Today I'd like to pose a very simple question that's been troubling me for a while now - Why do efforts to build and maintain software security programs keep falling off the priority table in the budgeting cycles at even the "big enough to know better" sized organizations?
It's a question I've been wrestling with for some time now and a few conversations with some very intelligent colleagues from companies you would definitely know at InfoSec World and other venues over the past 3 months have got me perplexed.
Perhaps the answer to this question comes down to corporate culture, enterprise priorities, or maybe it's something else entirely. Without pointing fingers, this post is dedicated to those who continue to struggle with software security long after we all think everyone should "get it" by now...
Addressing the problem strictly from the statistics, we know for a fact that approximately 3 out of 4 modern attacks against your enterprise or organization target your applications. Whether it's your website, the mobile app you've deployed, or your enterprise API - you're being attacked through the place where the defenses are lowest - the application. So why is it that we keep spending 3 out of 4 budgetary dollars on network security?
I've heard some of the smarter people in our industry retort with various answers, various ideas, and all sorts of fingers pointed, but there hasn't been a compelling way to resolve the situation. Perhaps we should be asking a more fundamental question - is there even anything to resolve?
Organizations spend money on network-based security because we can understand it - at least that's what I think. It's easier to understand packets coming down the wire and to put something between you and the "bad guys" to stop those bad packets from hitting you.
Firewalls, IDS/IPS, and other still-critical devices continue to garner the lion's share of our budgets while doing little to protect our applications - with the notable exception of devices that actually understand application traffic and are able to react accordingly.
Still... the proportion seems incredibly strange. Perhaps it's because we feel that if we buy one IPS we can protect a million devices on our network, whereas software security is so nebulous, so difficult and so case-by-case that it's hard to put a solid risk-reduction metric on it. I think this is closer to the real reason we fail.
Firewalls stopping packets is measurable... and as much as it makes most of us cringe (yours truly included), saying things like "our firewall stopped a million attacks last quarter" - when in reality you mean a million potentially malicious scripts, bots, scans and other attempted intrusions - is convenient and can show perceived value to the stakeholders.
I say perceived value because to those of us who really understand attacks, attack surface, and the difference between a Nessus scan and a carefully crafted exploit, that metric means less than zero - but to a senior manager looking for an ROI on the budget spend... genius. Perhaps this is what is at the heart of it all - poor metrics. Now I seem to have uncovered two problems - ones I know I'm not the first to point out...
First, we have been measuring the wrong things, as in the example above, and it's come back to bite us in the rear. We've been trying to measure that which is convenient to us and our cause, and to show the business how much they need us - often sensationalizing the truth (heck, the DOD does it!) to suit our own ends. Now those chickens have come home to roost, and we're in deep, deep trouble.
When we come back with metrics we can't easily sensationalize - for example, it's much harder to 'tweak' an ROI out of a software security assurance program than out of a network security approach, every time - we are told that what we're trying to point out is clearly of little significance compared to those massive numbers we've been showing for years on the network side... and boom.
The other thing is this perceived value problem. As I said earlier, when you can say (and prove, to some extent) that there were a million malicious packets, or "attacks", in the logs that the firewall stopped, or thousands of port scans or worm attempts that the IPS stopped... it's easy to get a cheer from the executives.
But when you say you've got to educate developers, lengthen delivery time, and otherwise spend more money to attempt to merely reduce risk on an application deployment - well ... wouldn't you laugh that one off too?
Alright, having cornered the issues, I think we need some resolution. Here it is - better measurements. We need more measurements that are closer to business value, and we need to start phasing out those silly "stopped a million attacks" metrics we've been yammering about for the last decade... they're really not helping anyone right now. So who's in?
There are groups out there that already do this - and getting away from fear-based software security is paramount - but can we push ourselves to do it rather than complain and whine for another 10 years? I sure hope so...
One note though... there will always be organizations that refuse to understand and to shift budgets to meet real-world risks. Those are the jobs you don't want to stick around for, in all likelihood, because when things fail - and they will - you'll end up the witch being burned at the stake.
For the rest of us - starting right now let's say no to bunk metrics. Business-relevant value and risk metrics aggregated into KPIs or bust!
Cross-posted from Following the White Rabbit