You’ve heard the fable: Goldilocks goes for a walk in the woods and comes upon a house. In the house, she finds three bowls of porridge. The first is too hot, the second is too cold, but the third is just right.
Goldilocks is the master of figuring out “just right.” You need to be, too.
When it comes to application security, there is too much effort, too little effort, and then the sweet spot that is just right.
Balance effort and risk to guide your security investment.
The Goldilocks Principle
The Goldilocks principle is the idea that you can invest too much or too little in trying to find vulnerabilities, but what you need to do is find the best balance.
Too Much Effort
Is it possible to invest too much effort in your security?
Yup. At a certain point, you start to see diminishing returns: issues still appear but more rarely. Security is never really “done,” so it’s tricky knowing when to move on. There’s always more to do, more to find, more to fix. Knowing when to wrap up depends on your threat model, risk appetite, and your unique circumstances.
However, you probably aren’t in this category anyway. Almost nobody is. In all the years we’ve been doing this, and in all the years my friends have been doing this, I can count only one company whoever hit this inflection point all on their own. One!
But you certainly can get there. The takeaway is this: security is not an endless investment of resources. There is a point at which you can accept the remaining risk and move forward.
Too Little Effort
Almost everyone falls into this category.
Security is often viewed as a “tax” on the business. Companies want to minimize any kind of tax, and so they try to cut security costs. However, most people don’t realize that when you cut costs, what you actually cut is effort: how much time you invest, how manual it is, how much attack surface you cover, and how thoroughly you develop custom exploits. That’s a dangerous elixir because your attackers already invest more effort than you can. Cutting effort just cedes more advantage.
Price is an incredibly important factor in any decision. However, you shouldn’t lose focus on outcomes. Let’s imagine you need to get from New York to Los Angeles. The best way to get there is on a commercial airline. You’ll be there in a few hours for a few hundred dollars. There is a cheaper option, though: Rollerblades. Like a seat on a commercial flight, Rollerblades are indeed a mode of transportation. Better yet, they’re way less expensive, too.
But that’s stupid.
Although Rollerblades appear less expensive, they actually incur tremendous cost in other ways. Neither your body nor the Rollerblades are built for that kind of journey. It would take months instead of hours. The likelihood of reaching your destination is close to zero.
This absurdity is exactly what it’s like to underinvest in your security mission. You make it harder, take longer, and feel awful along the way. You torpedo your chances of success. Despite being an obviously bad approach, people pursue this line of thinking all the time.
If that sounds like you, I feel your pain. You’re under tremendous pressure to make the best use of the limited money and person-power you have, and those resources need to cover a wide range of priorities. It’s sometimes hard to justify the investment in security, and even when you can, you aren’t always sure where the best place to invest it might be. Others in the business sometimes don’t even understand security, so trying to get their approval is like shouting into the wind. As a result, decisions sometimes are made on price tag alone, without adequate consideration of the impact this has on your ability to succeed.
Here’s the harsh reality, though: the less you invest, the less it returns. When you cut costs too far, you prevent outcomes that help you get better. Achieving your security mission is going to cost you time, effort, and money. There is no way around that. When those investments get cut to the bone, what’s really reduced is your ability to succeed.
The Level of Effort That’s “Just Right”
The trick lies in finding your sweet spot, that magical balance where you uncover useful issues without investing too much or too little. There are many variables that influence this, including:
- The value of your assets
- The skills of your adversaries
- The scope of your attack surfaces
- The amount of risk you’re willing to accept
The reality: Application security testing is probably going to cost $30,000–$150,000+ per year, per application. Some cost far more than that.
That number may shock you. If you’re used to paying $25,000, $10,000, or even less than $5,000 per year for security testing, you’re probably doing vulnerability scanning alone. You’re pulling on Rollerblades to try to get across the country.
So why is a price tag like this even necessary? A few reasons:
- First, doing it right isn’t easy.
- Second, the incremental cost of doing security right is a tiny, microscopic spec compared to the gigantic cost of a security incident.
- Third, security is a competitive advantage.
Nevertheless, you may be wondering: how do you get the comprehensive assessment you need but for the cheap price you want?
Well, you can’t.
You can’t achieve security excellence by going cheap. You can’t find the unknowns for cheap. You can’t discover custom exploits for cheap. You get what you pay for, and there’s no way around that.
However, that’s not even the right question to be asking. Instead, ask this question: Do you need a comprehensive assessment—performed by an external expert—or is something less rigorous acceptable?
That, my friend, depends on your risk tolerance. Once you know how much risk you’re willing to accept, you can invest accordingly.
The cost is the cost; it’s the effort that is variable. And effort is based on risk.
Risk → Effort → Cost
When you invest only in cheap security approaches, you accept the risk of all of the vulnerabilities you leave undiscovered. Remember, your vulnerabilities exist. The question is simply whether you fix them or attackers exploit them.
