Top 10 Ways To Win Budget For Application Security
Speaker: Chris Harget
Winning Budget
1. Where To Look
2. Who To Ask
3. Talking Their Language
4. Useful Proof Points
Cenzic, Inc. - Confidential, All Rights Reserved.
Survey:
Who is the hardest person to persuade to approve Application Security budget?
A) IT Director
B) CISO/CIO
C) CFO
D) Procurement
E) Other
There Are Lots of People Like You …Looking For Budget
“69% of 12,000+ IT professionals surveyed believed that in 2013 Application Vulnerabilities are the number one security issue.”
- The 2013 (ISC)2 Global Information Security Workforce Study, https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf
Three Generic Budget Tactics
Justify more IT spend
Reallocate existing IT spend
Stretch existing App Sec spend
Application Development Team’s Crucial Role
“Secure software development is where the largest gap between risk and response attention by the information security profession exists.”
- The 2013 (ISC)2 Global Information Security Workforce Study, https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf
#10: Get Developers to Kick In Budget
Your organization probably has 5-20x more Developers than Security Analysts – their budget is probably bigger too
App vulnerabilities can mostly be addressed by flawless coding
Developers might kick in budget for Licenses, Training, Security Posture Assessments
Bonus Tip: Browser-client power-user licenses cost about half as much as desktop software licenses, and do almost as much
SQL Injection… …Can Take Down Your Data/Site
http://xkcd.com/327/
http://en.wikipedia.org/wiki/SQL_injection
App Vulnerabilities Threaten Uptime
SQL injection can take down the database (drop tables, remove users, dump the DB)
XSS can take down the app (injected JavaScript that could hit the web server hundreds of times for each user and spread like a virus) – e.g., at Myspace an XSS worm kept adding friends until the system went down: https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf
Buffer Overflow can take down the app, and can give the hacker shell access
Session hijacking can take over a user's session (and if it was an admin's session, the hacker could literally turn functionality off or shut down parts of the system, e.g., WordPress)
Production Team is measured by Uptime
#9: Get Production To Kick In Budget
For every app in Dev/QA, there are ~10 in Production.
– New vulnerabilities are discovered daily
– Apps can become more vulnerable after release
App vulnerabilities can result in downtime.
App testing/monitoring helps Production to ensure uptime
Production should continuously monitor apps and schedule them for patching, just as they do for OS, DB and Servers
#8: Shift Spend From Low to High-Risk Areas
Network Security is a mature space
– We’ve had firewalls, etc. for decades
Attackers are shifting to softer targets
Amount/value of data accessible via the Application layer has exploded
To get the most risk mitigation bang for your buck… …your organization should rebalance spend to correlate to actual risk
75% of all attacks on information security are directed at the Web Application layer
>2/3 of all Web Applications are vulnerable
The Risk vs Investment Imbalance (chart):
– Network/Server: ~90% of the security budget, but ~25% of attacks
– Web Application: ~10% of the security budget, but ~75% of attacks (Web Layer)
#7: Plant a Seed Far in Advance
Budget cycles are sometimes long and rigid
Easiest method is to put in a placeholder for a comprehensive app security solution
Plan B: at least get the most important apps covered, and request supplemental funds in a later cycle
#6: Quantify The Risks
Assign Value to:
Data exposed by apps
Uptime for web sites
Brand/trust
Useful Risk Calculator (gives $ range score)
https://www.web-app-security-risk-calculator.com/
Sample Risk Costs
PR Bill for Breach ~$900,000
Cost Per Record Stolen $294
– Usually, thousands or millions of records stolen
– Sony spent >$1 Billion
Intellectual Property Loss
– Depends on IP future value to you
Intellectual Property Loss
Cyber espionage has been pointed to as part of how the Chinese J-20 fighter jet is catching up to the US F-22
= $Billions in potential IP theft
#5: Show Comparative ROI
1. Get low-med-high $ risk range
2. Get a rough quote for protection
3. Apply the standard ROI formula
4. Get 3 numbers for the ROI range
%ROI = (Gain – Cost) / Cost
Risk range (low, medium, high): $700K, $1.2M, $3.6M
Cost of protection: ~$100K
Example (low case): ($700K – $100K) / $100K = 600%
ROI range: 600%, 1,100%, 3,500%
Consider Opportunity Costs
Your project’s likely benefits vs. anticipated benefits from competing projects
Implications:
– Relative ROI matters
– Relative worst-case-scenario-of-doing-nothing matters
– Benefits to WHO matters
#4: Make It Simple For Non-Technical People
To be useful, Web apps have the ability to interpret programming commands… which hackers exploit to steal data and deface or crash web sites
If an application allows this, it is called a “vulnerability”
>5,000 kinds of vulnerabilities have been discovered
To find and patch vulnerabilities we need Dynamic Application Security Testing solutions
Even More Simply…
Hackers use hidden Application commands to steal data and damage web sites. Scanning tools help efficiently find and patch these vulnerabilities.
Problem: CFOs Don’t Speak “Securitese”
CFOs speak cost-benefit, comparative value
– CFOs are numbers people… Most security issues are nebulous, not quantified. No numbers, no ROI.
Solution: Use financial lingo
– “Risk Management”
– “We have a Fiduciary responsibility to shareholders to take reasonable data protection measures”
– “Mitigating risk”
#3: Talk In CFO Terms
~75% of attacks now target the Web Application layer
– Per Gartner Group
$4.6 million damages on average from major attacks
– Per Ponemon Institute
Application Security Testing typically costs less than 1/10th the cost of a major attack & reduces risk by an order of magnitude
Application Security expenditures offer high marginal risk mitigation per dollar invested
This is a risk management policy, like insurance
#2: Compliance
Applies if you handle…
Credit cards – PCI
Medical Records – HIPAA
Financial Info – FISMA, GLBA, SOX, SB1386, FTC 16 CFR 314, REG SP, PIPEDA (Canada)
Social Security numbers – SB1386
Security – NIST, OWASP 2010
#1: Convince Them This Solution Will Do The Job
Nobody is comfortable making an uncertain purchase
They need assurance you’ve done your due diligence
There is an outline that helps
CIO Needs To Hear…
Problem to be solved
Significance
Why proposed option is best
Assurance we can execute
Potential issues and how we’ll overcome
Expected outcome & metrics
CIO Pitch Example
Research shows >90% of Web Applications are vulnerable to exploits…
…which can result in millions of dollars of data loss, downtime, revenue hits and brand damage.
Application Scanning tools will let us find and fix vulnerabilities (in Development and Production) before the bad guys do, and manage risk.
Cenzic is a leading enterprise solution, a focused partner, & good value.
If the threat or need changes, Cenzic’s breadth and services offerings keep us covered.
Success Metric: Vulnerabilities will be identified, ranked, and methodically reduced, such that we drive down net HARM™ scores (App risk scores)
Top 10 Ways to Win App Security Budget
10. Get Developers to kick in
9. Get Production to kick in
8. Shift from low-risk to high-risk areas (e.g. from Network Security to App Security)
7. Plant a seed well in advance
6. Quantify the risks
5. Show comparative ROI
4. Make it simple for non-technical people
3. Talk in CFO terms
2. Compliance
1. Convince them this solution will do the job