Comments on Jeremiah Grossman: Budgeting for Web Application Security

Juan Carlos Calderon, 2010-01-21 07:21 -08:00:

It might be part of competitive advantage, but IMHO a #6 (and maybe higher in the list) is actual money savings (hard and soft). When you implement a security program, adding tools in early stages, starting to use common and approved components, and that kind of activity, it has an immediate savings effect. You have fewer bugs to fix before deployment, you fix design errors at design time (one of these might get you to a total rebuild of the application), you have better TTM, and developers learn early on about common vulnerabilities, so they fix 1 XSS, not 100. The tough part is how to measure this, although a simple baseline comparison, by doing some testing in a few applications against your target objective, might be helpful to figure out the numbers.

Anonymous, 2009-03-17 03:09 -07:00:

What a great post. I really enjoy reading this post.

Jeremiah Grossman, 2009-01-05 15:55 -08:00:

@lenny, please pitch me an email directly. Much of the work has been done, but I have a feeling there is going to be a lot more post data collection.

lennykaufman, 2009-01-05 12:16 -08:00:

Coolio. Let me know how I can get involved with the OWASP Security Spending Benchmarks project.

Jeremiah Grossman, 2009-01-05 11:31 -08:00:

Been working on the OWASP Security Spending Benchmarks project with Boaz. The data collected from that will probably fuel v2.

https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks

lennykaufman, 2009-01-05 10:18 -08:00:

You mentioned a v2 ... any word on if that's a go?

Jeremiah Grossman, 2008-12-29 13:47 -08:00:

@NoticeBored, because Web application security is what I spend most of my time on. But you are probably right, and the guidance could apply to many other areas.

#6 is pretty close to #1. At least I can't discern a big difference.

#7 seems to be a mix of #1 and #4.

Gary Hinson, 2008-12-29 13:37 -08:00:

Hi. I don't understand why you are pimping up application security specifically: the 5 methods you describe apply to a whole range of security/risk management investments.

I can think of at least two more to add to your 5:

6. If we didn't spend $X on security, we wouldn't be able to perform business processes Y and Z safely and/or profitably [i.e. security as a business enabler].

7. If we spend $X on security, our governance, compliance and risk management objectives will be met, our breach costs will be contained, but most of all our executives will sleep soundly [i.e. the assurance factor].

Kind regards,
Gary Hinson

Jeremiah Grossman, 2008-12-29 08:14 -08:00:

Franklyn, money first, control second. :)

FJ, 2008-12-28 20:01 -08:00:

I agree with the "top 5", but are any of these really doable unless you can actually see and control all these new web apps? I mean, port 80 is a black hole and 443 is encrypted. And IPS isn't the answer for seeing all this stuff. Any thoughts?

Jeremiah Grossman, 2008-12-19 10:33 -08:00:

@Keydet89 As you said, everyone likes to see security justified in a different way, even when it's a contradiction in terms. This is probably going to be the reality of the situation for the foreseeable future.

Business school. Wish I had the opportunity; it would have made life a bit easier. I had to learn some important lessons in the field at great expense.

H. Carvey, 2008-12-19 05:13 -08:00:

As an active responder, what I'm seeing in the corporate community is that risk is viewed differently... spending now on security is a certainty, whereas the risk is a possibility. Many managers tend to bet on the horse NOT coming in.

"Due diligence" is one of my favorites. I get calls from folks who want me to come in, and acquire and analyze their entire network, just for "due diligence". It occurs to me that if you really wanted to do "due diligence", you'd've had someone in before-hand.

Regulatory compliance is HUGE! Some compliance measures have teeth; others only have teeth when it's the little guy.

Finally, competitive advantage... for the folks who do read the papers, there are enough stories out there about losing intellectual property and then market share due to hacking, a disgruntled employee, etc. But then, it keeps happening, and will continue to happen, because managers have a "yeah, but that kind of thing won't happen to me" attitude.

Final word... the issue of "budgeting" is profoundly interesting to me, as I've responded to a number of engagements which would've been prevented had management required the admins to add or change passwords (SQL 'sa' accounts, etc.). All this means is, sit down at a keyboard and type a command. Yet this was deemed too expensive... the cost did not justify the action.

What business school did these guys (and gals) go to?

Unknown, 2008-12-15 07:08 -08:00:

@J

Cool. I just hear that quite a bit, and I'm not convinced that fraud rates are relative priors unless we specify to the point of small sample size.

I.e., if I'm a regional bank, the fraud rates of community or large national banks may or may not be relevant. My own history may be a better indicator of expected loss magnitude or the expected frequency of fraud events. Both pieces of information are useful; the question is how useful, which is a different conversation than the quantity of information at hand.

Tom Brennan, 2008-12-13 12:00 -08:00:

Application Security #1 on the agenda.. is 2009 the year of Application Security?

http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157

Jeremiah Grossman, 2008-12-12 14:50 -08:00:

@Alex, oh oh, I see what you are asking now. Yes, a company can and should know how much fraud they are experiencing. Though this information is not always readily available, if it is, it certainly can be used to justify security spending. My comments were geared towards the industry at large, where we don't have good fraud rates.

Anonymous, 2008-12-12 14:44 -08:00:

@J

I'm confused (it's not difficult to do, confuse me). Are you saying that organizations don't have insight into the amount of significant fraud they have experienced?

lennykaufman, 2008-12-12 14:06 -08:00:

Don't mind at all. I'll watch for the links, etc. (and probably chime in with more feedback as things progress).

Thanks for starting this thread - awesome.