Risk is a field unto itself. However, it’s worth a quick introduction to the concept.
Once you’ve computed these variables, you can quantify risk. Then you decide how much risk you’re willing to accept. Use that to decide how much to spend. Risk drives the amount of effort you should invest in finding and fixing vulnerabilities. The level of effort drives the cost of your security investment.
Risk drives effort. Effort drives cost.
Don’t do it the other way around.
Don’t let cost drive your risk decisions. When you start with cost and try to reduce it, you actually reduce effort. When you reduce effort, you increase the risk you accept.
There’s no way around that simple reality. When you lead with cost, you let the wrong factors drive your security mission. Instead, use the right factors to drive your security mission: what you want to protect, why, and from whom.
You Get What You Pay For
It’s harsh, but you know it’s true. You get what you pay for.
This is usually framed as a negative: buy something cheap, and it will fail. It’s like when you buy the cheap version of a power tool, which quickly breaks. Then you replace it with the more expensive version you should’ve bought in the first place.
However, there’s an equally positive frame as well: invest in the right thing, and you obtain the right outcome. Buy the right power tool the first time, and you get the project done right.
Either way, you get what you pay for.
Here are some powerful data points about effort, extracted from two years of our security assessments:
- Investing more than 200 hours in a security assessment results in high-, medium-, and low-severity issues almost 100 percent of the time. Critical vulnerabilities are discovered more than 80 percent of the time.
- Investing less than 100 hours in a security assessment drops those success metrics sharply. Critical vulnerabilities are discovered less than 25 percent of the time.
Here’s the point: effort drives outcomes.
The only difference between these two data points is the level of effort invested. The vulnerabilities exist either way. Given that you want to find your vulnerabilities so you can fix them, this data begs you to invest the amount of effort that actually drives that outcome.
To put these numbers in context, vulnerability scanning falls well under 100 hours of effort (many even under ten hours). By contrast, manual white-box vulnerability assessments quickly climb over 200 hours. If you truly want to find and fix your vulnerabilities, you need to put in the effort to find them. If you do, you will. If you don’t, you won’t.
There’s No “One Size Fits All” Budget
I advise a group of technology executives who often ask each other how much to spend on security. They usually suggest problematic answers to each other. For example, one CTO recommended a budget of $1,000/year. One thousand dollars! To defend against nation-states, organized crime, hacktivists, corporate espionage, casual hackers, accidental insiders, disgruntled insiders, opportunistic insiders, and malicious insiders. What are the chances he succeeds with that budget?
Zero.
By contrast, another CTO recommended a budget of over $1,000,000/year. Her chances are definitely better than if her budget was only $1,000/year. But is it appropriate for her peers? Is it even appropriate for her? I don’t know. The only way to answer that is: “it depends.” Conditions vary widely. There’s simply not a budget that works for everybody.
However, there are some universal truths:
- Not all applications are created equal.
- Not all applications share the same risk profile.
- Not all applications warrant the same level of effort or spending.
- There is a minimum effort you need to invest.
Some applications require heavy investment. Others are OK with less. Maybe your assets are of low value, and $30,000 for an assessment is fine. Or maybe your attack surface is vast, and $150,000 barely scratches the surface. Determining which group you fall into depends on how much risk you face, how much of it you want to reduce, and how much you’re willing to accept. You’ve got to find your own “just right.”
Your investment depends on a variety of factors, including:
- Size of your company, in-house security team, and software development project
- Value of your assets
- Amount of effort you’ve already invested in security, your tolerance for risk, your customer’s tolerance for risk, and the security sophistication in your industry
- Conditions, such as regulatory requirements that you must comply with, the capabilities of your in-house security team, the scope of your application’s attack surfaces, and the frequency at which you update your software
As I’ve explained earlier, you’re going to spend between $30,000 and $150,000+ on security testing, per application, per year. Almost everyone who achieves security excellence invests in this range. However, most companies invest far less than this.
Your budget goes beyond just testing, though. An effective security process also includes:
- Salary, benefits, and overhead associated with your in-house security personnel
- Salary, benefits, and overhead associated with your in-house nonsecurity personnel, prorated by the amount of time they spend on security
- Effort by your developers in dealing with remediations of security vulnerabilities
- Training, certifications, and other professional development for your security staff
- Overhead to manage the security process, both internally and externally
- Security software, products, and tool licenses
You can assume that security consulting and testing will consume anywhere from 20–50 percent of your overall security budget, with the above categories consuming the other 50–80 percent.
When Goldilocks tried that porridge, she found her “just right.” You can, too. Ignore the noise: you shouldn’t aim for “cheap,” nor should you spend endlessly. Both are nonsense. Instead, trust that there is a happy balance that sets you up for success on your security mission, while meeting the financial constraints that exist in every business. Go find that balance.
Learn more about adequate investing and budgeting for application security by reading my book, “Hackable: How to Do Application Security Right.”
Content adapted from:
