Which security program on a tight budget?
I need to put a security program in place that will have the most impact on a tight budget. Is it more effective to go back and remove the vulnerabilities from existing software, or to focus on improving the process to prevent new vulnerabilities? Which do you recommend?
-- Jeff, Product Manager
How to get there from here
In response to Jeff's question about which security program to implement on a tight budget, readers were most helpful in laying out the steps to take, as well as the support needed to put a risk management program in place. Their suggestions are as follows:
- Prioritize vulnerabilities and assess probability and impact.
- Determine budget and split between assessment and improvement.
- Establish a vulnerability management program.
- Develop training programs and find the right tools.
Prioritize vulnerabilities and assess probability and impact
Gomathy Subramanian of HCL America, Inc. says that you must first "determine the list of risks and assess your software for probability and impact. Choose high-probability, high-impact risks and remediate first. Even if you set standards for the future, if the existing foundation has holes, protection of new software will not help."
Another reader offers this brief plan of action as a way to maximize your efforts on a tight budget:
- "Conducting a quick check on the existing software will help in identifying the current state of the software and identifying the processes for improvement.
- Based on findings, target mission-critical/high-risk applications for removal of issues and create a next-step list of the improvement of processes."
Drexx, a Common Criteria consultant, believes that your choices don't have to be either/or; you can have both. He continues, "Start by listing all known software vulnerabilities and sort them by severity or impact. By severity or impact, I mean the extent of 'damage' or 'disabled software features' that each one may cause. In that list, give each vulnerability a little note that says how easy or hard it is to fix (given your team's skills and other resources).
"Now you can divide that list of vulnerabilities into four parts:
- Immediate and important,
- Immediate but not important,
- Important but not immediate,
- Not important and not immediate.
"Finally, you can get a better grip as to which process(es) in your software development cycle you must fix. Since this is more of a management issue, put it in your new 'Important but Not Immediate' list of things to do."
Determine budget and divide between assessment and improvement
Doron Becker, lead principal of INFOSEC Engineering Company, also believes that this is not an either/or situation. He says, "Take half your budget and prioritize your existing vulnerabilities so that you have adequate budget to attack the most critical ones. Then take the rest of your budget and begin process improvement activities to prevent new vulnerabilities. You may have to adjust percentages depending on how critical your current vulnerabilities are, but, in any event, both activities should be done in parallel, insofar as possible."
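The triage that Gomathy, Drexx and Doron describe above (rank by probability and impact, note the fix effort, sort into the four urgency groups, then spend a fixed share of the budget on the top-ranked fixes) carried through as an added example. This is not code from the newsletter or from any of the readers quoted; the 0.0-1.0 probability scale, the 1-5 impact scale, the 2.0 "important" threshold, the "immediate" flag, the 50/50 budget split and every finding in the list are constructed assumptions for illustration.

```python
"""Worked example of the triage the readers above describe: score each known
finding by probability x impact, divide the list into the four urgency groups,
then spend a fixed share of the budget on the top-ranked fixes that fit.
Every finding, score and effort figure below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    probability: float   # likelihood the weakness is exploited here, 0.0-1.0 (assumed scale)
    impact: int          # 1 (nuisance) to 5 (loss of critical data or service), assumed scale
    effort_days: float   # the "little note" on how hard it is to fix
    immediate: bool      # exposed right now (e.g. reachable in production)


# Risk at or above this score counts as "important" for the quadrant split (assumed value).
IMPORTANCE_THRESHOLD = 2.0


def risk_score(finding):
    """Probability x impact, the ranking key for remediation order."""
    return round(finding.probability * finding.impact, 2)


def quadrant(finding, threshold=IMPORTANCE_THRESHOLD):
    """Place a finding in one of the four groups from the text."""
    important = risk_score(finding) >= threshold
    if finding.immediate and important:
        return "immediate and important"
    if finding.immediate:
        return "immediate but not important"
    if important:
        return "important but not immediate"
    return "not important and not immediate"


def triage(findings):
    """Highest risk first; among equal risk, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.effort_days))


def split_budget(total_days, remediation_share=0.5):
    """Divide the budget between fixing existing issues and process work."""
    remediation = total_days * remediation_share
    return remediation, total_days - remediation


def plan_remediation(findings, budget_days):
    """Walk the ranked list and take each fix that still fits the budget.
    Returns the chosen finding names and the unspent days."""
    chosen, remaining = [], budget_days
    for f in triage(findings):
        if f.effort_days <= remaining:
            chosen.append(f.name)
            remaining -= f.effort_days
    return chosen, round(remaining, 2)


# Constructed sample findings (not from any real assessment).
FINDINGS = [
    Finding("SQL injection in customer search", 0.9, 5, 3.0, True),
    Finding("Verbose stack traces on error page", 0.8, 2, 0.5, True),
    Finding("Unsalted MD5 password hashes", 0.5, 5, 8.0, False),
    Finding("Outdated logging library in batch job", 0.3, 4, 2.0, False),
    Finding("Missing HttpOnly flag on analytics cookie", 0.4, 1, 0.5, True),
    Finding("Debug endpoint left on internal admin tool", 0.2, 2, 1.0, False),
]


if __name__ == "__main__":
    for f in triage(FINDINGS):
        print(f"{risk_score(f):>4}  {quadrant(f):<32} {f.name}")
    fix_days, process_days = split_budget(24)
    chosen, left = plan_remediation(FINDINGS, fix_days)
    print(f"\nFix in this cycle ({fix_days} days): {chosen}; {left} days unspent")
    print(f"Reserved for process improvement: {process_days} days")
```

Note that the greedy walk skips a high-risk fix whenever it no longer fits the remaining days, so the effort note on each item matters as much as its score; with the sample budget the eight-day hashing fix is taken only because it is second in rank, and a smaller budget would drop it in favour of several cheap items. The "important but not immediate" group is where the process fixes Drexx mentions belong, so they can be tracked alongside the code fixes rather than in a separate list.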
Establish a vulnerability management program
Jarrett Parent of C3SA looks at the larger picture. He says, "Bring senior management into the picture and correct the vulnerabilities that are the most severe. That is to say, focus on the ones that are at greatest exposure to threats in your IT environment and that will have the greatest impact on your assets, tangible and intangible. Then focus on developing and establishing a vulnerability management program. As a rationale, if you ignore critical vulnerabilities and don't manage to create a sense of urgency and awareness amongst your peers, it is unlikely that anyone will want or see the need to buy into your vulnerability management program."
Develop training programs and find the right tools
Enrico Viglino, software quality engineer at the Apollo Group, says, "Bring the development and quality teams on board so that you get the fundamentals correct. This has to be done from the grassroots, in my opinion; otherwise, it's like trying to put out fires at an arsonists' convention."
Jim Bird, chief technology officer at BIDS Trading Technologies Ltd., sees education and training as part of a larger process. He writes a list of important points:
- "Invest in improving your software security capability; this will pay dividends now and in the future.
- Get secure software development training for your team.
- Start threat modeling/risk assessment in design, and add security checks to your code reviews.
- If you aren't using static analysis tools, find a good one and add it to your build. Then the team can decide what to address first on a risk/return basis, and they will know how to deal with it."
Finally, Arian Evans, director of operations at WhiteHat Security, wraps it up succinctly. "Before you ask the questions you asked, however, you need to ask where your real risk is and what your goals are. Dealing with the future is cool, but your risk is probably right here and now. Solutions that provide rapid measurability of production software vulnerabilities and actionability, allowing you to immediately do something to mitigate or remediate those vulnerabilities, will likely give you your best bang for the buck. This will also help tell you what parts of the security development lifecycle you need to put the most focus into going forward."