How to create an effective application security budget for your organization

Mar 3, 2020 | AppSec Classroom


Cyber security is a broad area that includes disciplines such as network security and application security. If you are a CISO responsible for the cyber security budget, you know that proper protection is key. Cyber attacks can cost your business more than a million dollars, and that number is based on conservative estimates. The real cost of an attack includes damage to your reputation, future lost sales, and plummeting stock prices.

In this post, we focus our attention on application security, sharing our top 5 tips for an effective application security budget. Our goal is to help you get the biggest bang for your buck to maximize application security as part of a comprehensive cyber risk management program.

5 tips on how to create an AppSec budget

Tip #1: Build in application security from day one 

We cannot stress enough the importance of this best practice. AppSec tools should be run continuously throughout development. It takes far less time and money to fix issues as soon as they arise.

That way, vulnerabilities are addressed immediately—before the next stage of the build—so you have less code to change. Catching issues during development also saves you from the reputational damage that comes with an attack.

Tip #2: Use a combination of open-source and commercial AppSec tools 

A comprehensive application security program includes the use of a variety of AppSec testing tools. Best practice is to use a combination of Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools, Interactive Application Security Testing (IAST) tools, and threat-modeling tools, as well as penetration and manual testing. 

Using such a large number of tools can eat up your AppSec budget, so we recommend going for a combination of commercial and open-source tools. Use open-source tools such as OWASP ZAP wherever possible. Turn to commercial tools for those areas that are still not getting the vulnerability scanning needed for a secure application. Consult this resource from OWASP for more information on open-source application security testing tools to make sure you use them properly and whenever possible. 

Tip #3: Leverage the power of metrics 

AppSec metrics allow you to see how security is improving over time and help developers do their jobs more efficiently and effectively. You'll be able to show your managers that the number of new vulnerabilities found is decreasing, even as new code is being written.

Metrics on the types of vulnerabilities most often found will help you strike the right balance as you allocate your budget. You will be able to identify the more severe threats, which require immediate attention and may demand more resources. You will also be better able to monitor the ROI of your efforts. 

Tip #4: Hire skilled workers and provide education 

Qualified employees demand a higher salary, but they will save you money in the long run. Employees who are properly trained in application security testing and remediation will know how to address an issue swiftly and accurately, reducing the cost associated with an attack.

You'll also want to consistently educate employees (no matter how qualified they are) about the importance of application security. It should be clear that it's not OK to let potential threats or vulnerabilities go unattended, even if a deadline is looming.

We often find this calls for a mentality shift that requires CISOs to demonstrate through their actions how important application security is. For example, if developers have a looming deadline for the next phase of a project, but an important security vulnerability is found, you can show your commitment to AppSec by pushing the next deadline back on the build so the vulnerability can be addressed first. 

Tip #5: Use an application vulnerability manager to save time and money 

An application vulnerability manager streamlines the AppSec process, allowing your team to keep pace with development timelines without letting security fall through the cracks. This tool ingests and correlates the results from the wide array of AppSec testing tools your team is using (saving your team from the time-consuming hassle of manually sorting through results). 

It de-duplicates results and provides one clear report showing which threats are real and most likely to be exploited. You can easily prioritize vulnerabilities and make informed decisions about where to spend your budget.

An application vulnerability manager also enables your developers to address issues within their preferred working environment. If you have someone working in Eclipse, for example, they can view, address, and report on security issues and then get right back to work. Integration into their workflow saves time in the remediation process. You can also automatically select and run a number of open-source SAST tools and third-party analyzers, making sure you leverage as many free tools as possible.
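As an added illustration of Tips #3 and #5 (not code from the original post or from any particular product), this Python example takes constructed findings from two SAST tools and a DAST scan, correlates and de-duplicates them into one record per weakness and location, ranks them for remediation, and computes the per-type and new-since-last-scan metrics a CISO would report. The tool names, file paths, and findings are invented for the example.

```python
"""Correlate, de-duplicate and prioritise AppSec findings from several tools."""
from collections import Counter

# Constructed sample output, already normalised to one record shape (a real
# vulnerability manager parses each tool's native JSON/XML/SARIF first).
SAST_A = [
    {"tool": "sast_a", "cwe": "CWE-89", "location": "app/db.py:42", "severity": "high"},
    {"tool": "sast_a", "cwe": "CWE-89", "location": "app/db.py:42", "severity": "high"},  # reported twice
    {"tool": "sast_a", "cwe": "CWE-798", "location": "app/config.py:3", "severity": "low"},
]
SAST_B = [
    {"tool": "sast_b", "cwe": "CWE-89", "location": "app/db.py:42", "severity": "critical"},  # same bug
    {"tool": "sast_b", "cwe": "CWE-79", "location": "app/views.py:17", "severity": "medium"},
]
DAST = [
    {"tool": "dast", "cwe": "CWE-79", "location": "GET /search", "severity": "medium"},
]
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def correlate(*sources):
    """Merge records for the same weakness at the same location into one,
    keeping the set of reporting tools and the highest severity assigned."""
    merged = {}
    for finding in (f for src in sources for f in src):
        key = (finding["cwe"], finding["location"])
        rec = merged.setdefault(key, {"cwe": key[0], "location": key[1],
                                      "tools": set(), "severity": "low"})
        rec["tools"].add(finding["tool"])
        if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = finding["severity"]
    return list(merged.values())

def prioritise(findings):
    """Highest severity first; ties broken by how many tools agree."""
    return sorted(findings, reverse=True,
                  key=lambda r: (SEVERITY_RANK[r["severity"]], len(r["tools"])))

def new_since(previous, current):
    """Findings in `current` absent from `previous`: the trend metric."""
    seen = {(r["cwe"], r["location"]) for r in previous}
    return [r for r in current if (r["cwe"], r["location"]) not in seen]

def metrics(findings):
    """Counts per CWE and per severity, for allocating budget by threat type."""
    return {"by_cwe": Counter(r["cwe"] for r in findings),
            "by_severity": Counter(r["severity"] for r in findings)}
```

Running `prioritise(correlate(SAST_A, SAST_B, DAST))` puts the SQL injection confirmed by both SAST tools at the top with severity `critical`, while the two XSS findings stay separate because the DAST location is an endpoint rather than a source line.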

It may seem like an insurmountable obstacle to create a comprehensive application security program that fits within your budget. The right blend of people, tools, and processes, however, does make it possible to create an effective AppSec program that directs your budget to the right areas.
