In a 2011 Gartner study on top security priorities, AppSec still ranked a distant fifth after a variety of network security tools. First on the list: data loss prevention.

Ultimately, it’s up to the CISO and his or her security team to implement and verify the effectiveness of security measures – that includes AppSec disciplines such as software testing, vulnerability remediation and ongoing safe coding practices. Research and assembly of a solid business case analysis will help infosec make a better case for wide adoption of AppSec processes.

There are many sobering numbers that a CISO can employ to build the business case for greater AppSec investment:

  • Costs of a Breach. The average cost of a single data breach has reached a staggering $5.5M per incident, or $194 per compromised record (source: Symantec).
  • Loss of Revenue/Reputation. The costs of insecure software include hard measures like lost sales, PR costs and customer issues – all of which figure into the “total cost of recovery”.
  • Company Valuation. Consider the recent Global Payments breach: its stock valuation immediately dropped 9-13 percent on news of the incident.
  • Cost to Fix. Software developers have long understood that the cost of fixing an application vulnerability during the development or QA phases is dwarfed by the cost of fixing the same flaw once it is in production.
  • Cost of Compliance. When asked “how is security spending justified at your company?”, most C-level IT execs rely on legal and regulatory requirements (source: PWC). The threats of non-compliance, fines and litigation are still greater motivators than the threat of data loss for most companies.

Perhaps the simplest formula for computing the risk/reward was detailed by Chris Wysopal, CTO of Veracode. His basic financial model is (likelihood of a breach) X (potential impact in dollars) = (expected total loss). Event likelihood is based on the quantity and severity of vulnerabilities present in the software portfolio plus the likelihood that one of those flaws will be discovered and exploited. In a recent survey, 90 percent of organizations reported a breach by hackers over the previous year (source: Ponemon). One can uncover flaws in the software portfolio through a variety of testing and scanning tools. The rest of the model relies on imperfect but improving industry research data which track aggregate measures of total monetary risk.
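As an added worked example (not from the post, Veracode or Chris Wysopal), the likelihood × impact model above applied to a small constructed portfolio, extended to rank applications by expected loss and to compare that loss against the cost of fixing the flaws while they are still in development. The per-flaw exploitation probabilities, the independence assumption between flaws, the application names and every dollar figure are illustrative assumptions.

```python
# Assumed annual probability that a single flaw of a given severity is
# discovered and exploited. Constructed for illustration only.
SEVERITY_WEIGHT = {"high": 0.05, "medium": 0.02, "low": 0.005}

# Assumed cost to remediate one flaw before release. Constructed figures.
DEV_FIX_COST = {"high": 5_000, "medium": 2_000, "low": 500}


def breach_likelihood(flaws):
    """Probability that at least one flaw in `flaws` ({severity: count}) is
    exploited, assuming each flaw is an independent event."""
    p_none = 1.0
    for severity, count in flaws.items():
        p_none *= (1.0 - SEVERITY_WEIGHT[severity]) ** count
    return 1.0 - p_none


def expected_loss(app):
    """The post's model: (likelihood of a breach) x (impact in dollars)."""
    return breach_likelihood(app["flaws"]) * app["impact_usd"]


def remediation_roi(app, cost_per_flaw=DEV_FIX_COST):
    """Expected loss avoided by fixing every flaw now, minus the fix cost.
    A positive value means remediation is cheaper than carrying the risk."""
    fix_cost = sum(count * cost_per_flaw[sev] for sev, count in app["flaws"].items())
    return expected_loss(app) - fix_cost


def prioritise(portfolio):
    """Application names ordered from highest to lowest expected loss."""
    return [a["name"] for a in sorted(portfolio, key=expected_loss, reverse=True)]


# Constructed sample portfolio: scan findings by severity and the assumed
# dollar impact of a breach of each application.
PORTFOLIO = [
    {"name": "payments-api", "flaws": {"high": 2, "medium": 3}, "impact_usd": 5_500_000},
    {"name": "intranet-wiki", "flaws": {"low": 10}, "impact_usd": 200_000},
    {"name": "customer-portal", "flaws": {"high": 1, "low": 4}, "impact_usd": 2_000_000},
]

if __name__ == "__main__":
    for app in sorted(PORTFOLIO, key=expected_loss, reverse=True):
        print(f"{app['name']:16} p={breach_likelihood(app['flaws']):.3f} "
              f"expected_loss=${expected_loss(app):,.0f} "
              f"roi_of_fixing=${remediation_roi(app):,.0f}")
```

The ranking is what feeds the “start small and scale” approach discussed later: fund remediation where the expected loss avoided most exceeds the cost to fix.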

As a sustained, systemic undertaking, an AppSec program is a cross-functional effort between the cybersecurity, risk management and application development teams. This reality makes funding decisions more complicated. Software methodologies and technologies are rarely standardized – even across an organization’s internal development teams – leading to competing agendas. However, new ROI models for AppSec are emerging. For example, a survey of outsourced application suppliers reveals a mix of licensing options that includes per-scan, per-application, per-flaw-category, per-developer and time-based pricing.

The key to positive ROI is to start small and scale over time. As we concluded when examining an AppSec Center of Excellence, any organization can get started with a basic software testing regimen and expand with success from a single application to multiple projects. Creating a successful deployment plan requires scoping all intended activities and associated hard and soft costs before rolling out a chosen tool, including all staffing considerations. Your organization must create its own recipe for the AppSec mix based upon your unique business requirements. On-premise install vs. in a cloud service? Licensed per-developer seat, per application, or enterprise-wide? Implemented by employees or expert consultants? Only your organization can answer these questions for itself.

The Case for Application Security: Conclusion

Ongoing and well-funded investment in network- and hardware-based security solutions has proven effective in protecting the hardware and network layers. However, these defenses are ineffective against hacks and attacks that exploit flaws within an organization’s software itself. Many enterprises still lack adequate investment in the protection of their critical software, the “front door” to their business. As a result, applications remain the most vulnerable entry point for malicious actors targeting sensitive or confidential data. CISOs must prioritize their investments in IT personnel, processes or technologies in alignment with the reality of today’s considerable threats to the enterprise. It’s time for increased investment in Application Security to protect the software that runs your business.

Learn more: Veracode blog: Application Security Debt and Application Interest Rates