Sep 19, 2018
When it comes to application security, what you measure is almost as important as what you do. If you aren’t measuring your efforts by tracking and analysing your results, you will end up with an incomplete and ineffective program, without the support, funds or focus required to protect your organisation against security breaches. Today I’m looking at 3 risks you run by not properly measuring the efficacy of your application security program.
1) Your Security Team Receives Insufficient Funding
When your executive team makes decisions on how they’ll allocate company budgets, they don’t base it on assumptions or guesswork - they base it on performance metrics and cold, hard data.
If you’re not measuring your application security program, you don’t have any results or findings to share with your executive team, which means both your security team and security program are unlikely to receive the funding and executive support they require to succeed. The problem is that most companies are unwilling to invest money and resources into security - until a breach happens. This is because application security, without proper reporting and measurement, can seem intangible, and it can be difficult to measure the return on investment. Unfortunately, once a breach happens, remediation costs skyrocket, so it can cost your organisation a lot more in the long run.
2) You Invest Developer Time and Company Money in the Wrong Things
When you measure the efficacy of your application security program, you’re measuring three main things:
- Where are vulnerabilities being identified? It’s important to identify whether the majority of vulnerabilities are being found in the software you’re developing in-house, in third-party applications, or in open-source code. This will help you understand what part of your application network is most vulnerable to a breach.
- How and when are vulnerabilities being found? At what stage of the software development lifecycle, and with what tools? This can help you work out where your organisation is most effective at security testing, as well as gaps that could be filled with new tools, or developer training.
- What types of vulnerabilities are being found? This will help you identify trends in vulnerabilities, so you can understand where there are gaps in your development and security teams’ knowledge.
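The three questions above can be answered from a simple findings log. The following is an added example, not code from the original post: it takes a small, constructed set of vulnerability records (source, lifecycle stage, discovery tool, vulnerability type, severity, date) and produces the three breakdowns the post describes, plus two derived figures a practitioner would typically report alongside them: the share of findings caught before production, and a per-month trend for one vulnerability type. The field names and the sample records are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample findings log (assumption: one record per vulnerability).
# "source" answers "where", "stage"/"tool" answer "how and when",
# "type" answers "what kind".
FINDINGS = [
    {"source": "in-house",    "stage": "code-review", "tool": "SAST",       "type": "SQL injection",       "severity": "critical", "found": date(2018, 6, 3)},
    {"source": "in-house",    "stage": "pre-release", "tool": "DAST",       "type": "XSS",                 "severity": "high",     "found": date(2018, 6, 20)},
    {"source": "open-source", "stage": "build",       "tool": "SCA",        "type": "outdated dependency", "severity": "high",     "found": date(2018, 7, 2)},
    {"source": "third-party", "stage": "production",  "tool": "pentest",    "type": "XSS",                 "severity": "critical", "found": date(2018, 7, 15)},
    {"source": "in-house",    "stage": "code-review", "tool": "SAST",       "type": "XSS",                 "severity": "medium",   "found": date(2018, 7, 18)},
    {"source": "open-source", "stage": "build",       "tool": "SCA",        "type": "outdated dependency", "severity": "critical", "found": date(2018, 8, 1)},
    {"source": "in-house",    "stage": "production",  "tool": "bug-bounty", "type": "IDOR",                "severity": "high",     "found": date(2018, 8, 9)},
    {"source": "third-party", "stage": "production",  "tool": "pentest",    "type": "weak authentication", "severity": "high",     "found": date(2018, 8, 22)},
    {"source": "in-house",    "stage": "code-review", "tool": "SAST",       "type": "XSS",                 "severity": "medium",   "found": date(2018, 8, 30)},
    {"source": "open-source", "stage": "build",       "tool": "SCA",        "type": "outdated dependency", "severity": "medium",   "found": date(2018, 9, 4)},
]


def by_source(findings):
    """Where are vulnerabilities found: in-house, third-party or open-source code?"""
    return dict(Counter(f["source"] for f in findings))


def by_stage_and_tool(findings):
    """How and when: counts keyed by (lifecycle stage, discovery tool)."""
    return dict(Counter((f["stage"], f["tool"]) for f in findings))


def by_type(findings):
    """What types of vulnerability recur, most common first."""
    return dict(Counter(f["type"] for f in findings).most_common())


def critical_share_by_source(findings):
    """Fraction of each source's findings rated critical; highlights the riskiest area."""
    totals = Counter(f["source"] for f in findings)
    criticals = Counter(f["source"] for f in findings if f["severity"] == "critical")
    return {src: criticals[src] / totals[src] for src in totals}


def pre_production_share(findings):
    """Share of findings caught before production: a basic 'shift-left' indicator."""
    if not findings:
        return 0.0
    early = sum(1 for f in findings if f["stage"] != "production")
    return early / len(findings)


def monthly_trend(findings, vuln_type):
    """Findings of one type per 'YYYY-MM' month, in chronological order."""
    months = defaultdict(int)
    for f in findings:
        if f["type"] == vuln_type:
            months[f["found"].strftime("%Y-%m")] += 1
    return dict(sorted(months.items()))


if __name__ == "__main__":
    print("By source:", by_source(FINDINGS))
    print("By stage/tool:", by_stage_and_tool(FINDINGS))
    print("By type:", by_type(FINDINGS))
    print("Critical share by source:", critical_share_by_source(FINDINGS))
    print("Caught before production:", pre_production_share(FINDINGS))
    print("XSS per month:", monthly_trend(FINDINGS, "XSS"))
```

On the constructed data, XSS is the most frequent type and recurs in in-house code found by SAST, which points at a developer-training gap; third-party applications have the highest critical share despite the fewest findings, which is the "riskiest area" signal the post refers to. Seventy percent of findings were caught before production, the figure to track over time as a measure of whether earlier-stage testing is improving.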
If you’re not measuring the performance of your application security program, you won’t know the answers to these questions. As such, your program will be based on guesswork and assumptions about where your development and security teams’ time and effort should be spent.
3) You Suffer a Security Breach
If you’re not properly measuring the results of your application security program, you won’t have a clear understanding of where the majority of vulnerabilities are being discovered, and as such you won’t be able to remediate the most serious risks. If you’re using third-party applications that have poor security standards, you’re at risk of a security breach. Likewise, if you’re releasing applications which contain critical vulnerabilities because you’re unaware they exist, you’re at risk of a breach.
Measuring the results, findings and impact of your application security program is the only way you can improve your organisation’s application security, and over time, reduce the likelihood of a security breach.