Akshay on the business of security : Application Security Development Lifecycle 3: Funding Models

Thursday, May 08, 2008 11:48 AM Akshay Aggarwal

Application Security Development Lifecycle 3: Funding Models

Now that you've decided (or battled) to set up an application security program you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications.

In my experience helping organizations set up their application security programs funding was perhaps the most critical factor determining the level of impact that the appsec program would have. Lets go through the various permutations and combinations of these models and what they buy you:

Centrally funded cost center: This is the model most organizations follow where a bunch of centralized funds are used to hire some employees/vendors to come in and churn through the applications. This model does allow the organization to decide its overall spend on application security and set up dedicated resources for assessments. In some organizations this model has been successfully used to develop a centralized risk management system which can then be used to go after the most risky applications. In my experience the hidden problems in this model surface when an organization tends to use an immature risk assessment framework. Also, this model suffers when organizations do not take due care towards capacity planning and give way too many applications to a single analyst. This fractures their time and eventually nothing gets done
So remember, use this model to manage your application security spending and use a common risk management framework. Beware of using a risk framework that does not correctly represent your organization risk profile or overwhelming your analysts.
Decentralized project based model:This model is useful for organizations which have large decentralized business units where it is very difficult to get the different BUs agree to a contribute funding to centralized resources. In this model the application security team is reduced to a recommendation body only and dilutes its enforcement capabilities. In my experience, this program has been successful in two scenarios - both of them at completely different ends of the spectrum. The first, where political issues between different organizations are difficult to bridge and funding from commitments from these organizations are next to impossible. The second is organizations where their is a high level of consensus in spend and standard of security to be maintained. Needless to say the first type of organization is all too common and the second type is all too rare.
Internal cross-charge consulting: This is an interesting model where the business units decide to uphold a common security standards and there is a general awareness of the need for application security. The application security program is set up as an internal consulting organization. This model is successful for large enterprise organizations that have several LOB applications in their portfolio and are fairly mature in their security processes. One of the biggest advantages of this model is that it can be scaled up and scaled down as needed. The organization does need to be vigilant and set up policies that will ensure that all projects budget for the security work.

There are several other hybrid models that organizations have explored including a combines network-application security team where people are cross trained in both discipline. You need to focus on the model that is best for your organization. The criteria to decide which model to chose should include:

Risk-management framework maturity
Investment that org in application security
Is application security centralized or decentralized?
What is the amount of enforcement capabilities the appsec org will have?
Do you build in-house or outsource?

A host of other issues including availability of employees with the right skills, vendors, off-shoring, size of application portfolio, regulatory needs etc. will influence the funding model as well. One thing is for sure, without adequate funding for governance and operations, the appsec program will not be successful. Hope this helped!!

Filed under: Application Security, Process, Strategy, Security, SDLC, SDL

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# Application Security Governance Series

Monday, May 12, 2008 1:48 PM by Akshay on the business of security

After several requests from customers about information on how enterprise class application security

# http://email.tailorednews.com/tmsubscribe/current.asp?n=644&pid=4395

Thursday, May 15, 2008 2:48 AM by TrackBack

Name (required)
Your URL (optional)
Comments (required)

Enter Code Here: Required
Remember Me?

About Akshay Aggarwal

Akshay Aggarwal is a security strategist and researcher. He is currently a Practice Manager for Microsoft Information Security’s ACE Team where he leads the information security consulting practice for North America. He is responsible for securing Microsoft’s ecosystem by developing a robust security practice, incubating new service lines & helping enterprise customers develop world-class IT security strategies. Previously as a Senior Security Technologist, Akshay was responsible for conducting architecture design, threat modeling, application security assessments and vulnerability research. He helped Fortune 100 clients evaluate the security of their software products and applications. He has authored several security research papers and been invited to speak at many forums like the RSA Security Conference and Black Hat briefings at Las Vegas. Akshay holds a MS in Computer Science from the University of California at Davis. There, at the renowned Computer Security Lab, he conducted research on Internet worms and intrusion detection systems.

Akshay on the business of security

Search

Tags

Archives

My personal blog

My team blogs

Other blogs