Now that you've decided (or battled) to set up an application security program, you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications.

In my experience helping organizations set up their application security programs, funding was perhaps the most critical factor determining the level of impact that the appsec program would have. Let's go through the various permutations and combinations of these models and what they buy you:

  1. Centrally funded cost center: This is the model most organizations follow, where a pool of centralized funds is used to hire some employees/vendors to come in and churn through the applications. This model does allow the organization to decide its overall spend on application security and set up dedicated resources for assessments. In some organizations this model has been successfully used to develop a centralized risk management system, which can then be used to go after the riskiest applications. In my experience the hidden problems in this model surface when an organization tends to use an immature risk assessment framework. This model also suffers when organizations do not take due care with capacity planning and give way too many applications to a single analyst. This fractures their time, and eventually nothing gets done.
    So remember: use this model to manage your application security spending, and use a common risk management framework. Beware of using a risk framework that does not correctly represent your organization's risk profile, and beware of overwhelming your analysts.
  2. Decentralized project-based model: This model is useful for organizations which have large decentralized business units where it is very difficult to get the different BUs to agree to contribute funding to centralized resources. In this model the application security team is reduced to a recommendation body only, which dilutes its enforcement capabilities. In my experience, this program has been successful in two scenarios, both of them at completely different ends of the spectrum. The first is where political issues between different organizations are difficult to bridge and funding commitments from these organizations are next to impossible. The second is organizations where there is a high level of consensus on spend and on the standard of security to be maintained. Needless to say, the first type of organization is all too common and the second type is all too rare.
  3. Internal cross-charge consulting: This is an interesting model where the business units decide to uphold a common security standard and there is a general awareness of the need for application security. The application security program is set up as an internal consulting organization. This model is successful for large enterprise organizations that have several LOB applications in their portfolio and are fairly mature in their security processes. One of the biggest advantages of this model is that it can be scaled up and scaled down as needed. The organization does need to be vigilant and set up policies that will ensure that all projects budget for the security work.

There are several other hybrid models that organizations have explored, including a combined network-application security team where people are cross-trained in both disciplines. You need to focus on the model that is best for your organization. The criteria to decide which model to choose should include:

  • Risk-management framework maturity
  • Investment the organization makes in application security
  • Is application security centralized or decentralized?
  • What is the amount of enforcement capabilities the appsec org will have?
  • Do you build in-house or outsource?

A host of other issues, including availability of employees with the right skills, vendors, off-shoring, size of the application portfolio, regulatory needs, etc., will influence the funding model as well. One thing is for sure: without adequate funding for governance and operations, the appsec program will not be successful. Hope this helped!!