Tuesday, January 11, 2011

The Application Security Spending Conundrum

Recently I needed to purchase automobile insurance. To obtain a quote, the online insurer asked my age, where I lived, how much I drive and where, the year, make, and model of my cars, about my driving record, and how much coverage I wanted. Behind the scenes, they likely took these data points, applied them to some vehicle claim actuarial data, and presented me with a rate based upon MY effective overall risk score. The process made sense, the price was fair, and I ended up buying.

This got me thinking. What if instead the insurer had said, “We’ll give you the same coverage as everyone else who applied, add some protection for a new, obscure, scary-sounding road hazard, and bill you 15% over last year.” Without taking anything at all about ME into account, it would seem that there was no real risk management involved in their decision-making. As a consumer, I would reject this offer. Clearly this makes zero sense. Ridiculous as this scenario sounds, isn’t this fairly similar to the process of creating information security budgets?

Gunnar Peterson explains it best, “Security budgets are often based on a combination of last year's spending, this year's threat(s) du jour, and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s.”

I agree and I think this is precisely why we see so many organizations spending a larger percentage of their budgets protecting their networks and infrastructure, as opposed to their applications, where the largest chunk of IT dollars is invested. In Gunnar’s words, “...they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control...” Worse still, this budget misallocation persists despite real-world data revealing where the real threats are (at the application layer, Verizon’s DBIR) and in stark contrast to the infosec pros’ own stated priorities.

A survey conducted by FishNet Security of IT pros and C-level executives from 450 Fortune 1000 companies found that: “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%)." The report goes on to say, "Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks." This is pretty funny because Mobile, Social Networking, and Cloud attacks specifically bypass those firewall investments.

To resolve this spending conundrum, and begin closing the application security gap, I see two options:

1) Information security professionals must align their investments with business priorities, which is what Gunnar wisely advocates. He says, “the biggest line item in [non-security] spending should match the biggest line item in security.” In almost every enterprise, this would mean redirecting network security dollars to application security. Even if this approach makes perfect sense, there is no question budget re-allocation would meet fierce opposition. Nothing less than a paradigm shift in thinking, culture and regulatory design would allow this to come to pass. Unfortunately, I think it is nearly impossible for the masses.

2) Information security professionals would need to convince management to approve new additional budget dollars specifically for application security, without reducing other budgets. Ideally, these application security investments could be justified by tying them, directly or indirectly, to increased revenue or reduced costs. Ask yourself, how might application security investments contribute to new customer acquisition? Can the business increase its differentiation? Obviously this won’t solve the spending inefficiency conundrum, but we might be able to gain ground and close the gap using this approach. To do so we need more case studies and benchmarks to demonstrate how other organizations are investing.

Fortunately, from an industry perspective, these choices are NOT mutually exclusive. Each organization will of course have to find its own path. In a future post I'll list out ways I've seen organizations justify application security budgets. In the meantime, if you have ways that you've found successful, comment below!


securityninja said...

I think this comes back to another discussion we have had recently via Twitter (re OWASP/proving business need).

I've been successful in getting not just an equal budget for app sec but a larger staffing budget than for our Infrastructure security. This didn't come easy, this is the end product of probably two years' worth of work and proving just why this was needed. But because I sat down and thought about the business need for app sec it's now in place, it's funded properly and is a board meeting agenda.

Talking about SQL Injection to a CEO/COO is going to get you nowhere, talk to them in their language, talk to them in terms of risk, PR impact, financial impact of a breach and leave the FUD and technical jargon at the door you will soon see a change in attitude. As long as people keep trying to push app sec needs up the chain because requirement 6.5 lists the OWASP top ten (not v2.0 but the "horribleness" of the new standard when it comes to app sec is another day's discussion) they will continue to fail.

I recall a conversation recently at an OWASP meeting where people were discussing how they used CVSS scoring for their app sec vulns, they were pulling their hair out and moaning about how the business weren't doing anything about these issues. I asked them how the rest of business approached risk and of course it was the app sec guys who were not in line with the rest of the business. KISS app sec, understand yourself why the business should take it seriously and build your case based on facts and present it in a format they are comfortable with, not something that strokes your ego.

I see many people in app sec positions who genuinely have no idea how to sell this to business properly, in fact no idea about app sec full stop in some cases. Infrastructure spending is higher because it's seen as something needed to do business and to be honest it's probably considerably easier for "C" level people to understand. After all they need anti virus, a firewall etc at home so they can understand why they need that in the office/production. SQL Injections, XSS etc is alien to them and if you can't translate alien into their language you will forever be the poor stepchild of Infrastructure security.

Jeremiah Grossman said...

@securityninja this is pure fsking gold! Clearly you've done it the right way, the way that makes sense to the overall business. This process needs to be packed up and delivered everywhere possible.

