My "Infrastructure vs. Application Security Spending" post must have struck a nerve. I've received a number of comments and emails where it's clear many are grappling with the same organizational budgeting challenges. Sharing these individual experiences helps us raise awareness and gain new perspective on things that might work to our advantage. I sought permission to share the content of one such insightful email from a Director of Product Security for a large publicly-traded company.
"Good post. It's something I've been preaching at *redacted* since day one. Our business relies on protecting our customers' data. Why spend significantly more money on protecting our internal networks than on our product? I've won that battle, but given our security team started from network IT Security guys, that's where the money was spent.
A couple of things I thought I'd pass along which you didn't mention, but I'm sure you've thought about:
1. Service providers are going to spend money where their customers want them to. If their customers' security teams are all network guys, then the service provider is catering its "security budget" to those guys. It still befuddles me in this day and age that we get predominantly more nCircle/Qualys/Nessus scans than we do application assessments from our customers. It shows in the compliance arena too…if the people auditing your company have been baptized by compliance, then the service provider will cater to that. Unfortunately there are way more auditors who look at compliance and network security than at application-level security.
2. I think the comparison of network/host security vs. application security shouldn't equate (right now). Because of the maturity of the market, there are fewer tools that are practical to rely on. As such, the curve should focus more on people (training, processes, and security staff) than on tools. I'm not saying the tools can't/don't do a good job, I'm just saying that right now they're not sufficient and in general more staffing resources need to be involved. To use an internal example, the fact that all R&D staff at *redacted* go through security training, perform security work every sprint, use secure frameworks, tools, etc., isn't captured by the numbers…and frankly is more valuable than us spending another 100K on a few more licenses of AppScan or WebInspect.
I think it would be really interesting to compare the costs of some of these products vs. the benefit they provide. I just find it terribly funny that a Burp license costs ~$200, while running a product like DB Monitoring would cost hundreds of thousands or even millions of dollars in a large data center. That said, customers ask for things like DB Monitoring - because, you know, the five DBAs are more likely to steal their data than the thousands of malicious hackers out there ;-)
I'm not old enough to know…but, I bet the network security guys cracked on how the physical security guys got all the budget way back when. Evolution…"
If you have a story to share, please do!