As they are, regulations and compliance obligations originated from well-meaning intentions, designed to protect companies, their customers and partners from the security breaches that have occurred over the years. The issue in today's security environment is that the bad guys are fully willing, and quite able, to shift their strategies as often as they need to. This is, quite literally, their full-time job.
Chasing the bad guys' methods around by adding new security controls that maybe “would have helped” to the compliance checklist has a very nasty side effect: the checklist never stops growing and never stops costing more. These checklists force companies to build safeguards and processes based on outdated technology, raising the security budget each year in both hardware/software costs and human resources. This approach no longer makes sense (if it ever did) in the current state of the internet security industry.
Adding insult to injury, the groups managing the various compliance standards never fess up publicly to their shortcomings, nor do they share any breach data that might help the industry understand what's working and what's not. Imagine a doctor prescribing medicine to a patient, but never taking the time to learn whether the patient's health improved or got worse as a result.
Companies need to invest in security solutions that create good security outcomes directly related to the way the business invests in its IT solutions and products, rather than relying on blanket compliance standards that may not make sense for them. For example, if the business spends the bulk of its IT budget on network infrastructure, it is only natural to spend the security budget protecting those network-based assets. If the lion's share of IT dollars is allocated toward software and software development, IT security should obviously invest heavily in software security – why would it be any other way?
Hack yourself first or wait for the bad guys to do it
Even with all the compliance obligations firmly in place, organizations absolutely must have a way to measure security gaps, because there will be some. The approach I've recommended for years is a concept I call “Hack Yourself First.” You might be more familiar with the terms “vulnerability assessment” or “penetration testing,” but those names don't articulate the reason they are important.
The bad guys will test and attack systems on a daily, even hourly, basis. The best way to know what vulnerabilities are most critical is to hack your organization the same way the bad guys will. This process allows businesses to locate the areas of weakness and get them resolved before a catastrophic event occurs.
As the headlines and most security reports show, one area of specific neglect for big business is website and application security. Think about the way the web works today: Individual business units create new websites – often without involving a security team; acquisitions and mergers quickly add new sites to a company's roster; one-off promotional websites proliferate faster than people can count; and agile software development has new code rolling out at a blistering pace.
This is today's web-centric enterprise, where identifying hundreds, thousands or even tens of thousands of website assets within an organization can be a daunting task. A new set of metrics needs to be put in place to help organizations evaluate their web security programs and determine progress, exposure and ROI.
The following six web application security metrics create a framework for evaluating your entire web security program with measurable results. By using web-scanning tools to “Hack Yourself First” and show where your company is exposed, you can measure and improve the following:
- Discoverability (Exposure)
- Exploitability (Threat)
- Impact severity (Risk)
- Vulnerability input (Pulse)
- Window of annual exposure rate (Frequency)
- Reduce remediation cost per defect (Savings)
These are not new ideas, but they are often not prioritized internally because other, more “official” security parameters take precedence. This must change.
Make security visible: Publish security metrics internally
To get everyone in the organization on board with security, which is almost never easy, program metrics and transparency are vital. Establish a set of meaningful metrics the organization wants to improve upon, measure them frequently and, most importantly, publish them internally by development group or business unit so that others can compare. This is where “Hack Yourself First” meets “Make Security Visible.”
By making security visible to the stakeholders, you'll find what many others have already found: The leaders at the top will feel their work is being appreciated and will want to keep their position. Good security remains constant and strives to improve. Those groups further down the list, perhaps nearer the bottom and most likely to be compromised, will be innately compelled to move up. Measurably weaker areas of the company are exposed where corrective action can be taken. This makes for efficient investment of scarce security resources.
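To make the six metrics and the per-unit ranking concrete, here is an added example (mine, not the author's or WhiteHat's) that builds a scorecard from constructed scan findings and sorts business units best-first for internal publication. The metric definitions (for instance, window of exposure as the number of days in the year on which at least one severity-4-or-higher finding was open, and mean time-to-fix as the proxy for remediation cost) and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

YEAR_START, YEAR_END = date(2011, 1, 1), date(2011, 12, 31)  # measurement year (assumed)

@dataclass
class Finding:
    unit: str              # business unit or development group that owns the site
    site: str
    severity: int          # 1 (info) .. 5 (critical); assumed rating scale
    exploitable: bool      # a working exploit is known for this class of issue
    found: date
    fixed: Optional[date]  # None = still open

def window_of_exposure(findings: List[Finding], serious: int = 4) -> int:
    """Days in the year on which at least one serious finding was open (overlapping findings count once)."""
    days, d = 0, YEAR_START
    while d <= YEAR_END:
        if any(f.severity >= serious and f.found <= d < (f.fixed or YEAR_END + timedelta(days=1))
               for f in findings):
            days += 1
        d += timedelta(days=1)
    return days

def scorecard(findings: List[Finding]) -> List[Dict]:
    """One row per unit, ordered best (shortest exposure) first, ready to publish internally."""
    by_unit: Dict[str, List[Finding]] = {}
    for f in findings:
        by_unit.setdefault(f.unit, []).append(f)
    rows = []
    for unit, fs in by_unit.items():
        ttf = [(f.fixed - f.found).days for f in fs if f.fixed]  # time-to-fix of closed findings
        rows.append({
            "unit": unit,
            "sites": len({f.site for f in fs}),                                        # Exposure
            "exploitable_pct": round(100 * sum(f.exploitable for f in fs) / len(fs)),  # Threat
            "avg_severity": round(sum(f.severity for f in fs) / len(fs), 1),           # Risk
            "new_findings": sum(YEAR_START <= f.found <= YEAR_END for f in fs),        # Pulse
            "window_days": window_of_exposure(fs),                                      # Frequency
            "mean_ttf_days": round(sum(ttf) / len(ttf), 1) if ttf else None,           # Savings proxy
        })
    return sorted(rows, key=lambda r: r["window_days"])

# Constructed sample findings, not real scan data.
SAMPLE = [
    Finding("Payments", "pay.example", 5, True, date(2011, 1, 10), date(2011, 1, 20)),
    Finding("Payments", "pay.example", 4, True, date(2011, 1, 15), date(2011, 1, 25)),
    Finding("Marketing", "promo.example", 5, True, date(2011, 2, 1), date(2011, 3, 3)),
    Finding("Marketing", "promo2.example", 3, False, date(2011, 6, 1), None),
    Finding("Marketing", "promo3.example", 4, False, date(2011, 12, 1), None),
]
```

Running `scorecard(SAMPLE)` ranks Payments (15 exposed days, everything fixed in 10 days) above Marketing (61 exposed days, one critical still open at year end), which is the kind of side-by-side comparison the text recommends publishing.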
Don't let the bad guys know your vulnerabilities better than you do. Hack Yourself First.
Jeremiah Grossman is the founder and chief technology officer of WhiteHat Security. He will be hosting an interactive Twitter event at RSA, an hour of chatter, followed by some prize giveaways: bit.ly/xYFlK7 <http://t.co/4qmJkLzO>