It does cost more to produce a secure product than an insecure product.

Most people will still shop somewhere, go to a hospital, or enroll in a university after they have had a data breach.

Why do we spend on security?  How much should we be spending?

• Security imposes extra costs on organizations
• The "security tax" is relatively well knnown for network and IT security - 5 to 10% (years of Gartner, Forrester, and other studies)
• No comparable data for development or web apps
• Regualtions and contracts usually require "reasonable measures".  What does that mean?

OWASP Security Spending Benchmarks Project

• 20 partner organizations, many contributors
• Open process and participation
• Raw data available to community

Reasons For Investing in Security

• Contractual and Regulatory Compliance
• Incident Prevention, Risk Mitigation
• Cost of Entry
• Competitive Advantage

Technical and Procedural Principles

• Managed and Documented Systems
• Business-need access
• Minimization of sensitive data use
• Security in Design and Development
• Auditing and Monitoring
• Defense in Depth

Specific Activities and Projects

• Security Policy and Training
• DLP-Type Systems
• Internal Configurations Management
• Credential Management
• Security in Development
• Locking down internal permissions
• Secure Data Exchange
• Network Security
• Application Security Programs

The 10000' View For Most Organizations

• Legal and Regulatory Compliance: Because we have to
• Incident Prevention, Risk Mitigation and Cost of Entry: Because this is what everyone else does
• Competitive Advantage: Really?

Regs are Not App Sec Friently...

• Regulations, contracts, and RFPs are usually based on the notion of "reasonable effort" - state regulations, HIPAA, FTC, SEC, Red Flags Rule
• When regulations do get technical, they focus on old school security fetishes like firewalls, SSL, encryption, biometric passes and server rooms

A Few Examples

• PCI Prioritized Approach
• Massachusetts 201 CMR 17.00
• The encryption exemption in state data breach notification laws
• HIPAA Notification Form
• Recent SEC Action
• Most of the contracts/RFPs/Vendor security whitepapers I have seen...

A Real World Example of Where Your PII Lives...

• Small company with a few dozen employees sells widgets over the Internet
• Pay an outsourced team to develop a Joomla/Drupal/whatever site to build a widget-lovers community where users can connect.  All sorts of PII involved in the app
• They deploy their site on a shared hosting/VPS model and basically only interact with the App from a web admin interface
• They know a bit about the technical details of their app but not much.  Actually, no actual web developers were really involved in the building or deployment of the app

Here is What Company A Did...

• Asked their developer team in India to develop code securely.  Referenced OWASP Top 10 or similar list.
• Told their dev team that services and DB users needed to run with minimum privilege.  Dev team balked.  Company A agreed to pay a bit extra.
• ...
• ...

Here's What Company B Did...

• Installed anti-virus on all employee machines
• Bought a firewall for the corporate network
• Maybe even got two-factor tokens for network access
• Made sure everything is going over SSL everywhere,.
• Put a biometric reader in the data center
• Encrypt all laptops

Company B is more likely to be in compliance with state laws and other regulations.

Company B is also more likely to suffer a data breach.

So the only thing left to finance your application security program is the "reasonable spend" argument...

As a community we need to get some consensus on what constitutes a reasonable spend...

About the OWASP Security Spending Benchmarks Project

• First survey focused on general web application spending.
• Second survey focused on cloud computing.
• Responses currently being gathered for third survey
• Approximately 50 companies profiled in each case
• We do not collect IP addresses
• Most of the partners are security vendors
• Relatively small respondent base
• Meant to stimulate a discussion on security spending benchmarks

Percentage of Development Headcount Spent on Security

• 41% had less than 2%
• 20% had 5-10%
• 18% didn't know
• 10% had 2-5%

Percentage IT Budget on Web Application Security

• 33% don't know
• 24% had 5-10%
• 12% had 1-5%
• 12% had 10-20%

Organizational Responsibility for Security Reviews

• 67% in IT Security

47% of companies surveyed provide developers with security training via internal resources.

• Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
• Web application security spending is expected to either stay flat or increase in nearly two thirds of companies
• Half of respondents consider security experience important when hiring developers

Cloud Summary

• SaaaS is in much greater use than IaaS or PaaS.
• Security spending does not change significantly as a result of cloud computing.
• Organizations are not doing their homework when it comes to cloud security.
• The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.
• Compliance and standards requirements related to cloud computing are not well understood.

Future of Project

• Currently collecting responses for the third survey
• Partners assist in promoting survey, analyzing results, and providing strategic input
• Current status of project can always be found on OWASP website
• New partners are always welcome