I was having a chat with our CFO by the Keurig machine and he said something I thought was interesting – that one of the things the CFOs of public companies worry about the most is surprises. Surprise, you woke up today and found that 10% of the value of your company is gone because confidential customer information was made public. Surprise, the FTC is knocking on your door asking for a forensic security audit. Surprise, your largest investors are calling about the scope of the breach and what it will cost the company. Surprises like those drive the financial arm of public companies to perform unnatural acts to recover the value of the company. Avoiding those unnatural acts makes risk management a top-of-mind issue for most CFOs in public companies. That conversation got me thinking about how a CFO might look at Veracode’s State of Software Security (SOSS) reports – especially the latest supplement that focuses on public companies. It seems to me that SOSS gives CFOs some raw data to start understanding the bets the company is making with its application development and application sourcing processes.
For example, 84% of web applications from public companies were found to contain vulnerabilities listed in the OWASP Top 10. While our report looks at the prevalence of a wide variety of flaws, this statistic is telling because it focuses on the most easily and frequently exploited web application vulnerabilities – the ones with flashing neon signs saying “WELCOME HACKERS, ENTER HERE.” It means that if a typical web application is deployed without going through some sort of security quality check and mitigation step, the probability of a surprise for the CFO goes up. Our analysis further showed that public company revenue has no bearing on application security performance against industry standards, which indicates that improvements are needed at companies of all sizes. In other words, public companies of every size are betting that there will be no CFO surprises once their applications are live. Given what we are seeing in the public company SOSS data, those bets are long shots that would give any CFO ulcers. So one of the things we are working on with our business consulting partners is A Financial Model for Application Security Debt, which we hope will eventually help CFOs get a better handle on modeling the monetary risk of their software vulnerabilities.