The current state of application security practice is grim.

As the enterprise gradually extends out into the world via the Internet, organizations are increasingly exposed to the risk of fraud, revenue loss and damage to their reputation through the misuse of their homegrown or packaged software applications.

How can businesses determine the cost versus the benefits of securing their applications? That question, once seemingly simple, becomes practically impossible to answer when put into the context of the risk posed to the future of the operation from nebulous variables such as malicious hack attacks.

To help businesses make such difficult calculations there is an emerging school of thought known as 'return on security investment' (ROSI). The basic concepts have been around for years, but the industry as a whole is finally beginning to pay attention to the principles contained in this evolving body of work.

The basic tenet of ROSI is that security investments cannot be measured using traditional cost-benefit models, because the threat from security risks is so varied that it cannot always be defined or quantified. Although actuary data has not been collected for a sufficiently long period of time, applied research shows that the business risks against which adequate information security may protect businesses vastly exceed the investment in planning and implementing a well-balanced information risk management and security policy.

What ROSI seeks to offer companies is a mathematical interpretation of various data sets to assess risks and help define the threat more clearly. In this way, we can go some way towards quantifying the risk posed to any given organization, and the concomitant return upon security investment made by said organization. This data is required because, even in a world clamoring for security, the reality of corporate budgets and the necessity of productivity gains dictate the need for clear justification for each and every expense.

Security is rarely an end goal unto itself. Instead, security is a means to achieve other goals such as software quality, reliability, flexibility and reputation protection.

The Current Market

Security is most often equated with creating a fortress around one's data, which is a very dangerous assumption in today's highly interconnected world. The focus upon this model of security has led to a dangerous reliance upon firewalls and other network infrastructure elements as the endgame for purportedly security-conscious organizations.

In order to be truly secure, a company must assess and review each and every element of its IT infrastructure. Strangely, the very applications that are most crucial for generating revenue and creating competitive advantage - the core of most businesses' very existence - are most frequently overlooked during a security review.

@stake analyzed 45 e-business applications to profile the state of application security as it is practiced today. The applications themselves were the focus of the research for two reasons: application-level attacks can traverse most firewalls with ease, and as Willie Sutton, one of America's most famous bank robbers, once put it, "there's where the money is."

The applications analyzed were responsible for generating $3.5 billion in revenues for the clients in question, and the data was gathered over an 18-month period (from February 2000 to July 2001). Applications in the analysis included commercial packages from leading software companies, middleware platforms and end-user e-commerce applications.

The research reveals empirical detail on nine classes of common security flaws that cause applications to become insecure. The findings also indicate that 70 per cent of defects found within the applications originate at the design rather than the implementation phases of the software life cycle (i.e., they could have been avoided with more careful design procedures). Moreover, nearly half (47 per cent) of application security defects should be regarded as significant design flaws, meaning they are both readily exploitable and could cause significant loss of reputation or revenue.

In total, it is estimated from this and other research that 30-50 per cent of the digital risks facing IT infrastructures are due to flaws in commercial and custom software.

There is a Better Way

But implementing security and measuring its return doesn't have to be a gamble. Further research clearly demonstrates the tangible return on investment from moving security further up the value chain to the design phase of any project or application. There is no network or application as secure as the one into which security has been designed from the outset.

According to software quality assurance empirical research, one dollar required to resolve an issue during the design phase of an application grows into $60 to $100 to resolve the same issue after the application has shipped. In applying the principles of secure software engineering to the development of a typical application, some very compelling ROI figures emerge.

Findings indicate that significant cost savings and other advantages are achieved when security analysis and secure engineering practices are introduced early in the development cycle. The ROI ranges from 12 per cent to 21 per cent, with the highest rate of return occurring when analysis is performed during application design (versus either implementation or testing).

In one example, the cost of fixing four security defects found in a typical enterprise-class application totaled $24,000 during the testing stage. If the defects had not been discovered until after deployment, the cost could have soared to nearly $160,000 (excluding indirect costs such as loss of trust or public relations expenses).

What Can Application Developers Do?

The research conducted by @stake revealed nine common classes of security flaws within applications, but all applications are not created equal. Within the set of applications analyzed, the best-designed ones only one-quarter of the security defects of the worst. As a result, these applications carry 80 per cent less business-adjusted risk than the least secure.

From this data, there are six key patterns that emerged as defining best practice for application developers:

  • Early design focus upon user authentication and authorization (62 per cent of applications in the research suffered in this category).
  • Mistrust of user input (input validation errors plagued 71 per cent of the applications in the sample).
  • End-to-end session encryption (session hijacking was possible in 31 per cent of the applications).
  • Safe data handling.
  • Elimination of administrator backdoors, misconfigurations and default settings.
  • Security quality assurance.

What Can End-Users Do?

As noted before, not all applications are created equal. While the developers themselves have a burden of compliance, there are also steps that end-users can take to help mitigate the inherent risks of the software that they use.

Our research has shown that the least secure applications carry approximately six times as much business risk as the most secure. Companies should take the following six steps to help protect themselves against insecure products:

  • Stop depending upon the firewall
  • Act up
  • Educate application developers
  • Assess early and often
  • Engage finance and audit
  • Get outside help

The Bigger Picture

We have established that ROI is difficult to quantify directly on an operational basis when dealing with investments in security. But we have also presented a strong case for making security a priority, both at the application development level and at the end-user organization.

Effective security is not only about prevention; it's also about preparation. The ability to mount a timely and appropriate response to incidents is a crucial element of the equation, and one often overlooked by companies when evaluating the return on their security investment. The simple truth is that it is impossible to fully secure any business against attacks (don't believe the hype!). Implementing policies, procedures and systems that give your company a fighting chance of recovering quickly and effectively from an attack is - in real terms - invaluable.

But security is not 'one-size-fits-all,' even though many vendors make the claim to help sell their packaged solutions. Taking the right approach to security is paramount when dealing with the issue. Aligning appropriate policies and solutions to the business model and IT infrastructure yields not only the best security, but also the most cost-effective security with both top- and bottom-line benefits.

Recent research from @stake reveals that, in addition to providing the obvious benefit of appropriate security, custom-tailored security solutions can actually increase network throughput by 3 per cent or more. This quantifiable benefit is supported by softer benefits such as decreased maintenance costs and increased revenue (not to mention the reduction in successful attacks).

Together, these big picture facts go some way towards making the ROI case for security.

Summary

Security should not be viewed just as a cost center against which return must be measured in day-to-day operations. In addition to being mission-critical for just about any organization today, an appropriate approach to security can have a 'benefit halo' for the organization as a whole. The main metrics of adequate ROSI are based on higher productivity and the management of risk, including catastrophic business failure.

Security flaws designed into packaged software are common and extremely dangerous. These faults can be exploited to launch attacks against an organization that is otherwise extremely secure. Thus, without a proper understanding of the risks posed by off-the-shelf software packages, one could arguably claim that the return on all other investment in security at end-user organizations is greatly diminished.

Genuinely secure computing requires a holistic approach and is never complete - it demands constant attention and assessment. The good news is that, in addition to securing the organization against threats internal and external, security often presents ancillary benefits that increase the overall value returned on the investment.

The return on security investment will continue to be extremely difficult to quantify, but in the end the case for security is generally more compelling than the argument against it (i.e. staying in business versus going out of business).

Bob Ayers is director of business risk services, @stake (www.atstake.com). He may be reached at londonfd@atstake.com.