Jeremiah Grossman
For the last several years, data compromise has been a key driver of the web application security market. Security budgets are often justified through risk management, closely related to loss avoidance or boosting the bottom line (income after expenses). More hacks translate into an increased security budget. “We must spend $X on Y so that Z never happens again, which would save us an estimated $C in incident-related loss.” We can thank mass SQL injection worms for the wake-up call.

Recently, however, I'm witnessing a shift that may signal the start of a trend. Security spending is now being justified because it directly affects the top line (income before expenses), specifically for companies focused on cloud computing. “If we spend $X on Y, we'll make customers happy, which has an estimated financial upside of $C for our organization.”

A big part of my job is speaking with customers, many of whom provide software-as-a-service (SaaS) solutions for IT outsourcing – a fast-growing market as organizations look to cut costs. I'm hearing more stories of prospective enterprise customers concerned for the safety of their data, putting these vendors under the security microscope. Enterprises understand it is their reputation on the line should anything go wrong, even if the vendor is to blame.

If a would-be cloud/SaaS customer is concerned about security, then security should be the vendor's concern as well. Unless the vendor is able to meet a customer's minimum requirements, they risk losing the business to a competitor who can.

This market dynamic encourages the proper alignment of business interests and establishes a reasonable baseline security bar. Another side benefit of this business model is that multi-tenant systems are at least as secure as the most demanding customer. Security investments meant to satisfy one customer directly benefit the rest.

To manage the risks of outsourcing, many enterprises are requiring SaaS vendors to pass a web application assessment prior to closing the deal. If the vendor already has a reputable third-party firm providing such assessments, those reports, provided they are clean, will usually satisfy the prospective client. If not, the enterprise will engage an internal team or a third-party assessment provider at its own expense.

The consequences of weak cloud security are real and potentially devastating to a business. If serious issues are identified, which is fairly common, the best-case scenario is that the sales cycle slows down while the vulnerabilities are fixed. This could take weeks, if not longer, and initiate disruptive fire drills that pull developers from strategic projects in order to fix vulnerabilities and close near-term business.

In the worst case, accounts may be lost due to a loss of customer confidence, or word could spread that a vendor's security is subpar, causing irreparable damage.

For this reason, the move to “the cloud” incentivizes organizations to make a substantive investment in web application security or risk losing business from savvy customers. And, after vendors put a program in place, the investment can be used as a competitive advantage. Vendors will volunteer their security reports and program details upfront to prospective customers. As enterprises shop SaaS payment processors, e-commerce hosting and financial applications, they will expect to receive the same disclosure from all vendors, who may not be in a position to deliver.

Security managers should take the time to ask the sales department how often “security” is a part of the buying criteria for customers. This could be an excellent opportunity to align your goals with the business.
Jeremiah Grossman is founder and CTO of WhiteHat Security, and a co-founder of the Web Application Security Consortium (WASC).