A significant portion of my travel schedule is dedicated to meeting with InfoSec teams at organizations large and small, mostly asking questions about the current status of their application security programs. From these interactions I learn A LOT about today’s most pressing challenges, such as what strategies [really] work, which [really] don’t, and what direction things are heading. Budgetary resources, or the lack thereof, is easily the most commonly cited obstacle to progress, second only maybe to management & developer awareness, which is probably the root cause.
During the same discussions I’m often asked by prospective customers, industry analysts, and the media too, “Who does WhiteHat Security compete with?” Sometimes the question is asked to better understand how we’re different or what problems we help solve. Other times the question is about getting a clearer picture of where WhiteHat Security fits in the market. I typically answer with the names of the usual suspects, how they are either a desktop scanner or a billable hour consulting shop, while we’re a better, more efficient, scalable option as an on-demand subscription service. The more I repeat this, though, and the more of the aforementioned discussions I participate in, the more I find this answer wholly superficial and inadequate.
Here’s the thing. By the time serious application security planning takes place, when it comes time for organizations to invest real $ in executing a strategy, 90% or more of the InfoSec budget has normally already been spent or spoken for — spent protecting the network and hosts. Important layers as these are, this also leaves just a tiny fraction of the pie available to address the biggest and most important problem the entire security industry is facing. Crumbs to protect the area of IT where the business invests the most money creating — software. Let me put this another way. Every firm, every person in the application security field, more directly competes with firewalls and anti-virus products.
The big security companies out there, the guys who peddle these products to those who purchase them out of habit or compliance mandate, also simply don’t “get” application security, nor do they care to. This is understandable since the overall application security market is still too small for the mega-corps to care about. That’s just basic business economics. If one of their customers wants to invest in application security, to them that probably just means swapping dollars away from their firewall & AV cash cow, and zero net new revenue to them. Yet they’ll be happy to sell you a cheap widget that is “better than nothing,” and/or toss it in as part of a larger “enterprise” sale.
Organizations are starting to figure this game out though. They are asking why their firewall, anti-virus, and intrusion detection systems didn’t protect their multi-million, multi-billion dollar Web-based business from getting hacked — for the money or the lulz. With every breach headline, more and more are realizing how little of what they spent 90% of the budget on is designed to do anything of the kind. This is precisely why I’m optimistic about change. 2012 is going to be an important year, a year where application security becomes too painful to ignore.