How much should an organization spend on application security? Cybersecurity experts are often willing to break budgets when it comes to protecting critical applications, arguing that prevention is worth millions in cure. Meanwhile, C-suite executives are often less convinced by this kind of proactive thinking, instead opting to spend on AppSec only when demonstrable threats are on the horizon.
So what's the magic number? Is there a perfect way to maximize investing in AppSec, or is staying safe simply a matter of personal preference?
Before deciding on optimal spend, companies must first figure out what qualifies as "application security." As noted by a recent SANS white paper, entitled "2015 State of Application Security: Closing the Gap," the OWASP Top 10 is far and away the most-used standard for measuring app security and compliance, with 65 percent of enterprises opting for the Top 10 compared to just under 20 percent using the ISO/IEC 27034 or NIST 800-53/64 standards — but why?
In large part because the OWASP guidelines are short and simple. In addition, most SAST and DAST tools report vulnerabilities in alignment with Top 10 categories. This standard is also referenced by other regulatory mandates such as PCI DSS.
Unfortunately, there's a company-wide disconnect when it comes to the perception of AppSec. When asked, 47 percent of those surveyed by SANS said their AppSec program needed improvement, whereas just under 40 percent felt their internal offering was above average. Interestingly, this number jumped by 10 percent when respondents were asked to compare their organization's IT security to another, similar firm. So, despite a lack of concrete evidence, there's a sense of "false confidence" that companies are less vulnerable than competitors.
But that's not always the case, even for big companies. Dark Reading offers an example of AppSec gone wrong in the form of Facebook Messenger. Not only did the company compel users to download a new app just to send messages, but it also mined all data from this application for analysis. Consumers were justifiably unimpressed with the intrusion, while tech experts expressed concern over the security of the new app itself. Forensics researcher Jonathan Zdziarski said the program "appears to have more spyware-type code in it than I've seen in products intended specifically for enterprise surveillance."
With varied perspectives on the effectiveness of application security, how do companies decide where investing in AppSec makes the most sense? It all starts with setting priorities. According to a recent study from the RAND Corporation, organizations must first determine the preference of safeguarding the perimeter or focusing on protecting internal network systems.
It's important to consider the threat landscape as well; many organizations now face adversaries who are very familiar with common defense techniques and who think somewhat creatively to reach vulnerable apps. Lastly, firms must consider the biggest liability when it comes to data loss or compromise: a loss of reputation, which, for many, is more impactful than the theft of intellectual property.
According to SANS, this often leaves companies in a state of confusion. Just over 34.1 percent of respondents said they didn't know how much their company was spending on AppSec, and the definition of AppSec spending varied both across enterprises and within enterprise silos. The study suggests that although there's no hard-and-fast rule for investing in AppSec, companies "should probably be spending more than they are today."
Finding the ideal number, however, demands a critical look at the enterprise IT landscape: How do tools really stack up against increasingly sophisticated malware? Which apps form the core of company priorities? And what's the biggest risk if applications are compromised? Armed with this data, it's possible to create an AppSec budget that makes solid financial sense and offers effective protection for both outsourced and in-house app development.
Want to learn more? Download the white paper and find your number.