Any way you could turn this "story" into a blog post / presentation ... step by step program or whatever on how you got to this point? What roadblocks you hit? How you got around them, etc. This is clearly the kind of success story I've been talking about and the kind of thing that can move the industry forward.

securityninja said...

Yeah no problem, let me just check with work tomorrow if they are happy with me putting this out there and I will be back in touch.

I'd like to do it, I'm proud of what we have achieved (and when I say we I mean security, developers, QA and the business) and we open up our SDLC and projects to an external auditor every year. Not because a compliance requirement says so but because we understand the business impact of getting this wrong, we want to know where we can improve even if it's something small it's worth paying the invoice for.

When I look back now my hardest lessons were in year one, if I were doing this in a different company I'd approach the initial "push" differently but the rest I'd not change.

somebloke said...


I think you have some fantastically valid points here. There is a massive disparity in spending on app vs infrastructure security and as pointed out by one of your correspondents, this may be as much to do with non-use of business language when referring to app security threats when speaking with senior management as anything else.

However, the cynic in me keeps coming back to the fact that you are the founder of an organisation which specialises in app security products and services and therefore you kind of have a bit of an axe to grind here potentially if you see what I mean. Let's face it - increased spending on app security products and services potentially means an increase in your revenue.

This is in no way a slight on you or your organisation and please do not take it as such, just what I feel to be a valid observation.

To put this comment into context, I received an e-mail today from Symantec which stated that an independent analysis which they sponsored found that their desktop anti-malware product was better than all the competition's. Not really very independent all of a sudden is it?

Jeremiah Grossman said...

@securityninja that last bit is all part of a good story. would be great for the summit as a take away for the attendees. doesn't matter if you have all the right technical answers, but no ability to sell it upstairs, which is the biggest problem we're facing currently.

@somebloke your observation is completely valid and I take no offense. As a vendor, I fully admit the bias. At the same time I wholeheartedly believe in the importance of application security and specifically the value brought by my company (have the data to back it up). Also, I wasn't always a vendor ya know. :)

Secondly, yes... I am jealous of the resources spent on other problem areas while the biggest one (appsec) receives little financial attention. Personally I'd prefer to have my bias questioned than my message flatly ignored. :)

Dan said...

So, this is probably immaterial to the rest of the post but...

Do you accept those numbers?

"Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks."


I accept that is what they said, but, it seems almost totally disconnected from reality.

Jarrod said...

There is no way you can "get" budget without "taking away" from some other area of IT. This is called opportunity cost (basic economics).

The key point is to be able at least sell it internally to give execs the perception that they are receiving value for their money.

Funnily enough, appsec has a lot more capability to provide metrics for providing an ROI than many other areas of security.

If you work in appsec and want to get money, you have it a lot easier than many other guys in our field. (In short, no excuses :D).


- Jarrod

Jeremiah Grossman said...

@Dan: That's a good question, for the most part "yes." Taking a top-down approach we only need to look at how much revenue the network firewall and a/v companies generate as stated in their SEC filings. Those figures absolutely dwarf spending in any other area of security.

On the attacks, those are indeed the areas (technology) they say they are most concerned about. Look at all the top ten threats for 2011, all essentially say the same thing.

Jeremiah Grossman said...

@Dan: Here's another reference from a year ago focused on the SBM space. Spending and risk concerns essentially the same from FishNet's survey.


Dan said...

Unfortunately, I suspect the risk concerns are more related to whatever "CSO" magazine tells them to think than to reality.

Looking into the actual Fishnet report; 25,000 people received the survey, 588 actually looked at it and of those 388 took the effort to complete it. So, what 1.5%? I'm not a statistician, but I'm not sure these numbers mean much.

Maybe the title should be, "Opinions of 388 random people who have time on their hands to fill out surveys" :)

So, if this is to be believed... When 70% of "Security People" get woken up in the middle of the night this year - their first thought will be, "I bet it's a guy on a cell-phone attacking our cloud from Facebook?" :)

Those 3 areas might be the things that "security people" are thinking about - since some are newer and some are gaining in popularity - they warrant some additional thought. But they are certainly not the greatest threats.

Or these interesting results are merely a reflection of the survey design. The options seemed to have been;

Social Networks
Data Center Virtualization
Wireless Infrastructure
Mobile Computing
Cloud Computing
Other (to which the responses seem, IMO, to be a lot more realistic)

I suppose we can meet back here in 12 months and see... :)

Unknown said...

The reason why "network security" or "network hacks" or "malware" is not on the list is not because they are not an issue but because we know how to protect against them and we are doing so.

Digging into the network security/ end-point security budget would be counterproductive.

Agreed that Application Security (and Data Security) have played second fiddle to network/endpoint security but that should get better as time goes on but without compromising network security which is still important.

Application Security said...

Application Security helps one in generation of security flaws & in this conundrum this has been explained nicely.