Friday, February 19, 2010

Compliance and Habit holding back Application Security

My "Infrastructure vs. Application Security Spending" post must have struck a nerve. I've received a number of comments and emails where it's clear many are grappling with the same organizational budgeting challenges. Sharing these individual experiences helps us raise awareness and gain new perspective on things that might work to our advantage. I sought permission to share the content of one such insightful email from a Director of Product Security for a large publicly-traded company.

"Good post. It's something I've been preaching at *redacted* since day one. Our business relies on protecting our customers' data. Why spend significantly more money on protecting our internal networks than on our product? I've won that battle, but given our security team started from network IT Security guys, that's where the money was spent.

A couple of things I thought I'd pass along which you didn't mention, but I'm sure you've thought about:

1. Service providers are going to spend money where their customers want them to. If their customers' security teams are all network guys, then the service provider is catering its "security budget" to those guys. It still befuddles me in this day and age that we get predominantly more nCircle/Qualys/Nessus scans than we do application assessments from our customers. It shows in the compliance arena too: if the people auditing your company have been baptized by compliance, then the service provider will cater to that. Unfortunately there are way more auditors who look at compliance and network security than at application-level security.

2. I think the comparison of network/host security vs. application security shouldn't equate (right now). Because of the maturity of the market, there are fewer tools that are practical to rely on. As such, the curve should focus more on people (training, processes, and security staff) than on tools. I'm not saying the tools can't/don't do a good job, I'm just saying that right now they're not sufficient and in general more staffing resources need to be involved. To use an internal example, the fact that all R&D staff at *redacted* go through security training, perform security work every sprint, use secure frameworks, tools, etc., isn't captured by the numbers, and frankly is more valuable than us spending another 100K on a few more licenses of AppScan or WebInspect.

I think it would be really interesting to compare the costs of some of these products vs. the benefit they provide. I just find it terribly funny that a Burp license costs ~$200, while running a product like DB Monitoring would cost hundreds of thousands or even millions of dollars in a large data center. That said, customers ask for things like DB Monitoring because, you know, the five DBAs are more likely to steal their data than the thousands of malicious hackers out there ;-)

I'm not old enough to know, but I bet the network security guys cracked on how the physical security guys got all the budget way back when. Evolution..."

If you have a story to share, please do!


Gaurav said...

I think these days most infrastructure devices include some sort of application security layer too. For example, Snort IDS (and commercial IDSes) are capable of looking at web application attacks to some extent. Also, Cisco security devices have application-layer security built into them, which is somewhat limited, but nevertheless, I think with Threat Management Gateways gaining more hold in enterprises, the line between infra and app sec is becoming thinner. As such, when it comes to spending money, one must be careful not to overdo things.

Just my thoughts.

Smith said...

Great post and impressive thinking. As far as I am concerned, security for application and network is not the same, but exempt the tools, because tool behavior is the same in both cases.


Anonymous said...

All the appliances in the world can never completely eradicate the problem of application security as long as there is an abundant supply of bad code from hastily-made products. Take for instance the bunch of live NASA server exploits listed at pinoysecurity. The list just goes on...