More and more often, companies ask us to help them justify investment in application security to their internal line-of-business (LOB) managers and other executives. The security executives asking are savvy, understand security well, and want to protect their assets from hackers. They understand the value completely. But they need to take the case to their peers and executives to justify the budget.
One simple way of looking at it is that application vulnerabilities are like broken windows in a house secured with alarms (i.e. network firewalls, IDS, etc.). It isn't going to do much good to have all the alarms if the hackers can come in through the broken windows. So you have to fix the windows. In the case of an enterprise there are too many houses (applications) and too many windows (vulnerabilities), so you have to find them first and then figure out a way to fix them. Unfortunately analogies can only take you so far in the business world, so I have listed some more concrete justifications for application security solutions below (the easiest way to remember them is F2C2):
(1) Franchise (Brand) Protection: If you are a financial services company, an eRetailer, a high-tech company doing transactions online, a healthcare provider, a government agency, or any other organization collecting customer information, credit cards, etc. online, you simply cannot afford a breach in your application security. One hack and it will take years to win those consumers back. Consumers are already nervous about doing business online as they hear about more and more attacks happening at the application layer. One attack and that trust is gone. So are the consumers, to your competitors. How much are those consumers worth to you?
(2) Compliance: With many regulations already in place, such as the Gramm-Leach-Bliley Act (GLBA) for financial services, HIPAA for healthcare, the California regulations SB1386 and AB1950, PCI compliance, Sarbanes-Oxley (SARBOX) and others, and many more being developed, most companies are being caught off guard because they had not thought about making sure that their applications are secure. Besides the large penalties and the dealings with regulatory bodies, failing compliance can have a severe impact on the business model and on consumers. Just avoiding the penalties could be worth a lot of money.
(3) Cost of breach: Most companies don't realize the pain and agony of a breach until it happens. One significant application security breach can easily cost $500K or more in resources, tools, downtime, etc.
(4) Financial losses: Remember, gone are the days when script kiddies attacked your sites to show off their prowess. Now most hacking incidents are well organized and either financially or politically driven. By changing the prices on commodities, or by transferring money through many accounts and ultimately offshore, hackers can do major damage to your financials without you knowing it for many months and in some cases years. Do you know how much money you are losing to these hackers right now?
But what can you do about application security? There are a number of solutions and a number of approaches. Where to start:
- Production apps: Start by testing the applications that are already in production, so you can immediately begin fixing your live applications and protecting them from hackers.
- Early testing for new apps: Once you have fixed the production apps, put a process in place to test for security during the QA cycle, so there is a business control in place before apps are moved into production.
What solutions to use:
- Manual testing internally: If you have the expertise in house, you can start testing a few applications right away. This may not be the most economical option and can be very time consuming.
- Manual testing through outside resources: There are a lot of boutique and large firms providing these services, but again time and money can become an issue.
- Automated software, point vulnerability management solutions: If you have some expertise in house, this is a viable solution for many companies. You use the tools to find vulnerabilities and have your development group fix them.
- Automated software, risk management solutions: If you have more than 10 applications, this may be the more suitable option, so you can discover all your apps, run assessments across all of them, and manage the results from the web.
- Software as a service (managed service): If you have limited expertise in house, or if your resources are focused on other critical projects, this is a good option. Some software vendors provide this service: they run the assessments for you and you still get all the results in a dashboard or in reports. No hardware or software installation is required.
- Application firewall: App firewalls can be effective while you are waiting for vulnerabilities to be fixed. You have to watch out for latency and for blocking legitimate traffic. Also, app firewalls are valuable only when used in conjunction with a vulnerability management solution that tells you what to block.
Any amount of network security, whether firewalls, IDSs, VPNs, etc. or even SSL certificates, is not going to protect your applications. Hackers come in through the same forms and fields that your customers use, inside well-formed requests that the network layer has every reason to allow; SSL simply encrypts the attack along with the legitimate traffic. You have to either shut down your web sites or secure your applications.
Not doing anything is not an option. If you haven't been attacked, chances are pretty good that you will be. Or you might not even know that you have been attacked already. The question is not whether you can afford to have an application security solution in place, but whether you can afford not to.
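To make that point concrete, here is an added example of my own (it is not code from the original post or from Cenzic) using the price-tampering case mentioned under Financial losses above. A checkout form carries the price in a hidden field; a tampered order and a legitimate one are both well-formed HTTPS POSTs, so a network firewall or IDS passes both. The product catalogue, the two checkout handlers, the sample requests and the virtual-patch rule are all constructed for illustration; no real site is being described.

```python
"""Added illustration: an application-layer attack that network controls cannot see.

Everything below is hypothetical: a constructed catalogue, two checkout handlers
('before' and 'after'), two constructed HTTP requests, and an interim app-firewall
style rule of the kind a vulnerability assessment would tell you to deploy.
"""
from urllib.parse import parse_qs

# Constructed server-side catalogue (prices in cents). This is the only source of
# prices the application should ever trust.
CATALOGUE = {"SKU-100": 49900, "SKU-200": 12500}

# Two constructed requests. The only difference is the hidden 'price' field the
# attacker edited in the browser before submitting the form.
LEGIT = {"method": "POST", "port": 443, "path": "/checkout",
         "body": "sku=SKU-100&qty=1&price=49900"}
TAMPERED = {"method": "POST", "port": 443, "path": "/checkout",
            "body": "sku=SKU-100&qty=1&price=1"}


def network_firewall_allows(request: dict) -> bool:
    """What a network firewall or IDS can judge: a well-formed POST to the web
    port from an allowed client. Both requests above pass, and over SSL the body
    is encrypted so the device could not inspect the price field anyway."""
    return (request["method"] == "POST"
            and request["port"] in (80, 443)
            and request["path"].startswith("/"))


def checkout_vulnerable(body: str) -> dict:
    """'Before': the handler trusts the price because the form supplied it."""
    form = parse_qs(body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    price = int(form["price"][0])        # attacker-controlled value
    return {"sku": sku, "qty": qty, "total": price * qty}


def checkout_hardened(body: str) -> dict:
    """'After': the price comes from the server-side catalogue; any posted
    'price' field is ignored and the other fields are validated."""
    form = parse_qs(body)
    sku = form.get("sku", [""])[0]
    qty = int(form.get("qty", ["0"])[0])
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {"sku": sku, "qty": qty, "total": CATALOGUE[sku] * qty}


def virtual_patch_blocks(body: str) -> bool:
    """Interim app-firewall rule for the period before the code fix ships: reject
    any request whose posted price disagrees with the catalogue. Note the
    false-positive hazard the post warns about: if the catalogue price changes
    and this rule is not updated in step, legitimate orders get blocked too."""
    form = parse_qs(body)
    sku = form.get("sku", [""])[0]
    posted = form.get("price", [""])[0]
    return sku not in CATALOGUE or posted != str(CATALOGUE[sku])


def demo() -> dict:
    """Run both requests through each layer and return what each one decided."""
    return {
        "firewall_allows_tampered": network_firewall_allows(TAMPERED),
        "vulnerable_total_for_tampered": checkout_vulnerable(TAMPERED["body"])["total"],
        "hardened_total_for_tampered": checkout_hardened(TAMPERED["body"])["total"],
        "virtual_patch_blocks_tampered": virtual_patch_blocks(TAMPERED["body"]),
        "virtual_patch_blocks_legit": virtual_patch_blocks(LEGIT["body"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The firewall says yes to both requests, the vulnerable handler happily charges one cent for the tampered order, and only the application-layer fix (or, temporarily, a rule written from knowledge of this specific vulnerability) stops it. That is the whole argument of the post in a dozen lines of checkout code.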
- Mandeep Khera, Cenzic