Application security can sometimes feel like a burden – should errors be discovered while a product is pushed through this vital gate, it sets the entire project back.
Yet, leaving it too late can seriously drive up the cost of identifying and addressing security vulnerabilities. Indeed, should you discover an error in an app’s coding phase instead of initial planning, it would cost five times as much to fix. Leave it till the component testing phase and you’re looking at 10 times the cost. And post-release? 30 times – a 3,000% increase.
But why does it push the price up so much, and what can you do about it?
Why detecting errors too late can drain your budget
This question can be answered fairly simply. The longer you leave an app in its development, the more work your team completes. The more work the team completes, the more needs to be undone should the security gate encounter a critical error.
Every minute spent on this process, from initial development to finding the error to fixing it, costs money. And, in a worst case scenario, if you don’t find the bug until after release, then you can add an enormous extra amount to those costs – product recalls and PR to name just two.
Case study: Equifax
Equifax is a prime example of worst case scenario. Back in 2017, the Equifax incident was one of the world’s largest known data breaches. Attackers managed to access the company’s disputes portal via a vulnerability, which meant they could view and steal sensitive documents that were used to resolve customer disputes. All totalled, hackers managed to compromise the personally identifying information (PII) of up to 145.5 million individuals.
So how much did it cost Equifax? Most notably, the lawsuits that ensued settled for at least US$575 million. But settlements were not the only cost, for Equifax would also have had to pay to:
- Investigate the breach.
- Notify customers.
- Deploy mitigation measures and patch the hole.
- Try to recover lost business – a major client, the IRS, terminated its contracts. Not to mention the loss of customer goodwill.
What is the key takeaway here? For any company, and especially any company that holds PII, letting security errors go undiscovered simply because detecting them was too time consuming is a recipe for disaster. Integrating security into the entire development pipeline is therefore vital to reducing the cost of detecting vulnerabilities.
The better way: Understanding the best practices of application security
So we know that security cannot be left until too late or else it will drive up costs to the tune of 3,000%.
We just mentioned the idea of ‘integrating security’ into the CI/CD pipeline, but what would that look like?
Integrate security into DevOps
DevOps helped revolutionize app development, and now DevSecOps can revolutionize DevOps.
To be considered fully ‘integrated’, security must be considered as a part of each stage of continuous development. In this world, there is no single security gate because the security team is continuously monitoring, verifying and adapting to security errors as they are discovered.
Instead of finding an error, realizing you can’t release the product and then going back through each phase to figure out where it all went wrong, there are only small things that need to be reworked or adjusted at each phase. In most cases, security will simply be there to confirm that the risk is tolerable relative to the business opportunity. But security must start at the design phase (and flow on through the rest of the CI/CD cycle) for this to work.
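One concrete form of "no single security gate" is a gate at every stage, each with thresholds appropriate to that stage, so that a finding is reported to the developer at the earliest point it can be fixed cheaply. The following is an added example, not code from the original article or from dig8ital: a small Python gate that reads SARIF-shaped scanner findings (SARIF 2.1.0 is the interchange format many SAST and dependency scanners emit) and checks them against a per-stage policy. The sample SARIF document, the tool name, the rule ids and the per-stage limits are all constructed for this example and are assumptions, not a standard.

```python
"""Stage-aware security gate: apply per-stage limits to scanner findings
so each CI/CD stage blocks only on what it should, and problems surface
(and get fixed) at the earliest stage rather than at a final gate."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Automated pipeline stages, in order (design-phase review happens before these).
STAGES = ["commit", "build", "test", "release"]

# Assumed example policy: max findings allowed per SARIF level at each stage
# (None = unlimited). Later stages tolerate less, so a warning accepted at
# commit time still has to be resolved before release. Tune per project.
POLICY: Dict[str, Dict[str, Optional[int]]] = {
    "commit":  {"error": 0, "warning": 5, "note": None},
    "build":   {"error": 0, "warning": 3, "note": None},
    "test":    {"error": 0, "warning": 0, "note": None},
    "release": {"error": 0, "warning": 0, "note": 0},
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str      # SARIF level: "error", "warning" or "note"
    message: str
    location: str   # "file:line", for the developer's fix list


@dataclass
class GateResult:
    stage: str
    passed: bool
    violations: Dict[str, int]   # level -> count that exceeded the stage limit
    must_fix: List[Finding]      # findings to resolve at this stage


def parse_sarif(text: str) -> List[Finding]:
    """Flatten a SARIF 2.1.0 document into Finding records."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when absent
            location = "unknown"
            for entry in result.get("locations", [])[:1]:  # first location only
                phys = entry.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "unknown")
                line = phys.get("region", {}).get("startLine")
                location = f"{uri}:{line}" if line is not None else uri
            findings.append(Finding(result.get("ruleId", "unknown"), level,
                                    result.get("message", {}).get("text", ""),
                                    location))
    return findings


def evaluate(stage: str, findings: List[Finding]) -> GateResult:
    """Gate fails if the count at any level exceeds that stage's limit."""
    limits = POLICY[stage]
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    violations = {lvl: n for lvl, n in counts.items()
                  if limits.get(lvl) is not None and n > limits[lvl]}
    must_fix = [f for f in findings if f.level in violations]
    return GateResult(stage, not violations, violations, must_fix)


def first_blocking_stage(findings: List[Finding]) -> Optional[str]:
    """Earliest stage whose gate fails, or None if every gate passes."""
    for stage in STAGES:
        if not evaluate(stage, findings).passed:
            return stage
    return None


# Constructed sample scanner output (SARIF-shaped); not real tool output.
def _loc(uri: str, line: int) -> dict:
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "hardcoded-credential", "level": "error",
         "message": {"text": "Password assigned to a string literal"},
         "locations": [_loc("app/config.py", 12)]},
        {"ruleId": "missing-request-timeout", "level": "warning",
         "message": {"text": "HTTP call without a timeout"},
         "locations": [_loc("app/client.py", 40)]},
        {"ruleId": "todo-in-security-code", "level": "note",
         "message": {"text": "TODO left in authentication module"},
         "locations": [_loc("app/auth.py", 7)]},
    ]}]})


if __name__ == "__main__":
    findings = parse_sarif(SAMPLE_SARIF)
    for stage in STAGES:
        result = evaluate(stage, findings)
        print(f"[{stage:8}] {'PASS' if result.passed else 'BLOCK'} "
              f"violations={result.violations}")
        for f in result.must_fix:
            print(f"    fix now: {f.rule_id} at {f.location}: {f.message}")
```

Run as written, the hardcoded credential blocks the very first gate, so the developer who introduced it fixes it at commit time; once it is gone, the missing timeout passes commit and build but blocks at test, and the leftover note is only refused at release. Each stage hands back a short "fix now" list instead of one large list at the end, which is the cheap side of the cost multipliers the article cites.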
Adopt common industry frameworks
Frameworks exist for a reason. They’re here to standardize the act of improving app security, guide security teams on best practice and provide ideas on potentially new ways to counter threats.
So what are some common frameworks to consider?
- OWASP SAMM v2: The Software Assurance Maturity Model from OWASP helps organizations assess, formulate and implement software security strategies through a self-assessment model. It can guide teams on software practices and provides tools for creating assessments, roadmaps and benchmarks.
- BSIMM v11: The Building Security In Maturity Model (BSIMM) framework is designed to help your team understand and plan (as well as measure) a new software security initiative. It uses real-world data from leading software security providers to help users follow some of the success that other organizations have already had in this space, including using shorter release cycles, automation and software-defined infrastructure.
- ISF AppSec Framework: This framework, from the International Security Forum, was developed to help companies improve their security at all stages of an app’s life. It outlines a number of best practice guidelines, and is supported by an iterative approach that ISF members can use to incrementally improve their software security across portfolios.
You may also find when looking for security partners that some companies have devised their own frameworks. To use ourselves as an example, at dig8ital we’ve taken the best aspects of each of the common application security frameworks and combined them into a ‘best of both worlds’ service; by taking components from each framework, we can offer a more versatile, tailored service without sacrificing any quality.
What can I do right now that will make an immediate difference?
All of the above takes time. So what can you do right now that could make a real difference to your organization’s security?
Ask questions. The act of asking the right questions to the right people kickstarts the change process in a healthy, constructive way. Gather your teams together and ask them four critical questions:
- What are we doing?
- What could go wrong?
- What are we going to do about that?
- Did we do a good enough job?
Some of these questions might seem easy at first, but soon you will start to encounter more difficult concepts:
- Have we identified all that could go wrong?
- Have we identified the best possible mitigation strategies for our foreseen security issues?
- How do we know that we have done enough?
Challenges to expect on this path to change
Resistance: With all change there is resistance. Your people may not want to move away from a system with which they are familiar, and your organizational structure might not easily adapt to the new changes. But everybody – dev, business, ops – must own their responsibility to deliver secure products. This could require new training, adjusting org structures, assigning champions to help promote change and placing a strong focus on education. You know why this needs to be done – they need to know, too.
Lack of experience: Expertise makes a real difference, and if your organization is doing all of this for the first time then you may simply lack the real-world knowledge of security best practice that is vital for a smooth transformation process. This is why so many organizations turn to a third party to help them with their security, to tap into that experience while they build it in-house.
Expectations: You can’t expect this process to move quickly. Change takes time, effort and cost. And if you don’t quite have the knowledge or skills to back up your ideas, it may also prove a challenge to get buy-in from the leadership team (another potential setback). On top of that, you can’t expect to start changing one aspect of your security and see the rest fit into place. Application security must start from several points, because there will already be some changes in the pipeline, and some products that have gone out to production.
What comes next?
If you want to drive down costs in your organization, you need to act now. Changes to your company culture, catching up with modern technological advancements, integrating security into all of your business processes – each will be as vital as the other if you want to become a truly secure business.
With the right expertise, you could drive these changes more effectively. And that’s where dig8ital comes in.
We have real-world experience across industries guiding organizations through this transformation process. We can help you avoid the mistakes of others while finding ways to get the most out of the unique aspects of your business.
To learn more about application security, sign up to our webinar here. Or, for a free maturity consultation, contact us today.