Secure Application Development - A Preventative Approach That Pays
A new research report from Aberdeen Group discusses the integration of secure application development tools and practices in enterprise organisations.
In fact, all respondents ... experienced a positive return on their annual investments in application security. The clear takeaway is that application security initiatives of any kind represent extremely good business value.
The report Security and the Software Development Lifecycle: Secure at the Source examines the strategy of integrating secure application development tools and practices into the analysis, design, implementation, testing, release and deployment stages of application development, i.e. more of a controls-based approach than a verification-based one. This is in contrast to two other strategies Aberdeen had defined — Find & Fix (the use of application vulnerability scanning and penetration testing methods to identify security vulnerabilities in production applications), and Defend & Defer (enhancing the security of applications through the use of web application firewalls and application-level proxies).
Aberdeen had noted that whilst all three strategies provided a positive return on investment, Secure at the Source (i.e. prevention) was the least commonly implemented, and provided the greatest return: "a very strong 4.0 times return on their annual investment". The conclusions were based on a survey of 150 enterprise organisations, each with an average of about 130 deployed applications, of which around 40% were business critical applications. But the financial figures need to be understood.
These organisations spent on average $400,000 per annum on application security initiatives (i.e. slightly over $3,000 per annum per application on average), including both technology and people/process aspects. Secure at the Source required greater investment, but realised a higher return because more application vulnerabilities were identified and remediated prior to deployment. The report states that the average cost of remediating a single application security incident is about $300,000, but it is not clear exactly what this figure includes or excludes.
In other words, successful prevention of a single [application security-related incident] occurrence nearly offsets the total annual cost of the average organization's application security initiative.
These are dramatic numbers. The $300,000 has a large influence on the calculated four-fold return on investment. I have mentioned budgets (e.g. The Value of Security in Your Organisation, Seven Information Security Reports) and security in the development lifecycle (e.g. Enterprise Security Survey 2011, Real World Enterprise Application Security Programmes, Security Development Lifecycle for Agile Development, All About Web Application Security Programmes, Building a Software Security Assurance Programme) in previous posts. But prior to now there has been little data available on the return on investment, which makes this new report very welcome. And, it actually seems to support a similar return on investment for enterprise data protection (much broader than applications alone) identified in a 2009 report (Business Case for Data Protection, Study of CEOs and Other C-level Executives) by the Ponemon Institute, of up to 4 to 1 in organisations that assessed this aspect.
Of course, you don't need to have incidents that cost on average $300,000 to justify application security investment; you just need to spend proportionately. And the benefits of Secure at the Source may also include greater enterprise security intelligence (ESI), or benefits to end-users such as greater safety, privacy, data integrity and availability of the process.
However, the Aberdeen report may not be able to tell the whole story. Firstly, some application security techniques do not fall neatly into the three-way strategic split used in the analysis. The best example of this might be application-layer intrusion detection, which is built in during development, dynamically defends against attacks in production, and is also a method of finding unknown vulnerabilities which attackers are attempting to exploit. Secondly, although I'm sure it's not meant to be a definitive list, the "solutions landscape" included in the report is rather patchy in its coverage of SDL tools and practices. Lastly, details of the businesses' locations and sectors were not provided, so it is difficult to make more general comparisons.
But even with these slight concerns, enterprises and smaller organisations will be able to learn much from the report, which is currently free to download, upon registration.
Posted on: 18 January 2011 at 08:57 hrs

http://www.clerkendweller.com/2011/1/18/Secure-App...
Can you provide me with a copy of the report, or a way to register so that I can get a free download of it?
Thanks
Neil Andrew
http://www.microsoft.com/download/en/details.aspx?...