While awareness of the risk of insecure software has been rising for a considerable period of time, until recently many organizations have delayed the necessary transformation of the SDLC, attempting to reduce the risk with protective security solutions such as firewalls and intrusion prevention. The main barrier to improving the SDLC is a fear that changing the people and processes within an organization is complex, and that tailoring a per-project strategy represents a large organizational challenge. In other words, organizations often have adoption anxiety that is mainly rooted in concerns that such improvements would slow development time at an uncertain benefit. But with research from Gartner and Symantec showing that close to 90% of attacks are aimed at the application layer, the need to integrate security into the development lifecycle is becoming too pressing to postpone or ignore. The key drivers include:

1. High cost of remediation: identifying vulnerabilities after deployment results in significant costs to the development organization and the business at large. Conversely, significant savings can be realized by identifying and eliminating defects early in the lifecycle, or by not introducing them at all. Gartner estimates the cost of fixing a security vulnerability pre-deployment to be less than two percent of the cost of fixing the same vulnerability once the system has been deployed.

2. Consequences of a breach: the material impact to an organization in the event of a data breach can be significant. Beyond the intangibles of loss in customer trust, damage to reputation in the marketplace or on the world stage, and the distraction from positive business activity, there is the measurable cost in reparations, fines, and declining stock price. In one recent high-profile case involving the theft of at least 45.6 million credit card numbers, the retailer TJX as of May 2007 had taken an initial charge of $17 million from costs related to their massive security breach, with additional similar charges expected in the quarters to come. Additionally, a group of New England banks has sued the company for the cost of replacing debit cards whose accounts were compromised by the theft. The Federal Trade Commission is in the process of conducting a probe of the breach. Betting on a breach not occurring, or not taking reasonable and sufficient steps to ensure the security of private data, can be a very risky strategy.

3. Increased outsourced development: many organizations are entrusting the development of their key systems to third parties. These initiatives require increased diligence from program managers and auditors to ensure that security requirements are being met and that industry-preferred controls are implemented. In many cases, detailed contractual terms related to security are being included in outsourcing agreements to ensure third parties are held accountable for the security of the systems they deliver, with specific penalties included in the event of non-performance.

4. The disappearing perimeter: just-in-time operations, mobile workers, and instant customer access require wider access to networks and data than ever before. The dissolution of clear network boundaries has introduced a more intense threat to private data and secure operations. Attacks are now more targeted and ingenious, and use points of access that were not considered when many of the underlying systems were designed.

5. Regulatory compliance: all of the above factors have led to increasing governmental and auditor scrutiny of any processes and technologies that impact the security of data and operations. Sarbanes, PCI, FISMA, NIST, SSE-CMMI: the alphabet soup of standards and regulations concerning information security demands that organizations develop the processes to prove that reasonable and necessary steps have been taken to sufficiently protect critical data from unauthorized access and compromise.

Taken together, these 5 drivers represent a compelling organizational need to methodically and measurably introduce security governance into the software development lifecycle, before any of the potential costs described above become actual liabilities to the organization. Improving the process even marginally at each stage of the lifecycle will result in a measurable reduction in risk after deployment.