Budget is a concern at every company. You have to be able to justify every dollar spent. When advocating for an application security budget, the first question is always “how much will it cost?” What we really need to be thinking about is “how much would it cost to not have application security budget?”
The hard truth is that all companies will eventually have a security incident, so you need to calculate its impact. Things to consider include:
- Recovery cost (all expenses, time, and resources used to recover service)
- Downtime costs
- Time spent notifying the affected persons (victims)
- Cost of lost customers/business
- Cost of negative impact on reputation
- Time spent remediating vulnerabilities
- Cost of a forensic analysis
- Statutory or compliance fines
- Contractual liability costs
- Legal costs
- Identity protection for the victims
- The probability of making poor decisions based on urgency
Once you have that number, you can decide whether, and how much, investing in prevention makes sense. It is worth taking into consideration that 43 percent of cyberattacks target small businesses and 60 percent of small business victims of a data breach shut their doors after six months [1]. Unfortunately, it is no better for medium or large organizations. In the words of Benjamin Franklin, “An ounce of prevention is worth a pound of cure.” In general, prevention tends to be significantly less expensive than coping with a security breach. According to OWASP, some studies suggest that the optimal investment is approximately 37 percent of estimated losses [3].
There are various security approaches and solutions, such as static analysis, dynamic analysis, and software composition analysis, that can help mitigate security risk. Each one focuses on a different aspect of the assurance process and contributes to increasing security. No single AppSec testing type covers everything, so combining analysis types increases the security of your applications.
Some characteristics and costs that should be considered in a preventive security solution are:
- The operating cost of the solution
- The cost of remediating a vulnerability
- The cost of managing vulnerabilities
- Adequate balance between true positives, false positives, and resources used
- Scan times
- Human resources
- Decision-making costs due to visibility
The challenge is to make the most effective use of the available resources, prioritizing what is important to the business while balancing costs against potential impacts. Human intervention in security processes matters: reports show that effectiveness increases not only with the use of software solutions but also with the participation of application security experts [2]. People should be the judges of the entire process.
Checkmarx One™ offers multiple different AppSec testing types on a single, cloud-based platform, enabling AppSec teams to run scans from the first code commit to production. Being able to run multiple AppSec scans simultaneously and receiving accurate and correlated scan results speeds time to remediation. This enables organizations to reduce their remediation costs, optimize their vulnerability management and classification, and minimize operational overhead. Additionally, the integrated reporting and dashboards provide AppSec and development teams with a complete view of the security posture of their applications, enabling them to focus on the highest risks first.
Checkmarx One reduces overall AppSec program operating costs by providing an easy-to-use solution that can trigger multiple scans with a single click, or even automatically through source code management (SCM) integrations such as GitHub.
Whether or not a discovered vulnerability causes an incident, there will be an associated engineering cost to resolve it. It is significantly cheaper to remediate vulnerabilities and flaws early in the software development lifecycle (SDLC). According to NIST, the remediation time during the coding stage is 2.4 hours compared to 13.1 hours in the post-deployment stage [4]. By scanning code at the source, Checkmarx One enables a true “shift-left” approach, allowing organizations to identify and remediate vulnerabilities sooner in the SDLC. And because Checkmarx One has visibility into the source code, we can provide both AppSec and development teams with an intuitive data flow graph along with a suggested Best Fix Location (BFL), so developers can target the source of the vulnerability faster.
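As an added illustration (not the post's own tooling) of the budget arithmetic described earlier and the shift-left remediation comparison above, the model below sums the listed impact categories into a per-incident figure, annualizes it, applies the 37 percent rule the post cites from OWASP, and credits a proposed solution with the NIST remediation-time difference; the incident frequency, finding count, hourly rate, and all dollar amounts are constructed assumptions.

```python
from dataclasses import dataclass, fields

# Per-incident impact, broken down into the cost categories listed in the post.
# Every dollar value in this file is a constructed sample, not data from the post.
@dataclass
class IncidentImpact:
    recovery: float               # expenses, time and resources used to recover service
    downtime: float
    victim_notification: float    # time spent notifying affected persons
    lost_business: float
    reputation: float
    vuln_remediation: float       # time spent remediating the exploited vulnerabilities
    forensics: float
    fines: float                  # statutory or compliance fines
    contractual_liability: float
    legal: float
    identity_protection: float    # identity protection for the victims
    rushed_decisions: float       # expected cost of poor decisions made under urgency

    def total(self) -> float:
        return sum(getattr(self, f.name) for f in fields(self))

# 2.4 h and 13.1 h are the NIST remediation times quoted in the post; 0.37 is the
# OWASP-cited optimal investment ratio. Everything else below is an assumption.
CODING_STAGE_HOURS = 2.4
POST_DEPLOY_HOURS = 13.1
OPTIMAL_INVESTMENT_RATIO = 0.37

def annual_expected_loss(impact: IncidentImpact, incidents_per_year: float) -> float:
    """Annualized loss: per-incident impact times the expected number of incidents."""
    return impact.total() * incidents_per_year

def prevention_budget_ceiling(expected_loss: float) -> float:
    """Upper bound on yearly prevention spend under the 37 percent rule."""
    return expected_loss * OPTIMAL_INVESTMENT_RATIO

def shift_left_savings(findings_per_year: int, hourly_rate: float) -> float:
    """Engineering cost avoided by fixing findings at coding time rather than post-deployment."""
    return findings_per_year * (POST_DEPLOY_HOURS - CODING_STAGE_HOURS) * hourly_rate

def prevention_is_justified(solution_annual_cost: float, expected_loss: float,
                            findings_per_year: int, hourly_rate: float) -> bool:
    """True when the solution's net yearly cost (after shift-left savings) fits under the ceiling."""
    net_cost = solution_annual_cost - shift_left_savings(findings_per_year, hourly_rate)
    return net_cost <= prevention_budget_ceiling(expected_loss)

# Constructed sample incident: totals $500,000 across the twelve categories.
SAMPLE_IMPACT = IncidentImpact(50_000, 80_000, 10_000, 120_000, 60_000, 15_000, 40_000,
                               25_000, 20_000, 30_000, 35_000, 15_000)
```

With one such incident expected every two years, 50 findings a year and a $100/h engineering rate, a $120,000/year solution nets out under the ceiling while a $160,000/year one does not.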
In addition to identifying the Best Fix Location through static code analysis, Checkmarx One also provides integrated contextual gamified learning for developers, without the need to navigate to a different platform or to study in a lengthy training session.
And let’s not forget about CISOs. Checkmarx One helps CISOs make decisions based on multiple sources of information aggregated in one dashboard with multiple views. Seeing the aggregated results on one dashboard enables CISOs to identify whether Key Performance Indicators (KPIs) were met and helps show the return on investment. Can your organization afford not to invest in Checkmarx One?
- Antunes, N., & Vieira, M. (2009, November 18). Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services. IEEE. https://ieeexplore.ieee.org/document/5369093
- OWASP (2013). Application Security Guide for CISOs. https://owasp.org/www-pdf-archive/Owasp-ciso-guide.pdf
- National Institute of Standards and Technology (2002). The Economic Impacts of Inadequate Infrastructure for Software Testing. https://www.nist.gov/document/report02-3pdf