Application security is a business problem.
Nearly 70% of hacks occur at the application layer, but only 2% of IT budgets are spent on application security. This imbalance leaves a huge attack surface unaddressed. What are Fortune 500 security leaders doing to close this gap?
Jamil Farshchi, CISO of Time Warner, and Fares Alraie, Senior Director of Product Security at a leading global payments technology company, reveal their approach to application security in an exclusive webinar we co-hosted with Information Security Media Group (ISMG).
Here are the highlights:
Early security is better security
For a while, firewalls were thought of as the only way to protect today’s complex, modern application environments. But firewalls are easy to bypass.
The first step to withstanding attacks is to implement a Secure Software Development Life Cycle (SSDLC) program from the get-go. A proper SSDLC supports the fast pace of development and reduces the margin of error with secure coding, scanning, and testing tools. The sooner you integrate security, the faster you can deliver to market. Otherwise, you confront high costs and efficiency breakdowns while finding and remediating vulnerabilities post-production.
Testing and visibility do not equal attack resistance
The bad news? SSDLCs are difficult to implement. First, today’s code analyzers and security testing tools identify -- but do not fix -- vulnerabilities (a big difference). Second, knowledge is not necessarily power in this case: after the testing phase, the business burden that is application security falls on developers, who are not security experts by training.
Proper application security should not burden agile development. Fortunately, there are new, SSDLC-friendly application security technologies like Runtime Application Self-Protection (RASP) that provide significant ROI by lowering risk, expediting time-to-market, and relieving the strain on internal resources.
So how do you make the business case for such modern application security solutions?
Making the case: What's your appetite for risk?
Enterprise executives -- not just CISOs -- manage risk. The process for obtaining buy-in for application security is a function of risk management.
Here’s the approach that Jamil and Fares discuss in the webinar:
Make business fluency an organization-wide priority. Ensure all departments understand how your organization creates and measures business value.
“[I]t’s really about having a team that is armed with how the business creates value, and what is critically impactful to the business itself. With security folks, you often get individuals who are deeply knowledgeable about vulnerabilities and their protection mechanisms, but aren’t quite as familiar with how the business operates, what the business processes actually are, and how value is generated.” - Jamil Farshchi, CISO of Time Warner
Characterize risk and establish a universal terminology. Understand the criticality of your assets and the value of threat detection or prevention. Calculate the full brand and dollar impact of an insecure environment. Integrate risk terminology into the lexicon of the organization as a whole so that everyone is speaking from the same context.
Communicate these risks to the business and set an acceptable threshold. Businesses rely on their applications and data to create value. When vulnerable applications pose serious risks, seek full immunity against data leakages and other breaches. Aim for active prevention, not just visibility, and demonstrate to the rest of the organization how it promotes business growth.
“Dialogue is essential. Sure, we all know that we need to be better, faster, cheaper. But at the same time we need to make sure we’re not taking undue risk when we’re building an application and taking it to market. So I think if you have a meaningful program in place where you’re able to identify those risks, communicate them effectively, and describe what the impacts may be, you’ll be able to find that balance between supporting and enabling the growth of the business as a whole while at the same time managing risks appropriately.” - Jamil Farshchi, CISO of Time Warner
Empower developers to embrace security early on. Make security “business as usual”. This can be done by creating a security ambassador program or a joint task force for application developers to merge and broaden skill sets, or by giving developers actionable visibility into vulnerabilities or frictionless, automatic runtime self-protection tools.
“At the payments company I was previously with, we had a Security Champions program where we empowered developers to be our advocates and built goodwill ambassadors from inside the development organization.” - Jamil Farshchi, CISO of Time Warner
“It is essential for the modern security organization to get business involved in building the application security program itself. You want them to be stakeholders and partners. You want them to feel that they are doing the right things with you, and that you’re not coming in to police them to say ‘thou shalt do A, B and C.’” - Fares Alraie, Senior Director of Product Security at a global payments technology company
Meaningfully measure your program and its effectiveness. Adopt a maturity model and regularly assess what’s working to drive value, how you’re managing risks or saving costs, and where there are weaknesses. Drive a dialogue with the business and communicate these learnings as a value-add to the shaping of a product roadmap and/or risk profile.
According to Jamil and Fares, modern application security is vital to a strong business trajectory. While it should be centrally driven by a security team or leader, all business stakeholders have a vested interest.
Watch the full webinar recording below:
If you have any questions/comments or would like to take a closer look at Prevoty’s RASP offerings, please contact us.