December 19, 2016

What's the Worst That Can Happen? The Cost of a "Do Nothing" AppSec Plan

Do you think you don’t need application security? Maybe you think application security is too complex, or too expensive. Maybe you think, “We haven’t been breached yet, so what are the chances? And even if someone tries, we have a WAF.”

It might seem more cost-effective to simply “do nothing” rather than invest in application security. But you should be aware that there is indeed a cost associated with “doing nothing” when it comes to application security.

Chance of a breach is high …

You do have a good chance of suffering a breach through the app layer – no matter your size or industry.

Verizon recently studied 2,260 confirmed data breaches across 82 countries and found that 40 percent resulted directly from web app attacks, by far the largest category. In addition, according to Akamai’s Q3 2015 State of the Internet Security Report, attacks at the application layer are growing by more than 25 percent annually.

… so is the cost

A recent blog post on observed that “the average consolidated total cost of a data breach is $3.8 million. With each lost or stolen record costing an average of $174, even 500 compromised payment records can exceed $75,000 in liability for a breached merchant.”

And that’s a conservative number considering that breach-related costs include:  

  • Lost revenue: This might result from stolen corporate data, lowered sales volumes (if consumers get scared) or falling stock prices.
  • Money spent on investigation and cleanup
  • Cost of downtime: A recent Information Age article estimated that every hour of downtime costs businesses $100,000. In addition, time spent fixing a breach means time diverted away from development and innovation.
  • Brand damage: A recent Deloitte study found that security is the second leading risk to a company's brand, behind ethical issues and ahead of risks related to safety, health and the environment.

A breach is not the only cost

Many regulators, in many different industries, now require that some application security controls be put in place. And with the increase in breaches through the app layer, they’re paying closer attention to application security controls.

Regulations that now require application security controls include:

  • NIST
  • MAS

What’s the cost of failing to comply? Here are two examples:

Network security not protecting your app layer

You might think you are “doing something” to protect your app layer if you’re relying on network security solutions, but, in fact, you are “doing nothing.” Protecting the network layer is not the same as protecting the application layer, and network solutions do not protect your organization against application-layer attacks.

But most organizations continue to focus their budgets on blocking attacks at the network/infrastructure layer, while neglecting today’s real threats. Cyberattackers know this and are taking advantage of the insecure app layer.

A web application firewall is not an adequate application security solution either. Firewalls were designed to handle network events, such as finding and blocking botnets and remote access exploits. Some can address application-level events, but not as well as application-layer solutions, and only with significant effort to configure and monitor them. Ultimately, they don’t fix application-layer vulnerabilities; they simply mitigate them.

Effective application security requires an application security program that involves multiple technologies designed specifically to assess the security of the application layer, and addresses the security of applications from development through to production.

“Doing nothing” is not a cost saver

Neglecting to address application security will not save you money. In fact, it will cost you, most likely a significant amount, in the future. Applications play a pivotal role in today’s digital world, and need a correspondingly pivotal place in your security plan.

How do you get started? Find out from someone who's been there in our new guide, From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions. 
