/jan 10, 2017

What’s the Worst That Can Happen? The Cost of a “Wait and See” AppSec Plan

By Suzanne Ciccone

In a previous blog post, we talked about the cost of a “do nothing” AppSec plan. In that blog post, we pointed out that ignoring application security can be a costly move. Why? Because your chance of a breach is very high, and so is the cost incurred from most breaches. In addition, you could now face regulatory fines by ignoring application security.

But a “wait and see” AppSec plan is also a costly proposition. We talk to a lot of companies that know they need to start an application security initiative and don’t want to “do nothing,” but instead opt for a “waiting” AppSec plan – waiting for more budget (we find many companies struggle to justify application security spend), waiting for increased awareness and urgency from management, waiting until a breach? But a “waiting” AppSec plan can often be just as costly as “doing nothing.”

Application security doesn’t happen overnight

Your application landscape is extensive and complex; you aren’t securing it overnight. We typically work with customers to start small and with the most critical vulnerabilities, get a quick win and expand the program over time.

In most cases, our customers secure all their most critical applications in less than two months, and are protecting additional tiers of applications within 12 months. By year two, most have a fairly mature application security program with continuous testing and remediation points.

The bottom line is that your application layer won’t be completely secure right away. If your plan is to “wait six months” – keep in mind that that translates to at least two years and six months before a mature program.

But you can lose customers overnight

If you’re selling software, and your customers and prospects aren’t asking about security, they will be soon. In fact, recent ESG research indicates that many enterprises are taking a more proactive approach to cyber supply chain security—nearly half (47 percent) of critical infrastructure organizations surveyed say that they always assess the internal cybersecurity processes and procedures of their strategic software vendors as part of their IT procurement activities, and 44 percent assess the internal cybersecurity processes and procedures of their strategic software vendors on an as-needed basis. 

Do you have customers in the financial services industry? They are under regulatory pressure to ensure their suppliers' software is secure. They will certainly be asking about security, thanks to emerging guidance and regulations like PCI 3.1, OCC Bulletin 2013-29, NIST 800-53, the Monetary Authority of Singapore's Technology Risk Management Guidelines, and others.

And if a competitor is promoting the security of its product, it quickly becomes a more appealing option to your customers and prospects.

Cyberattackers aren’t waiting

Cyberattackers know that the application layer is the final frontier. They know enterprises can’t keep up with their proliferation and are continuing to leave them insecure. That’s where they’ll be focusing their energies, and in turn, it’s where you should be focusing yours.

Consider what happened  with one healthcare organization when Heartbleed was disclosed. Although the organization was aware of the OpenSSL vulnerability, it was not able to find and update all versions of the component before hackers were able to breach it through the Heartbleed vulnerability. Cyberattackers move fast when they see an opening, and you won’t be able to keep up. Only with a proactive approach will you have a chance of thwarting them.

In the end, a “wait and see” approach will leave you vulnerable for longer than you might think, and could cost you in lost business or breach recovery. It’s a whole new digital world, and a whole new way of thinking about security is required. Where do you start? Find out from someone who's been there in our new guide, From Ad Hoc to Advanced Application Security: Your Path to a Mature AppSec Program.

Related Posts

By Suzanne Ciccone

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.