Skip to main content
September 19, 2014

Is Protecting Against SQL Injection (and Other Issues) Worth $2.6 Million?

What Is the Cost of Protecting Against SQL Injection?

It's not exactly earth-shattering news: businesses like having (and making!) money. And it's likely no surprise that many companies achieve that goal in part by handling their operational costs as efficiently as possible. Whether they're selling cheeseburgers or slinging software, close attention paid to the cost of doing business is a calling card of successful organizations.

Unfortunately, this basic need for businesses to maximize profits comes at a price. Take, for instance, software security assessments: One IDG study found that 63% of enterprise-developed apps aren't checked for common vulnerabilities like SQL injection — and that, on average, a company would need to spend an additional (and highly unrealistic, at least in most cases) $2.6 million to get their offerings up to speed.

That's a scary thought on a whole lot of levels. Even if you forget the security side of things — and you definitely shouldn't, considering the data a person could access with a simple SQL injection alone — $2.6 million is a ton of dough. Whether you're a CFO or you just report to one, that's the kind of money that gets people laughed out of offices: Sure. Let me just bust out my checkbook. Go ahead and buy yourself a pet unicorn while you're at it. You've earned it.

A Reintroduction to Agile (and Automation)

Let's shift gears for a second and talk about Agile development practices. By name alone, every set of methodologies under the Agile banner exists to make things move faster and more efficiently on the development side. No matter how you choose to interpret that, spending less time on something means spending less money on it.

A big part of these time/money savings come from eliminating so-called "baked-in" down periods from the software development life cycle. You know the story: Engineers, testing personnel, and everyone else involved in the creation of an app cost money to employ. Watching them sit and twiddle their thumbs while they wait on the newest build or resolution for the latest show-stopper, especially if you're responsible for their checks being cut, is like torture.

The solution? For many of these problems, it comes down to automation: saving costly human intervention for things computers aren't able to do whenever possible.

Why not take that same mindset and apply it to security testing?

Automate the Costs Away

The more aspects of an app's security testing you can automate, the better off you and your end users will be. That's doubly true if you're not doing much testing to begin with — that is, if your apps are among that aforementioned 63 percent.

You've probably heard about the importance of preventative security measures many times over. Here, they quite literally help from every angle. Automating app security makes end users (and their data) safer than not testing at all. Your company is a lot less likely to deal with the nightmare that is fixing security issues after the fact. And on top of all that, you save cash, since automated testing is more likely to give you a nicer ROI than that $2.6-million figure we were tossing around up top.

Of course, there's no accounting for every single security issue that hits the block. But there is a major difference between encountering some new, terrifying exploit and making sure your product is secure against known, avoidable ones. Automated security testing can help with both, but it excels at the latter. Trust us: Being compromised by something like SQL injection in this day and age is pretty much the definition of being caught with your pants down.

Outside Hardware, Expert Knowledge, Your Product

Security doesn't have to be a hassle, a drain on manpower, or (perhaps most importantly) a waste of dough. Nor does it have to beat up your existing development processes. Better yet, this stuff can be done on off-site hardware (that's what clouds are for), all of it managed by people devoted to app security. If anything, the flexibility and scalability of today's security services mean you can integrate proper testing measures without them getting in the way of your existing products' life cycles.

But it does need to be dealt with, especially on the testing end. Not having an extra $2.6 million under the mattress is one thing; failing to look at alternative options and services in the name of saving dough is another entirely. Whatever your motivations or your company's financial goals, there are countless affordable ways to take a preventative outlook these days — make sure you're looking into some of them.

Photo Source: Wikimedia Commons

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.