Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22

This slide deck denotes practical and insightful techniques for finding budget for Application Security solutions. It includes ideas for where to look, who to ask, how to speak their language, and provides proof points to make your case.

Published in: Technology

  1. Top 10 Ways To Win Budget For Application Security. Speaker: Chris Harget
  2. Winning Budget: (1) Where To Look, (2) Who To Ask, (3) Talking Their Language, (4) Useful Proof Points. [Cenzic, Inc. - Confidential, All Rights Reserved.]
  3. Survey: Who is the hardest person to persuade to approve Application Security budget? A) IT Director, B) CISO/CIO, C) CFO, D) Procurement, E) Other.
  4. There Are Lots of People Like You... Looking For Budget. "69% of 12,000+ IT professionals surveyed believed that in 2013 Application Vulnerabilities are the number one security issue." - The 2013 (ISC)2 Global Information Security Workforce Study, https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf
  5. Three Generic Budget Tactics: justify more IT spend; reallocate existing IT spend; stretch existing App Sec spend.
  6. Application Development Team's Crucial Role. "Secure software development is where the largest gap between risk and response attention by the information security profession exists." - The 2013 (ISC)2 Global Information Security Workforce Study (same URL as slide 4).
  7. #10: Get Developers to Kick In Budget
     - Your organization probably has 5-20x more developers than security analysts; their budget is probably bigger too.
     - Most application vulnerabilities are coding defects, so developers are the people who can fix them.
     - Developers might kick in budget for licenses, training and security posture assessments.
     - Bonus tip: browser-client power-user licenses cost half as much as desktop software and do almost as much.
  8. SQL Injection... Can Take Down Your Data/Site. (http://xkcd.com/327/, http://en.wikipedia.org/wiki/SQL_injection)
  9. App Vulnerabilities Threaten Uptime
     - SQL injection can take down the database (drop tables, remove users, dump the DB).
     - XSS can take down the app: injected JavaScript can hit the web server hundreds of times for each user and spread like a virus. E.g., at MySpace an XSS worm kept adding friends until the system went down (https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf).
     - Buffer overflow can take down the app and can give the attacker shell access.
     - Session hijacking can take over a user's session; if that user was an admin, the attacker could literally turn functionality off or shut down parts of the system (e.g., WordPress).
     - The Production team is measured by uptime.
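The "drop tables, dump DB" bullet on the slide above is the concrete damage that string-built SQL invites. The script below is an added example, not code from the Cenzic deck: it builds a constructed in-memory SQLite `users` table, then runs a tautology payload and a stacked `DROP TABLE` payload against a query assembled by string concatenation and against its parameterised equivalent, and reports which one survives. The table, rows and payloads are all made up for the demonstration, and `executescript()` stands in for database drivers that accept several statements in one call.

```python
import sqlite3

# Constructed sample data (not from the slide deck): two accounts in a toy users table.
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "user"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the user-supplied name is pasted into the SQL text,
    so quote characters inside it change the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the name travels as a bound parameter and is only ever data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def delete_vulnerable(conn, name):
    """Vulnerable: string-built DELETE run through executescript(), which, like
    drivers with multi-statement queries enabled, accepts stacked statements."""
    conn.executescript("DELETE FROM users WHERE name = '" + name + "';")


def delete_safe(conn, name):
    """Hardened: one parameterised statement; a second statement cannot be stacked on."""
    conn.execute("DELETE FROM users WHERE name = ?", (name,))
    conn.commit()


def table_exists(conn):
    """True while the users table is still present in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


def demo():
    """Run both payloads against both code paths and return what happened."""
    dump_payload = "' OR '1'='1"               # makes the WHERE clause a tautology: dumps every row
    drop_payload = "x'; DROP TABLE users; --"  # closes the string, stacks a DROP, comments out the rest

    conn = make_db()
    dumped = lookup_vulnerable(conn, dump_payload)  # every row comes back
    safe_dump = lookup_safe(conn, dump_payload)     # no row has that literal name, so nothing
    delete_safe(conn, drop_payload)                 # deletes nothing; the table is intact
    survived_safe = table_exists(conn)
    delete_vulnerable(conn, drop_payload)           # the stacked DROP TABLE executes
    dropped = not table_exists(conn)
    conn.close()
    return {
        "rows_dumped": len(dumped),
        "rows_from_safe_lookup": len(safe_dump),
        "table_survived_safe_delete": survived_safe,
        "table_dropped_by_vulnerable_delete": dropped,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the same in every language and driver: never concatenate untrusted input into SQL text; bind it as a parameter, and keep multi-statement execution off unless a query genuinely needs it.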
  10. #9: Get Production To Kick In Budget
     - For every app in Dev/QA there are ~10 in Production. New vulnerabilities are discovered daily, and apps can become more vulnerable after release.
     - App vulnerabilities can result in downtime.
     - App testing/monitoring helps Production ensure uptime.
     - Production should continuously monitor apps and schedule them for patching, just as it does for the OS, DB and servers.
  11. #8: Shift Spend From Low- to High-Risk Areas
     - Network security is a mature space; we have had firewalls, etc. for decades.
     - Attackers are shifting to softer targets.
     - The amount and value of data accessible via the application layer has exploded.
     - To get the most risk-mitigation bang for your buck, your organization should rebalance spend to correlate with actual risk.
  12. The Risk vs Investment Imbalance (chart). 75% of all attacks on information security are directed at the web application layer, and more than 2/3 of all web applications are vulnerable. Share of security budget: ~90% network and server, ~10% web application. Share of attacks/risk: ~75% web layer, ~25% network and server.
  13. #7: Plant a Seed Far in Advance
     - Budget cycles are sometimes long and rigid.
     - The easiest method is to put in a placeholder for a comprehensive app security solution.
     - Plan B: at least get the most important apps covered, and request supplemental funds in a later cycle.
  14. #6: Quantify The Risks. Assign a value to: data exposed by apps; uptime for web sites; brand/trust. Useful risk calculator (gives a $ range score): https://www.web-app-security-risk-calculator.com/
  15. Sample Risk Costs
     - PR bill for a breach: ~$900,000.
     - Cost per record stolen: $294; usually thousands or millions of records are stolen. Sony spent >$1 billion.
     - Intellectual property loss: depends on the IP's future value to you.
  16. Intellectual Property Loss. Cyber espionage has been pointed to as part of how the Chinese J-20 fighter jet is catching up to the US F-22 = $billions in potential IP theft.
  17. #5: Show Comparative ROI
     1. Get a low/medium/high $ risk range.
     2. Get a rough quote for protection.
     3. Apply the standard ROI formula: %ROI = (Gain - Cost) / Cost.
     4. Get three numbers for the ROI range.
     Worked example: risk range $700K, $1.2M, $3.6M; protection ~$100K; ($700K - $100K) / $100K = 600%; ROI range 600%, 1,100%, 3,500%.
  18. Consider Opportunity Costs: your project's likely benefits vs. anticipated benefits from competing projects. Implications: relative ROI matters; the relative worst-case scenario of doing nothing matters; benefits to WHOM matters.
  19. #4: Make It Simple For Non-Technical People
     - To be useful, web apps have to interpret commands, which hackers exploit to steal data and to deface or crash web sites.
     - If an application allows this, it is called a "vulnerability".
     - More than 5,000 kinds of vulnerabilities have been discovered.
     - To find and patch vulnerabilities we need Dynamic Application Security Testing (DAST) solutions.
  20. Even More Simply... Hackers use hidden application commands to steal data and damage web sites. Scanning tools help efficiently find and patch these vulnerabilities.
  21. Problem: CFOs Don't Speak "Securitese"
     - CFOs speak cost-benefit and comparative value. CFOs are numbers people; most security issues are nebulous, not quantified. No numbers, no ROI.
     - Solution: use financial lingo: "risk management"; "we have a fiduciary responsibility to shareholders to take reasonable data protection measures"; "mitigating risk".
  22. #3: Talk In CFO Terms
     - ~75% of attacks now target the web application layer (per Gartner Group).
     - $4.6 million in damages on average from major attacks (per Ponemon Institute).
     - Application security testing typically costs less than 1/10th the cost of a major attack and reduces risk by an order of magnitude.
     - Application security expenditures offer high marginal risk mitigation per dollar invested.
     - This is a risk management policy, like insurance.
  23. #2: Compliance. Applies if you handle...
     - Credit cards: PCI DSS
     - Medical records: HIPAA
     - Financial info: GLBA, SOX, SB1386, FTC 16 CFR 314, SEC Reg S-P, PIPEDA (Canada)
     - Social Security numbers: SB1386
     - US federal information systems: FISMA
     - Security standards: NIST, OWASP Top 10 (2010)
  24. #1: Convince Them This Solution Will Do The Job. Nobody is comfortable making an uncertain purchase. They need assurance that you have done your due diligence. There is an outline that helps:
  25. The CIO Needs To Hear... the problem to be solved; its significance; why the proposed option is best; assurance that we can execute; potential issues and how we will overcome them; expected outcome and metrics.
  26. CIO Pitch Example
     - Research shows >90% of web applications are vulnerable to exploits...
     - ...which can result in millions of dollars of data loss, downtime, revenue hits and brand damage.
     - Application scanning tools will let us find and fix vulnerabilities (in Development and Production) before the bad guys do, and manage risk.
     - Cenzic is a leading enterprise solution, a focused partner and good value.
     - If the threat or need changes, Cenzic's breadth and services offerings keep us covered.
     - Success metric: vulnerabilities will be identified, ranked and methodically reduced, such that we drive down net HARM™ scores (app risk scores).
  27. Top 10 Ways to Win App Security Budget
     10. Get Developers to kick in
     9. Get Production to kick in
     8. Shift from low-risk to high-risk areas (e.g. from network security to app security)
     7. Plant a seed well in advance
     6. Quantify the risks
     5. Show comparative ROI
     4. Make it simple for non-technical people
     3. Talk in CFO terms
     2. Compliance
     1. Convince them this solution will do the job
