Page 1: Application Security Debt & Application Interest Rates

Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Application Security Debt & Application Interest Rates

Chris Wysopal, CTO & Co-founder, Veracode

AppSecUSA

Page 2: My Background

Veracode’s CTO and Co-Founder

@stake, VP Research & Development

BBN, Sr. IT Security Analyst

L0pht Heavy Industries, L0phtCrack, Netcat for Windows

Lead author of “The Art of Software Security Testing”, published by Addison-Wesley.

Page 3: Intro

This is a thought experiment to find new ways of thinking about the cost of application risk

We need much better data on breach cost and root causes

Developers and managers understand technical debt

Page 4: Technical Debt

“Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt.” -Ward Cunningham, the programmer who developed the first wiki program

Page 5:

Technical debt sounds a lot like security weakness: invisible to users, but with negative value.

This diagram was part of a presentation on technical debt by Philippe Kruchten

Page 6: Application Security Debt

The latent vulnerabilities in a piece of software are the application security debt.

Security debt accumulates over time as more code is written without performing security processes during the development life cycle.

Design Phase: A project takes on a lot of debt during the design phase if no threat modeling or architecture risk analysis is performed. This will translate into costly redesign work at a later date.

Coding Phase: If code is written without using static analysis or following secure coding guidelines, then security bugs are going to get into the final application and will eventually need to be eliminated at a higher cost.

Page 7: Debt is Good!

There are obviously good business reasons for accumulating security debt because we see it everywhere in successful companies.

However, there is a point in the lifetime of a lot of software projects where the debt gets too high and needs to be paid off by redesigning and rewriting a lot of code.

If it isn’t paid off, the security debt risks impacting the bottom line.

Page 8: Application Interest Rates

Application interest rates have breach cost and breach likelihood as factors.

These factors are out of your control just like an adjustable interest rate is on financial debt.

Breach cost can change over time due to changing compliance requirements and fines or increased brand damage.

Breach likelihood changes as the threat space changes. If cost and likelihood go up, your debt goes up.

Page 9: Likelihood

When your application was first written, your application’s adjustable interest rate might be low:

Attackers just aren’t interested in your application

No good tools to find vulnerabilities on the OS or platform you developed on

Can’t monetize attacks

Your application may not be popular

Your brand damage is low because you have no users

Page 10: Example Debt Repayments

In January 2002, Bill Gates sent out the famous Trustworthy Computing memo.

Microsoft had accumulated too much security debt in all their products & their application interest rate was at an all time high.

How this debt was paid down differed by product.

IIS 6.0 was a complete rewrite (cost ??)

From 2000-2002, OSVDB recorded 85 vulnerabilities in IIS alone

In 2003, IIS 6.0 was only impacted by one disclosed vulnerability

Page 11: Successful Startup Scenario

Build cool new app as fast and cheap as possible and iterate, iterate, iterate.

Nothing is done to make sure the application is secure, and they start building up security debt.

The company hits it big and starts attracting millions of users. A vulnerability is found. It hits the news. They fix it but then another is found. More press. Their interest rate keeps rising.

The decision is made to hire some application security people, add security processes, and do some major security re-architecting and coding.

Paying down the security debt now is more expensive than doing it securely the first time but security debt gave the company the flexibility to launch quicker and iterate faster.

Page 12:

We can think of security debt as principal + interest.

Principal is the cost to remediate. Interest is the variable cost out of your control.

Page 13: Denim Group Remediation Cost Data

Source: http://www.slideshare.net/denimgroup/real-cost-of-software-remediation

Page 14:

Source: http://www.slideshare.net/denimgroup/real-cost-of-software-remediation

Page 15: Calculate Remediation Cost

Remediation Cost = Overhead Cost + Sum per flaw category (Flaws * Remediation Time * Developer Cost)
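The formula above applied to a flaw inventory, as an added example that is not part of the deck. Every number in it (the flaw counts, hours per flaw, hourly rate and overhead) is constructed for illustration; the Denim Group figures the deck cites are not reproduced here. The breakdown is sorted largest-first so the categories carrying the most principal are visible at a glance.

```python
"""Remediation cost ("principal") of an application's security debt.

Added example, not from the slides. It applies the slide's formula
    Remediation Cost = Overhead Cost + sum per flaw category (Flaws * Remediation Time * Developer Cost)
to a constructed flaw inventory. All figures below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlawCategory:
    name: str
    flaws: int             # open findings in this category (constructed)
    hours_per_flaw: float  # average developer time to fix one flaw (constructed)


def category_cost(cat: FlawCategory, developer_cost_per_hour: float) -> float:
    """Flaws * Remediation Time * Developer Cost for one category."""
    return cat.flaws * cat.hours_per_flaw * developer_cost_per_hour


def remediation_cost(categories, developer_cost_per_hour: float, overhead_cost: float) -> float:
    """The slide's formula: overhead plus the sum over all flaw categories."""
    return overhead_cost + sum(category_cost(c, developer_cost_per_hour) for c in categories)


def cost_breakdown(categories, developer_cost_per_hour: float):
    """(name, cost) per category, largest first, so the costliest debt is obvious."""
    rows = [(c.name, category_cost(c, developer_cost_per_hour)) for c in categories]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory, e.g. static-analysis findings bucketed by category.
PORTFOLIO = [
    FlawCategory("SQL Injection", flaws=12, hours_per_flaw=4.0),
    FlawCategory("Cross-Site Scripting", flaws=40, hours_per_flaw=1.5),
    FlawCategory("Insufficient Authorization", flaws=5, hours_per_flaw=12.0),
    FlawCategory("Remote File Inclusion", flaws=1, hours_per_flaw=8.0),
]
DEVELOPER_COST_PER_HOUR = 100.0  # constructed fully loaded hourly rate (USD)
OVERHEAD_COST = 5_000.0          # constructed: triage, retest, release management

if __name__ == "__main__":
    for name, cost in cost_breakdown(PORTFOLIO, DEVELOPER_COST_PER_HOUR):
        print(f"{name:28s} ${cost:>10,.0f}")
    total = remediation_cost(PORTFOLIO, DEVELOPER_COST_PER_HOUR, OVERHEAD_COST)
    print(f"{'Total remediation cost':28s} ${total:>10,.0f}")
```

With the constructed inputs the total comes to $22,600: $17,600 of per-category work plus the $5,000 overhead. Swapping in your own scan results and the remediation times from the Denim Group data gives the principal figure the rest of the deck compares against expected loss.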

Page 16: Interest rates are tricky

We will use the example of a company writing their own custom app AND operating that app.

They bear the breach burden of the code they write.

Not sure what to do with vendors, as they shift the burden of their debt principal to their customers.

Page 17: Monetary risk due to variable interest rate

Question: What is the monetary risk from vulnerabilities in your application portfolio?

Useless Answer: Monetary risk is expected loss; average breach cost multiplied by average probability of breach.

Useful Answer: Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost, and threat space data.

[Diagram: Your Vulnerabilities, Your Breach Cost, Threat Space Data]

Page 18: Vulnerabilities in Your Application Portfolio

Page 19: Your Breach Cost

Use cost analysis from your earlier breaches

Use breach cost from public sources. Example: April 2010 Ponemon Institute Report

Ponemon average and per-capita US breach cost (US Dollars)

| | Detection & Escalation | Notification | Ex-Post Response | Lost Business | Total |
|---|---|---|---|---|---|
| Average | 264,208 | 500,321 | 1,514,819 | 4,472,030 | 6,751,451 |
| Per-capita | 8 | 15 | 46 | 135 | 204 |

Ponemon per-capita data by US industry sector (US Dollars)

| Sector | Per-capita cost |
|---|---|
| Communication | 209 |
| Consumer | 159 |
| Education | 203 |
| Energy | 237 |
| Financial | 248 |
| Healthcare | 294 |
| Hotel & Leisure | 153 |
| Manufacturing | 136 |
| Media | 149 |
| Pharma | 310 |
| Research | 266 |
| Retail | 133 |
| Services | 256 |
| Technology | 192 |
| Transportation | 121 |

Page 20: Threat Space Data

40% of data breaches are due to hacking

Source: Verizon 2010 Data Breach Investigations Report

Top 7 application vulnerability categories

62% of organizations experienced breaches in critical applications in 12 month period

Source: Forrester 2009 Application Risk Management and Business Survey

Page 21: How to Derive Your Expected Loss

Baseline expected loss for your organization due to SQL Injection*

*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records

expected loss (vulnerability category) = f(% of orgs breached × breach cost × breach likelihood from vuln. category)

expected loss (SQL injection) = f(62% × $248 × 100,000 × 25%)

Page 22: Monetary Risk Derived From Relative Prevalence

| Vulnerability Category | Breach Likelihood | Baseline Expected Loss | Average % of Apps Affected (1) | Your % of Apps Affected (2) | Your Monetary Risk |
|---|---|---|---|---|---|
| Backdoor/Control Channel | 29% | $4,459,040 | 8% | 15% | higher |
| SQL Injection | 25% | $3,844,000 | 24% | 10% | lower |
| Command Injection | 14% | $2,152,640 | 7% | 6% | same |
| XSS | 9% | $1,383,840 | 34% | 5% | lower |
| Insufficient Authentication | 7% | $1,076,320 | 5% | 2% | lower |
| Insufficient Authorization | 7% | $1,076,320 | 7% | 7% | same |
| Remote File Inclusion | 2% | $307,520 | <1% | <1% | same |

Assume 100,000 customer records. For SQLi the expected loss is: 62% × $248 × 100,000 × 25% = $3,844,000

1. Veracode 2010 State of Software Security Report, Vol. 2

2. De-identified financial service company data from Veracode industry data
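The expected-loss formula from the previous slide and the relative-risk rating from this table, as an added example that is not part of the deck. It reproduces the baseline column from the deck's own inputs (62% of organizations breached, $248 per record for the financial sector, 100,000 records, the per-category breach likelihoods) and rates your prevalence against the average. Two things are assumptions rather than anything the slides state: "same" is taken to mean within one percentage point of the average, and the table's "<1%" entries are represented as 0.5%. The break-even helper supports the summary's point that you can model when remediation makes sense; treating the 12-month Forrester figure as an annual loss rate is also an assumption.

```python
"""Expected loss per vulnerability category and relative monetary risk.

Added example, not from the slides. Implements
    expected loss(category) = % of orgs breached * breach cost per record
                              * records * breach likelihood for the category
and reproduces the baseline column of the deck's table.
"""

ORGS_BREACHED = 0.62          # Forrester 2009: 62% of orgs breached in a 12-month period
BREACH_COST_PER_RECORD = 248  # Ponemon 2010 per-capita cost, financial sector (USD)
RECORDS = 100_000             # number of customer records the slide assumes

# name -> (breach likelihood, average % of apps affected, your % of apps affected)
# The table's "<1%" is represented as 0.5 here (assumption).
CATEGORIES = {
    "Backdoor/Control Channel":    (0.29, 8.0, 15.0),
    "SQL Injection":               (0.25, 24.0, 10.0),
    "Command Injection":           (0.14, 7.0, 6.0),
    "XSS":                         (0.09, 34.0, 5.0),
    "Insufficient Authentication": (0.07, 5.0, 2.0),
    "Insufficient Authorization":  (0.07, 7.0, 7.0),
    "Remote File Inclusion":       (0.02, 0.5, 0.5),
}


def expected_loss(breach_likelihood: float, orgs_breached: float = ORGS_BREACHED,
                  cost_per_record: float = BREACH_COST_PER_RECORD,
                  records: int = RECORDS) -> int:
    """Baseline expected loss in whole dollars for one vulnerability category."""
    return round(orgs_breached * cost_per_record * records * breach_likelihood)


def relative_risk(your_pct: float, avg_pct: float, tolerance_pp: float = 1.0) -> str:
    """'higher' / 'lower' / 'same' versus the average prevalence.
    The one-percentage-point band for 'same' is an assumption."""
    if your_pct > avg_pct + tolerance_pp:
        return "higher"
    if your_pct < avg_pct - tolerance_pp:
        return "lower"
    return "same"


def risk_table(categories=CATEGORIES):
    """(category, baseline expected loss, relative risk) for every category."""
    return [(name, expected_loss(likelihood), relative_risk(your_pct, avg_pct))
            for name, (likelihood, avg_pct, your_pct) in categories.items()]


def months_to_break_even(remediation_cost: float, annual_expected_loss: float) -> float:
    """Months of 'interest' after which the expected loss exceeds the principal.
    Treats the 12-month breach figure as an annual loss rate (assumption)."""
    if annual_expected_loss <= 0:
        return float("inf")
    return 12 * remediation_cost / annual_expected_loss


if __name__ == "__main__":
    for name, loss, risk in risk_table():
        print(f"{name:28s} ${loss:>10,} {risk}")
    # Constructed remediation estimate for the SQL Injection findings.
    sqli_loss = expected_loss(CATEGORIES["SQL Injection"][0])
    print(f"SQLi break-even: {months_to_break_even(22_600, sqli_loss):.2f} months")
```

Running it prints the seven baseline figures exactly as they appear in the table, so the arithmetic behind the slide can be checked, and the break-even line shows how quickly a modest remediation bill is dwarfed by the expected loss once breach cost and likelihood are plugged in.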

Page 23: Summary

With good breach cost & likelihood data we can calculate expected loss from latent vulnerabilities

We can calculate remediation cost

Can model when it makes sense to remediate

Page 24: Questions?

Contact info: [email protected]

@WeldPond