Share the Cost of Secure Application Development

The cost of protecting applications from cyberattacks is climbing fast. So, it's time for business units to help cover the price tag.

Guest Commentary

November 22, 2017

4 Min Read

The 2017 Ponemon Institute study reaffirms that while this year has seen more hacks and breaches than 2016, organizations are actually spending less money per breach. But the climbing security stocks in the wake of recent hacks seem to indicate that organizations and their CISOs are more than prepared to invest in increased security measures.

In fact, SANS Institute reported last year that despite IT budgets decreasing overall, security budgets are, on average, increasing. Furthermore, 76% of SANS respondents said application security fell into their top spending category.

When it comes to adopting and integrating security within business processes, many organizations still rely on their CISOs for budgetary allocations, when it should be a shared responsibility between security and developers. In order to deliver on the promise of secure application development, developers and security teams need to manage security together, from the outset. DevSecOps has become the natural union of development and security for mitigating risk, but to accomplish this, development needs to invest in security.

Check the price tag

The cost to build an application depends on the complexity of the application's functionality, which dictates the size of the team and the amount of production time it takes to build the application. The cost of application development can essentially be determined with the rough equation (features x time) x hourly rate = cost. Adding other variables, such as third-party integrations, can further complicate the development process and drive up the cost.

While application development does present a sizable cost to organizations, especially those creating SaaS products, if an application is hacked, the resulting security costs to the company can be astronomical. Because of the greater risk to the organization and its customers, security can be considered a higher-priority budget item, which often means more money is also allocated to security. With cybercrime costs estimated to reach $19 trillion by 2019, it's reasonable for businesses to assign a larger budget to security. However, transitioning part of the security budget to developers so they can adopt secure development practices could also reduce the risk of cyber threats.

Disrupt the status quo

Typically, IT and security teams have operated in silos with little to no collaboration. However, the advent of DevOps has created a culture of transparency and information sharing that has allowed the development and operations teams to communicate more efficiently – keeping everyone on the same page. Further, transparency across the organization is crucial when speed and efficiency are of utmost importance in determining the success that needs to be reported to the stakeholders who control the budget. As DevOps allows security to be tightly embedded throughout the system's development life cycle, transparency has quickly become an essential part of the DevSecOps world as well.

Developers still seem reluctant to take on the cost of incorporating security into their processes. Security has historically not been seen as part of everyone's responsibility; making it so within the DevOps team helps disperse the burden more evenly among developers, operations and security. For developers, time is also money, and the assumption has been that security slows down the development lifecycle. However, adding security measures to the development process is actually more cost effective, as developers spend less time and effort in the long run. This shift in responsibility allows the security team to adopt a proactive rather than reactive approach, helping improve security to better fit the DevOps process.

As security becomes an increased priority, organizations need to address both developers and security teams in unison. By investing in security and turning DevOps into DevSecOps, developers can receive near-real-time feedback on their code, which gives them the time, responsibility and support necessary to balance stability against new features. If DevSecOps is truly about splitting development and security responsibilities 50-50, organizations practicing these processes should shift the budget so that both development and security share the responsibility and reap the benefits of DevSecOps.

Amit Ashbel has been with the security community for over a decade and has taken on multiple tasks and responsibilities, including technical positions and senior product lead positions. Amit has experience with a wide range of security solutions, including network, endpoint, fraud detection, and application security. This, in addition to his familiarity with emerging threats, allows him to address multiple aspects of an organization's security portfolio while constantly studying how organizations can adapt to the ever-changing landscape. Amit speaks at high-profile events and conferences such as Black Hat, Defcon, and OWASP.
