Comments on Jeremiah Grossman: Infrastructure vs. Application Security Spending
Blog author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Feed last updated: 2024-02-08T03:44:23.780-08:00

----------------------------------------------------------------------
Anonymous (https://www.blogger.com/profile/17524961166262168067)
2016-08-22T02:18:42.606-07:00

Excellent post!!! In this competitive market, customer relationship management plays a significant role in determining a business's success. That too, cloud-based CRM products offer more flexibility to business owners to maintain strong relationships with the consumers.
Salesforce Training in Chennai (http://www.fita.in/salesforce-training-chennai/)

----------------------------------------------------------------------
AppSec
2010-02-22T08:26:45.288-08:00

Jeremiah:
I think Sherif hits part of the point, but not all of it.

Perception.

While the "numbers" might say the applications are the hardest hit, the corporate view is that the infrastructure is my foundation. It is a lot harder to make changes to my infrastructure than it is to my applications.

There's also the perception that an infrastructure person (at this point in time) should be aware of security issues. That isn't the case with developers.

----------------------------------------------------------------------
Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186)
2010-02-19T11:38:56.177-08:00

@Sherif For the most part I'm sure you are right. Sys admins and IT personnel tend to run for their comfort zone. I'm just pointing out that these habits run counter to what the business invests in. Time for CIOs to realize this fact, especially in light of what is really going on out there.

@Security Retentive no, you are not misreading. Your logic is sound, perhaps the attackers did move on, but at the same time today we must adjust. One might also consider that if our "applications" were secure -- 10 years ago -- we may not need so many firewalls protecting weak apps. As you've said before, maybe we made the right choices with the best available knowledge back then. Right now, we are not.

----------------------------------------------------------------------
Andy Steingruebl (https://www.blogger.com/profile/07177656204885181542)
2010-02-19T08:28:11.656-08:00

Jeremiah,

What happens if we roll the clock back 10 years, or even 7 years on this? Then what do the attacks look like?

I think I can make a fairly compelling argument that the attacks have moved to the application layer *because* of improvements at the OS and Network layers. Remote OS vulns are way down. People with wide open SQL servers to the internet are way down.

This means that the attacks have moved. Do people really believe that if we turned off network firewalls and stopped patching desktops and servers that they wouldn't get targeted for attacks, and we could redeploy all of that money to our SDL programs? If so, I also have some real estate in Florida to sell you :)

I'm not arguing that there aren't issues of spending, and that it shouldn't be rationalized, but to say that we need to completely shift the balance of the spending to applications is ridiculous.

Or am I misreading something here?

----------------------------------------------------------------------
Sherif Koussa (http://www.softwaresecured.com/blog)
2010-02-19T08:00:40.654-08:00

Very good analysis, thank you.

"The reason that Web security problems persist is not a lack of knowledgeable people (though we could use more), perfected security tools (they could be much better), or effective software development processes (still maturing)."

One reason for the difference between the spending on infrastructure vs. application security is the fact that sys admins and IT personnel have the knowledge and training of putting a system in place and they can pretty easily justify the need for a firewall, etc. In addition, the infrastructure security controls are found in a lot of network diagrams, design documents, etc., so execs are familiar with them. How many design documents or requirements documents have any application security controls in them?
My point is: a main reason for the difference in spending is the security knowledge of an average sys admin/IT engineer (whoever is responsible for the infrastructure) vs. the average knowledge of a software developer/technical project manager/product manager (whoever is responsible for the application).

----------------------------------------------------------------------
duryodhan (http://duryodhan.wordpress.com)
2010-02-19T00:34:28.303-08:00

I am not sure you need to reach up to 10% for web applications. They are fundamentally different from normal applications. At the very least, web applications can roll out fixes much more quickly than applications can. I do agree that web application security deserves a little more spending, but the numbers in your post (10 vs. 1, for example) are not justified - it's not an apples-to-apples comparison.

Also, I would hope and pray that we learnt something after the security disaster that was application 'deploy first fix later' in the 90s.
Thus, spending on security decreasing as we move to newer applications actually makes sense.

----------------------------------------------------------------------
Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186)
2010-02-18T19:11:57.920-08:00

@John, thanks for the comment!

1) I think that particular problem is a general lack of managerial / business application security mandate. No awareness. If the organization doesn't value or expect it, then I have a hard time blaming developers for going out of their way to "secure their code."

2) 1/2 agree. Put all the controls you want, but if I can hack the app.. all the crypto, passwords, and access control won't help all that much -- because the app has access and I am the app.

3) Can't say that I disagree. In fact, I've written exactly that before. http://jeremiahgrossman.blogspot.com/2009/08/web-security-is-about-scalability.html

4) That's exactly why we need to raise the awareness of application security and tie it to today's leading threats. They only used to be emerging.

----------------------------------------------------------------------
John Kindervag (http://www.forrester.com/rb/analyst/John_Kindervag)
2010-02-18T17:38:06.527-08:00

Some excellent thoughts in this post and clearly these ideas need to be explored more. Having said that, experience tells me a couple of things that impact the spending you described.

1. App folks are under so much pressure to get things done that they tend not to worry about the security aspects of their code and hope that someone else will deal with it later. This generally falls to the network team.

2. Applications are not the target but the transport. They provide a way to get to the real target - the data. While app security should be improved, better internal security and database security would be a huge help.

3. For many organizations, traditional application security is not scalable. That is why the appetite for network controls is growing.
While we may argue good, better, best among ourselves, the folks holding the purse-strings are looking for good enough.

4. Therefore, security spending lags. This is a business where we are trying to quantify phantom risks and prove negatives - which is really hard. In a world where executives think even having a password is too much of a pain, it's hard to explain the need for protection against ephemeral attacks that are too complex for non-technical folks to understand.

I've had CIOs tell me that they didn't want to know what was going on in their networks because then they'd have to fix it! Ignorance can be bliss... for a time...

----------------------------------------------------------------------
Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186)
2010-02-18T16:13:11.769-08:00

Thanks Boaz. Though I'm not sure compliance is the original culprit here. More so "best-practices" and hard-to-break infosec habits are really the enemies. These end up being rolled into compliance mandates and laws because no risk thinking goes into them. Their crafters just borrow and go.

----------------------------------------------------------------------
Boaz Gelbord (https://www.blogger.com/profile/01493802980748650574)
2010-02-18T16:05:36.690-08:00

Great post Jeremiah - there is far too little reasoned analysis of security spending and resource allocation. The data you and others have presented makes clear that security dollars are not being aligned with threats.

Of course a good chunk of security spending is motivated by compliance and contractual requirements versus actual risk reduction. And the regulations and standards are in turn completely focused on network security rather than application security issues.

A good example is the new Massachusetts data security regulation (http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf) going into effect on March 1st. It mandates firewalls but says nothing about application security.

The much more technical PCI Standard explicitly prioritizes network security over application security in the PCI Prioritized Approach (https://www.pcisecuritystandards.org/education/prioritized.shtml). And most of the security language you see in RFPs is likewise network security focused rather than app sec focused.

I think that part of the solution lies in awareness raising and representation at the early stages of legislative and industry discussions around standards. Of course that is easier said than done!