Share the Cost of Secure Application Development - InformationWeek


Commentary | DevOps
11/22/2017 08:30 AM
Amit Ashbel, Cybersecurity evangelist, Checkmarx

Share the Cost of Secure Application Development

The cost of protecting applications from cyberattacks is climbing fast. So, it's time for business units to help cover the price tag.

The 2017 Ponemon Institute study reaffirms that while this year has seen more hacks and breaches than 2016, organizations are actually spending less money per breach. But the climbing security stocks in the wake of recent hacks seem to indicate that organizations and their CISOs are more than prepared to invest in increased security measures.

In fact, SANS Institute reported last year that despite IT budgets decreasing overall, on average, security budgets are increasing. Furthermore, 76% of SANS respondents said application security fell into their top spending category. 

When it comes to adopting and integrating security within business processes, many organizations still rely on their CISOs for budgetary allocations, when it should be a shared responsibility between security and developers. In order to deliver on the promise of secure application development, developers and security teams need to manage security together, from the outset. DevSecOps has become the perfect union of development and security to mitigate risk, but to accomplish this, development needs to invest in security.

Check the price tag

The cost to build an application depends on the complexity of the application's functionality, which dictates the size of the team and the amount of production time it takes to build the application. The cost of application development can essentially be determined with the rough equation (features x time) x hourly rate = cost. Adding other variables, such as third-party integrations, further complicates the development process and drives up the cost.

While application development does present a sizable cost to organizations, especially those creating SaaS products, the security costs that accrue to the company if an application is hacked can be astronomical. Because of the greater risk to the organization and its customers, security can be considered a higher-priority budget item, which often means more money is also allocated to security. With cybercrime costs estimated to reach $19 trillion by 2019, it's reasonable for businesses to assign a larger budget to security. However, shifting part of the security budget to developers so they can adopt secure development practices could also reduce the risk of cyber threats.

Disrupt the status quo

Typically, IT and security teams have operated in silos with little to no collaboration. However, the advent of DevOps has created a culture of transparency and information sharing between teams that allows development and operations to communicate more efficiently, keeping everyone on the same page. Further, transparency across the organization is crucial when speed and efficiency are of utmost importance in determining the success that must be reported to the stakeholders who control the budget. As DevOps allows security to be tightly embedded throughout the system's development life cycle, transparency has quickly become an essential part of the DevSecOps world as well.

Developers still seem reluctant to take on the cost of incorporating security into their processes. Security has historically not been seen as part of everyone's responsibility in the DevOps team, even though treating it that way would disperse the burden more evenly among developers, operations and security. For developers, time is also money, and the assumption has been that security slows down the development lifecycle. However, adding security measures to the development process is actually more cost effective, because developers spend less time and effort in the long run. This shift in responsibility allows the security team to adopt a proactive rather than reactive approach, helping improve security to better fit the DevOps process.

As security becomes an increasing priority, organizations need to address both developers and security teams in unison. By investing in security and turning DevOps into DevSecOps, developers can receive near real-time feedback on their code, which gives them the time, responsibility and support necessary to balance stability against new features. If DevSecOps is truly about splitting development and security responsibilities 50-50, organizations practicing these processes should shift the budget so that both development and security share the responsibility and reap the benefits of DevSecOps.

Amit Ashbel has been with the security community for over a decade and has taken on multiple tasks and responsibilities, including technical positions and senior product lead positions. Amit has experience with a wide range of security solutions, including network, endpoint, fraud detection, and application security. This, in addition to his familiarity with emerging threats, allows him to address multiple aspects of an organization's security portfolio while constantly studying how organizations can adapt to the ever-changing landscape. Amit speaks at high-profile events and conferences such as Black Hat, Defcon, and OWASP.