Jeremiah Grossman, 2008-12-12 13:54 -08:00:

@lenny, whoa! This is pure gold... excellent stuff. I'm thinking this post is deserving of a v2 in a couple of weeks, after assimilating community feedback. I'd like to add more linked resources, case studies, metrics, and of course incorporate your additions (if you don't mind).

lennykaufman, 2008-12-12 13:28 -08:00:

This is a great post - I think it can be better ...

The one mistake that we constantly make in Information Security Risk Assessment is that we tie measurable factors (primarily $$) to immeasurable factors (unbound % or # wrt risk).

Your post is a good leap forward in laying out the domains of consideration, and it would benefit from taking the final step that Financial Risk Management methods take (which is why Financial Risk Management is so much more effective than InfoSec Risk Management, to be honest).

To use your example, a more complete quantification would be as follows:

1) Risk Mitigation
"If we spend $X on Y, we'll reduce our risk of loss of $A by B%, resulting in $C financial upside for our organization."
(I've essentially only completed the formula that you set out.)

2) Due Diligence
"We must spend $X on Y because it's an industry best-practice that has been shown to carry a financial upside of $C (in either cost avoidance or revenue generation)."

3) Incident Response
"We must spend $X on Y so that Z never happens again, saving us $C (which equals the estimated cost of incident response and/or incident-related loss)."

4) Regulatory Compliance
"We must spend $X on Y because non-compliance with Regulation A carries an estimated cost of $C."

5) Competitive Advantage
"We must spend $X on Y to make the customer happy, because making the customer happy has an estimated financial upside of $C for our organization."

Jeremiah Grossman, 2008-12-12 10:26 -08:00:

@Boaz, excellent comment, I have nothing to add. :) Please let me know when you are ready to formalize that group of CISOs.

Jeremiah Grossman, 2008-12-12 10:24 -08:00:

@Alex: To your point, I believe we need insight into fraud rates, not just data disclosure/compromise rates. We hear a lot about X number of records being lost because a backup tape went missing. What we don't know is if that loss led to fraud - that type of metric would be invaluable. We'd be able to take/advocate more exact security measures that truly reduce fraud and not just data loss.

Anonymous, 2008-12-12 10:04 -08:00:

J- As always, good stuff. Let me ask you:

"While measuring investment against risk makes sense, it is also extremely difficult to quantify in Web application and software security given our industry's lack of data. We don't yet have strong data tying loss to root cause and those compromised closely guard the details."

I hear this often. What I don't hear is someone specifically saying - here's the amount and quality of information we would need, and a plan to get it.

Alternately, I'm willing to bet that in most cases there is enough information to make consistent, defensible decisions. It's the lack of models and understanding around probability theory that hinders us.

Anonymous, 2008-12-12 10:01 -08:00:

I think you really hit the nail on the head with the 5 reasons for security spending today. Security-conscious companies produce secure code because it is the right thing to do and they want to be in pole position when regulations with teeth finally come around. Unfortunately, in most companies these 5 reasons alone do not end up justifying sufficient security spending:

(1) Risk mitigation - the estimates you hear of $200 per compromised record seem like an exaggeration in most industries. IMHO it is the absence of an economic motivation to produce secure code that is starting to lead to regulation.

(2) Due diligence and industry best practice - when I talk to software vendors and start asking too many specific security questions, I invariably get a list of their Fortune 100 customers, as if that in itself means the software is secure. The apparent effectiveness of the "our product is secure because big and important companies use it" argument has led to the status quo of insecure software.

(3) Incident Response - this one is definitely a motivator, especially when it involves visible compromise such as DoS. But only a small portion of software security incidents lead to measurable damage to the affected company, and most companies do not suffer from damaging incidents that can be attributed back to them.

(4) Regulatory Compliance - with the possible exception of PCI and a few industry-specific regulations, current regulations are too vague and open to interpretation. Companies can still claim compliance while only paying lip service to security. This will change over the next few years (e.g. the new state law in Massachusetts).

(5) Competitive Advantage

This is the area where we as security professionals have the most work to do in helping consumers differentiate secure products from insecure ones. Security carries a cost, so that an insecure product costs less to produce than a secure one. Bruce Schneier often calls the software market "a market for lemons" - in the used car market, it is difficult to tell a lemon from a good car. It is very hard to differentiate secure software from insecure software, reducing the motivation to invest in security.

When addressing security, corporate marketing materials will often mention things like the biometric readers at the doors to the data center while saying nothing about secure coding. When is the last time a company suffered a public data breach by someone walking out with a server from a server room because the door was merely locked and did not have biometric passes? You also see SSL mentioned almost all the time. Quite a random example given the vast array of web application vulnerabilities.

When I am evaluating a vendor, I would much rather see "we spent X% of our budget last year on internal and external security reviews". I have no way of knowing if this money was well spent or if the reviewers were competent, but at least there is an objective measure of effort and attention put into security. Having this additional metric will help make sure that the market accepts a premium for wisely spent security dollars.

Sorry for the long comment, and thanks for bringing much-needed attention to this issue through your (always enjoyable) blog. I am putting together a group of CISOs and security professionals to get some data on this issue. Participation is welcome and I will post a URL once the initiative gets rolling.

Jeremiah Grossman, 2008-12-12 08:08 -08:00:

Many thanks Richard!

@Black Fist, welcome, but not sure I get the irony. I guess we both enjoy the same Google template.

Anonymous, 2008-12-12 07:17 -08:00:

I think it is interesting and ironic that the founder of WhiteHat Security has a blog that looks nearly identical to the blackfistsecurity blog. Anyway, great post. I have never been here before, but Bejtlich was pimping this on his blog so I stopped to check it out. I just had to comment on the appearance.