Posted September 03, 2013
Software Security: Balancing Resources and Risks
Security and software have to go hand in hand, but not all teams are equally equipped. Some organizations retain security experts, some hire consultants, some use multitasking developers. If your company can’t afford a dedicated security expert or team, consider these points.
Software security practices vary greatly among companies depending on their stage of maturity, the industries they serve, and decisions made at business and IT levels. When budgets don’t allow for full-time security experts, businesses must decide who manages the risks.
Having a dedicated security staff doesn’t take developers off the hook. Rohit Sethi, VP at consulting firm Security Compass, said even when companies have resident security experts, developers generally outnumber them 200 to 1. The security experts tend to focus on high risk Internet-facing applications, leaving developers to handle the rest. Sometimes consultants are brought in to supplement existing resources, but even then developers need to be smart about security practices.
What’s Good Enough
Businesses are often reminded that software security is not optional. Aside from the headlines about multi-million dollar losses and the damage such breaches cause to brand identities, companies may have to beef up security to comply with a new regulatory mandate, rectify an audit, or prove to a customer that the company’s security practices are what the company claims.
“There are some companies, such as financial institutions, that are progressive about security because security is tied to their brand,” said Sethi. “In other industries, like retail and small independent software vendors, it’s less clear to the decision makers whether it makes sense to invest in security rather than features from an ROI standpoint. Some of them may not take security seriously because they don’t think their customers are sophisticated enough to make purchasing decisions based on the security measures their companies take.”
High-profile breaches appearing in the media typically involve large, brand-name companies. For every one of those breaches, countless smaller breaches go unreported. In the UK, more than 80% of small and medium enterprises (SMEs) were breached in 2012.
Gyutae Park, co-founder of Moneycrashers.com, an online investing community, said his small company has been fortifying its security practices out of necessity. “Hackers used to target big corporations and left the smaller guys alone, but that’s not the case anymore,” said Park. “The larger corporations have gotten much more adept at handling security so many hackers are now focusing on smaller companies.”
Because general awareness of software breaches has increased, incidents are down at some companies, particularly the large ones whose reputations have been marred by repeated breaches.
“Companies like Microsoft know that people are making purchasing decisions based on security,” said Security Compass’ Sethi. “If you look at Microsoft and Verizon you’ll see a decrease in total incidents because there is more knowledge about common security vulnerabilities.”
SQL Server injections are common but when Sethi used to ask training students which of them knew what they were, only one or two would raise their hands. Now about 10 people raise their hands because there is a lot of information about such attacks on the Web and in the media.
However, awareness and knowledge are not the same.
Risks Versus Resources
Balancing risks and resources isn’t easy since time and budgets are always limited, and not everyone in a decision making capacity understands the tradeoffs.
Automation is a fairly easy concept to sell to management because the ROI is apparent: More can be accomplished in less time with less human effort. That’s why automated network scanners, web app scanners, and patch management tools have become so popular. Automated tools are not designed to reveal all the potential vulnerabilities, however.
“If you rely on a scanner to find vulnerabilities and have no additional security measures you may be wasting your efforts because the false positives cost development time,” said Sethi. “Scanning solutions find about 40–45% of security vulnerabilities so you’re leaving yourself open to a lot of risk.”
Risk assessments are also popular, although Sethi said doing a risk analysis earlier in the lifecycle can save time and money. “When you find something in production it’s much more expensive than finding it earlier in the lifecycle,” said Sethi. “There are projects like the OpenBSD application security standard where you can reverse engineer to see whether your application has a security control or not. If your application lacks the control, figure out how much risk it represents. Then ask if you have a business case that justifies addressing the risk now rather than focusing on a feature. That way you can understand your risk without finding specific instances of it.”
Because the best security is invisible, security investments can be harder to sell to management than product features. Unlike product features, security is not usually linked to positive ROI. It is associated with potential losses. To overcome that hurdle, Sethi suggests demonstrating a breach.
“If you haven’t done any security analysis, find someone to do a vulnerability test and record it on video. Then show it to management and tell them what the impact would be, whether that’s losing customers or making page one headline news,” said Sethi.
It also helps to point to actual incidents that have affected similar companies including the cost of the breach. “Balancing financial and human resources with security risks is a challenge, but one thing the organization must consider is the potentially devastating costs of a security breach,” said Money Crashers’ Park. “When viewed in that light, the organization should pare down expenses in other areas to free up funds to bolster security procedures and staffing.”
Because it’s usually not practical to handle all security risks simultaneously, risks are typically ranked high, medium, and low so that priorities can be set. High priorities are addressed most immediately, medium priorities are addressed later, and low risks are addressed last, if at all.
“When a business person is deciding to accept a risk or not, they’re assessing the likelihood that the software will be hacked,” said Sethi. “Low-risk vulnerabilities are generally accepted with the caveat that some will get exploited. The best approach is to ask how valuable your data is and what would happen if it was compromised.”
He also said it’s wise to get signoff on the prioritization of risks since a business person ultimately has to decide whether to focus on a feature or a security vulnerability.
Balancing Internal and External Resources
In the absence of a breach or a regulatory mandate, bias may determine whether or not an organization uses multitasking developers, consultants, or a combination of the two. When organizations rely on developers, it is usually the lead developers who end up in the training sessions, Sethi said.
“When one of those developers grows into the security expert it’s going to pay dividends over time,” said Sethi. “If you hire security consultants or third parties, you’ll still need security expertise when they leave.”
Security certifications are one way to verify knowledge but in the absence of a budget and approval for that, developers should start acquiring knowledge any way they can, including free online resources. “Most shops are way behind on features and don’t have the budget to invest in training for anything. You have to start somewhere so make sure people are taking training and learning from it,” said Sethi. “You can pave a path to certifications but the important thing is to get started. Since new time doesn’t exist, anything is better than nothing.”
In-house expertise also proves valuable when consultants are hired because someone has to understand what the consultants are doing, what the results are, and whether the company is getting value for its investment. Before hiring a security consultant, Sethi said, ask the following questions:
- Do you have a development background? If not, the consultant may not know how to translate security speak into development speak.
- Do you have references? The consultant should have relevant experience and references that are willing to talk.
- Are your methods repeatable? Some security consultants are “artists” who love hacking, hate constraints, and don’t like being told what to do. While constant innovation is the mark of a great hacker conference, in enterprise settings repeatability is important.
- Can you explain your approach? They should be able to tell you what they looked for and what they didn’t look for, as well as the constraints of a penetration test.
- Will you tell me how to remediate the problem? Identifying vulnerabilities is only the first step in resolving them.
“Understanding the vulnerabilities of Java, .NET, and Ruby on Rails is not rocket science. You can train a developer on these things in six months to a year,” said Sethi. “I’ve walked into development teams in which one developer decided to take on security and knew as much as a security consultant would because they spent time on it.”
Bottom line: There are many ways to handle security. The trick is balancing risks and resources in ways that are in the best interest of the business. Regardless of how security is handled, it is wise to have some level of expertise in house to fight the battles that need to be fought and to ensure that third-parties are delivering value for the money.
“Organizations must proactively address security risks, not just after a breach occurs,” said Money Crashers’ Gate. “You’ve achieved a good balance when you can thwart hacks and other breaches.”