Top 10 Ways To Win Budget
For Application Security
Speaker: Chris Harget
Winning Budget
1. Where To Look
2. Who To Ask
3. Talking Their Language
4. Useful Proof Points
2 Cenzic, Inc. - Confidential, All Rights Reserved.
Survey:
• Who is the hardest person to persuade to approve Application Security budget?
  A) IT Director
  B) CISO/CIO
  C) CFO
  D) Procurement
  E) Other
There Are Lots of People Like You
…Looking For Budget
“69% of 12,000+ IT professionals surveyed believed that in 2013 Application Vulnerabilities are the number one security issue.”
– The 2013 (ISC)2 Global Information Security Workforce Study
https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf
Three Generic Budget Tactics
• Justify more IT spend
• Reallocate existing IT spend
• Stretch existing App Sec spend
Application Development Team’s Crucial Role
• “Secure software development is where the largest gap between risk and response attention by the information security profession exists.”
– The 2013 (ISC)2 Global Information Security Workforce Study
https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf
#10: Get Developers to Kick In Budget
• Your organization probably has 5-20x more Developers than Security Analysts
  – Their budget is probably bigger too
• App vulnerabilities can mostly be addressed by flawless coding
• Developers might kick in budget for Licenses, Training, Security Posture Assessments
• Bonus Tip: Browser-client power-user licenses cost half as much as desktop software, and do almost as much
SQL Injection… …Can Take Down Your Data/Site
http://xkcd.com/327/
http://en.wikipedia.org/wiki/SQL_injection
App Vulnerabilities Threaten Uptime
• SQL injection can take down the database (drop tables, remove users, dump the DB)
• XSS can take down the app (injected JavaScript could hit the web server hundreds of times for each user and spread like a virus)
  – e.g., at MySpace, XSS was used to keep adding friends until the system went down: https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf
• Buffer overflow can take down the app, and can give a hacker shell access
• Session hijack can take over a user's session (if it was an admin's session, the hacker could literally turn functionality off or shut down parts of the system, e.g., WordPress)
• Production Team is measured by Uptime
#9: Get Production To Kick In Budget
• For every app in Dev/QA, there are ~10 in Production.
  – New vulnerabilities are discovered daily
  – Apps can become more vulnerable after release
• App vulnerabilities can result in downtime.
• App testing/monitoring helps Production to ensure uptime
• Production should continuously monitor apps and schedule them for patching, just as they do for OS, DB and Servers
#8: Shift Spend From Low to High-Risk Areas
• Network Security is a mature space
  – We’ve had firewalls, etc. for decades
• Attackers are shifting to softer targets
• Amount/value of data accessible via the Application layer has exploded
• To get the most risk mitigation bang for your buck… …your organization should rebalance spend to correlate to actual risk
75% of all attacks on information security are directed to the Web Application layer
>2/3 of all Web Applications are vulnerable

The Risk vs Investment Imbalance
                      % of Security Budget    % of Attacks / Risk
Network + Server      90%                     25%
Web Application       10%                     75% (Web layer)
#7: Plant a Seed Far in Advance
• Budget cycles are sometimes long and rigid
• Easiest method is to put a placeholder in for a comprehensive app security solution
• Plan B: at least get the most important apps covered, and request supplemental funds in a later cycle
#6: Quantify The Risks
Assign Value to:
• Data exposed by apps
• Uptime for web sites
• Brand/trust
Useful Risk Calculator (gives $ range score):
https://www.web-app-security-risk-calculator.com/
Sample Risk Costs
• PR Bill for Breach ~$900,000
• Cost Per Record Stolen $294
  – Usually, thousands or millions of records stolen
  – Sony spent >$1 Billion
• Intellectual Property Loss
  – Depends on IP future value to you
Intellectual Property Loss
Cyber espionage has been cited as part of how the Chinese J-20 fighter jet is catching up to the US F-22
= $Billions in potential IP theft
#5: Show Comparative ROI
1. Get low-med-high $ risk range
2. Get a rough quote for protection
3. Standard ROI formula
4. Get 3 numbers for ROI range

%ROI = (Gain – Cost) / Cost

Risk range:       $700K, $1.2M, $3.6M
Protection cost:  ~$100K
Example:          $(700K – 100K) / $100K = 600%
ROI range:        600%, 1,100%, 3,500%
Consider Opportunity Costs
Your project’s likely benefits vs. anticipated benefits from competing projects
Implications
• Relative ROI matters
• Relative worst-case-scenario-of-doing-nothing matters
• Benefits to WHO matters
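The "Quantify the Risks" and "Show Comparative ROI" steps above can be carried through as a small calculator. This is an added example, not code from the Cenzic deck or the linked risk calculator site; it uses the deck's own figures (cost per record $294, PR bill ~$900K, risk range $700K/$1.2M/$3.6M, ~$100K protection quote) and treats "Gain" as the loss avoided. The record counts, the competing project and its numbers are constructed sample inputs.

```python
"""Risk-quantification and ROI-range calculator (added example, not from the deck)."""
from dataclasses import dataclass

# Figures quoted on the slides
COST_PER_RECORD = 294          # $ per record stolen
PR_BILL = 900_000              # $ public-relations cost of a breach
PROTECTION_QUOTE = 100_000     # $ rough quote for app security testing


def breach_cost(records_exposed: int, ip_loss: float = 0.0) -> float:
    """Dollar exposure of one breach: PR bill + per-record cost + IP value at risk.
    The IP term is left to the caller ("depends on IP future value to you")."""
    if records_exposed < 0:
        raise ValueError("records_exposed must be >= 0")
    return PR_BILL + COST_PER_RECORD * records_exposed + ip_loss


def roi_percent(gain: float, cost: float) -> float:
    """Standard ROI formula from the slide: %ROI = (Gain - Cost) / Cost * 100."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (gain - cost) / cost * 100


def roi_range(risk_estimates, cost: float):
    """Step 4 of the slide: one ROI figure per low/medium/high risk estimate.
    'Gain' is taken as the loss avoided, i.e. the risk estimate itself."""
    return tuple(roi_percent(gain, cost) for gain in risk_estimates)


@dataclass
class Project:
    """A competing budget request, for the opportunity-cost comparison."""
    name: str
    expected_benefit: float        # $ benefit if funded
    cost: float                    # $ cost
    worst_case_if_skipped: float   # $ loss if not funded ("doing nothing")

    @property
    def roi(self) -> float:
        return roi_percent(self.expected_benefit, self.cost)


def rank_projects(projects):
    """Opportunity-cost ordering: relative ROI first, then the relative
    worst case of doing nothing, as the "Implications" slide suggests."""
    return sorted(projects, key=lambda p: (p.roi, p.worst_case_if_skipped), reverse=True)


if __name__ == "__main__":
    low, mid, high = 700_000, 1_200_000, 3_600_000       # deck's risk range
    print("ROI range (%):", roi_range((low, mid, high), PROTECTION_QUOTE))
    print("Breach exposure, 1,000 records ($):", breach_cost(1_000))
    appsec = Project("App security testing", expected_benefit=mid,
                     cost=PROTECTION_QUOTE, worst_case_if_skipped=high)
    crm = Project("CRM upgrade (constructed)", expected_benefit=400_000,
                  cost=150_000, worst_case_if_skipped=50_000)      # constructed
    for p in rank_projects([crm, appsec]):
        print(f"{p.name}: ROI {p.roi:.0f}%")
```

Feeding the deck's three risk estimates and the ~$100K quote into `roi_range` reproduces the 600% / 1,100% / 3,500% range on the slide; `rank_projects` is where the "relative ROI" and "worst case of doing nothing" comparison against other budget requests happens.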
#4: Make It Simple For Non-Technical People
• To be useful, Web apps have the ability to interpret programming commands…which hackers exploit to steal data and deface or crash web sites
• If an application allows this, it is called a “vulnerability”
• >5,000 kinds of vulnerabilities discovered
• To find and patch vulnerabilities we need Dynamic App Security Testing solutions
Even More Simply…
• Hackers use hidden Application commands to steal data and damage web sites. Scanning tools help efficiently find and patch these vulnerabilities.
Problem: CFOs Don’t Speak “Securitese”
• CFOs speak cost-benefit, comparative value
  – CFOs are numbers people…Most security issues are nebulous, not quantified. No numbers, no ROI.
• Solution: Use financial lingo
  – “Risk Management”
  – “We have a fiduciary responsibility to shareholders to take reasonable data protection measures”
  – “Mitigating risk”
#3: Talk In CFO Terms
• ~75% of attacks now target the Web Application Layer
  – Per Gartner Group
• $4.6 million damages on average from major attacks
  – Per Ponemon Institute
• Application Security Testing typically costs <1/10th the cost of a major attack & reduces risk an order of magnitude
• Application Security expenditures offer high marginal risk mitigation per dollar invested
• This is a risk management policy, like insurance
#2: Compliance
Applies if you handle…
• Credit cards – PCI
• Medical Records – HIPAA
• Financial Info – FISMA, GLBA, SOX, SB1386, FTC 16 CFR 314, REG SP, PIPEDA (Canada)
• Social Security #’s – SB1386
• Security – NIST, OWASP 2010
#1: Convince Them This Solution Will Do The Job
• Nobody is comfortable making an uncertain purchase
• They need assurance you’ve done your due diligence
• There is an outline that helps
CIO Needs To Hear…
• Problem to be solved
• Significance
• Why proposed option is best
• Assurance we can execute
• Potential issues and how we’ll overcome them
• Expected outcome & metrics
CIO Pitch Example
• Research shows >90% of Web Applications are vulnerable to exploits…
• …which can result in millions of dollars of data loss, downtime, revenue hits and brand damage.
• Application Scanning tools will let us find and fix vulnerabilities (in Development and Production) before bad guys do, and manage risk.
• Cenzic is a leading enterprise solution, focused partner, & good value.
• If threat or need changes, Cenzic’s breadth and services offerings keep us covered.
• Success Metric: Vulnerabilities will be identified, ranked, and methodically reduced, such that we drive down net HARM™ scores (App risk scores)
Top 10 Ways to Win App Security Budget
10. Get Developers to kick in
9. Get Production to kick in
8. Shift from low-risk to high-risk areas (e.g. from Network Security to App Security)
7. Plant a seed well in advance
6. Quantify the risks
5. Show comparative ROI
4. Make it simple for non-technical people
3. Talk in CFO terms
2. Compliance
1. Convince them this solution will do the job