The Best Way to Spend Your Security Budget

Everyone could use more security budget. There's always more to do. So you have to prioritize your spending. Where can you spend it most effectively? Should you be spending big money on mobile security? Probably not.

The only smart way to prioritize security spending is to do it where it will be the most effective. Mobile security threats are very real and present some really scary scenarios. No way should you blow it off. But the fact is that mobile threats, like Android malware and data exfiltration on BYOD devices, aren't what is causing the big problems and embarrassing headlines for companies.

What is causing those problems? You can find those causes here, in the OWASP Top 10 Project. OWASP is the Open Web Application Security Project, one of the most worthy organizations out there working genuinely to help IT and programmers to improve security. Its web site is a treasure trove of constructive advice for making your systems more secure.

The Top 10 list (the one linked to above is a release candidate for discussion, but it looks pretty much like its recent predecessors) contains "a broad consensus about what the most critical web application security flaws are." In other words, they are the important problems that are really being exploited out in the wild. These are programming terms, not the sort you usually hear of with respect to products being sold.

Number 1 on the list is Injection, which the organization defines this way: "Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data." The most famous and most consequential of injection flaws is SQL injection.

The really big damage to companies and their reputation happens when systems are compromised on the back end, where the big data is stored. SQL injection is the most popular way to do it.

The results of a mass SQL injection campaign in 2008. (source: F-Secure - click image for larger version)

The amazing thing about SQL injection is that not only is it the most damaging of vulnerabilities, but we know a way to end it: parameterized queries. Vulnerable SQL code usually gets that way because a program takes user input (First Name, Last Name, Address, etc.), uses that to construct a SQL statement dynamically and then executes it. When the user/attacker inputs characters that terminate the query and execute another, the dynamic SQL statement ends up executing the attacker's query.

If you're involved in this sort of programming I strongly recommend studying the OWASP SQL Injection Prevention Cheat Sheet. I won't go into detail here about how parameterized queries work, just to note that it's a programming technique in which user input is bound to program variables that are then used by server facilities to construct the query and execute it. Not only are these queries impervious to SQL injection, but they can easily execute faster, if heavily utilized.

Note that you won't find mobile threats, at least not explicitly, in the OWASP top 10. That's because, for all their potential to cause damage, it's still really just potential. Attackers would have to go to a lot of trouble to execute a mass attack on mobile devices, but one SQL injection attack can bring in big bucks. It's a no-brainer that you should make this problem top priority.