Penny Wise, Pound Foolish: Avoiding Security Spend Pitfalls

Tuesday, February 07, 2012

Fergal Glynn


Article by Zack Cronin

A Conversation with Wendy Nather

If your organization had an unlimited budget to spend on your enterprise security program, in what areas would you focus investments? Application security? Mobile strategy? Web Application Firewalls?

Wendy Nather from the 451 Group and Veracode’s CTO Chris Wysopal presented the latest research on enterprise security spend, and discussed how to “make the case” for security initiatives in a recent webinar.

This popular webinar also generated a large number of questions from attendees, and the highlights of the Q&A session are posted below. You can access a full recording of the webinar here.

For those of you who missed the webinar but still have questions or comments, we’d love to keep the conversation going; please leave your remarks!

Q: How would you recommend that security professionals engage the development community about security testing?

Wendy Nather: I’ve always been a fan of bribery myself, “constructive bribery”, pretty much anything that works. Make no mistake: what you’re talking about here is really a form of social engineering… it really helps if you sit down with the developers and show them that you have the same goals as they do, and show them that you can possibly be of help to them in achieving their goals.

If you do this they’re going to be a lot more receptive to any changes you’re going to ask them to make. Doing anything casually rather than bringing it down as an edict, starting slowly, getting to know them and their issues and applications, goes a long way as far as building a good foundation for working together.

Q: If WAFs (Web Application Firewalls) are as problematic as you say, why is this one of the fastest growing Application Security technologies? It seems like a WAF is a no-brainer to put up until you fix the underlying problem, isn’t it better than just being exposed?

Wendy Nather: You are absolutely right – it does seem like a no-brainer, and at least in our marketplace it is the fastest growing segment, partially because it is so straightforward. It is a lot easier to buy technology than it is to go in and fix legacy code.

The problem is not that you buy the web application firewall and you slot it into your network and try and figure out how to pipe all your traffic through it; the problem comes when you start changing it. It’s not binary, turning it on or off… there’s a lot of interpretation in the application and specific tuning that needs to be done, and it’s there that we see a lot of enterprises dropping off the effort.

Q: What approach do I take if the majority of my applications are outsourced and I work for a global company?

Wendy Nather: That’s always been a big problem… people are realizing that software security applies across the board. One thing you can do is make good friends with your procurement team and if you don’t already have security language in your contracts with your third party providers, it’s time to try and get some.

I have actually managed to get into contracts stating that the vendor would take care of any discovered security problems at their own expense, regardless of when the problem was found for the life of the contract. You’ll be surprised at how many vendors don’t read the contract before they sign it and that sort of thing!

At least going forward you can start to put more weight legally to enforce these. With things you already have in place you can threaten to go to the competition because they are more secure. There is a lot of unseen power in the hands of consumers, and if they put that together the market will generate a lot more than there might have been.

Q: Per the title of the talk, how do you monetize the concepts you’ve been presenting?

Wendy Nather: How to monetize the concepts – I have to go back and agree with you, Chris – groups like Denim Group have actually been doing this together with other companies… the problem is that until you know the extent of what you are actually dealing with, you don’t know what the expenses are going to be.

You may want to start budgeting for one or two full out re-writes, and if you’re lucky they don’t have to be rewritten and you can use that budget to address some of the more common problems across the board.

But knowing how much money you’re going to be spending upfront is a challenge until you have the application inventory, until you know what your risk tolerances are, and until you have a fair idea of what the problems are. You’ll have to start slow and realize the number may grow to a certain extent before you really know what you are doing.

Q: You mentioned a disparity between what is getting attacked – for example, applications – and where the money is being spent, like on networks. Why do you think that is and what can be done to correct the imbalance?

Wendy Nather: Again, network security and OS layer security have been around for a long time, people understand it well, even IT executives and business executives have a pretty good idea of what it entails.

They say, “Can’t we just put a firewall in here?” That’s pretty well understood. But the problem is the implications of addressing application security are so customized per enterprise and for the types of application that they have, it’s just not as straightforward. So for the reasons that I explained before, there’s a perception that this is hard.

There are a lot of unknowns in it before you start, and I think that’s why it hasn’t been widely adopted. But certainly, taking baby steps as Chris described, starting just to get the lay of the land, starting to talk about it – because talk is cheap – and trying to raise awareness: there are a lot of things you can do on a small budget to start.

Cross-posted from Veracode Blog
