What's the Worst That Can Happen? The Cost of a 'Do Nothing' AppSec Plan

When it comes to your company's AppSec strategy, simply relying on network security won't cut it, and the consequences could be high.

Suzanne Ciccone · Apr. 14, 17 · Opinion

Do you think you don’t need application security? Maybe you think application security is too complex, or too expensive. Maybe you think, “we haven’t been breached yet, so what are the chances? And even if someone tries, we have a WAF.”

It might seem more cost-effective to simply “do nothing” rather than invest in application security. But you should be aware that there is indeed a cost associated with “doing nothing” when it comes to application security.

Chance of a Breach Is High

You do have a good chance of suffering a breach through the app layer – no matter your size or industry.

Verizon recently studied 2,260 confirmed data breaches across 82 countries and found that 40 percent resulted directly from web app attacks, by far the largest category. In addition, according to Akamai’s Q3 2015 State of the Internet Security Report, attacks at the application layer are growing by more than 25 percent annually.

So Is the Cost

A blog post on pcicomplianceguide.org observed that “the average consolidated total cost of a data breach is $3.8 million. With each lost or stolen record costing an average of $174, even 500 compromised payment records can exceed $75,000 in liability for a breached merchant.”

And that’s a conservative number considering that breach-related costs include:

  • Lost revenue: This might result from stolen corporate data, lowered sales volumes (if consumers get scared), or falling stock prices.
  • Money spent on investigation and cleanup.
  • The cost of downtime: An Information Age article estimated that every hour of downtime costs businesses $100,000. In addition, time spent fixing a breach means time diverted away from development and innovation.
  • Brand damage: A Deloitte study found that security is the second leading risk to a company's brand, behind ethical issues and ahead of risks related to safety, health, and the environment.

A Breach Is Not the Only Cost

Many regulators, across many different industries, now require that some application security controls be put in place. And with the increase in breaches through the app layer, they’re paying closer attention to application security controls.

Regulations that now require application security controls include:

  • PCI-DSS
  • NIST
  • MAS
  • HIPAA

What’s the cost of failing to comply? Here are two examples:

  • HIPAA: Noncompliance fines are up to $50,000 per violation. In addition, state attorneys general can also issue HIPAA fines, and HIPAA violations could even result in criminal penalties.
  • PCI: Fines for noncompliance vary at the discretion of the card brands and acquiring banks, and can range from $5,000 to $100,000 per month for the merchant.

Network Security Is Not Protecting Your App Layer

You might think you are “doing something” to protect your app layer if you’re relying on network security solutions, but, in fact, you are “doing nothing.” Protecting the network layer is not the same as protecting the application layer, and network solutions do not protect your organization against application-layer attacks.

But most organizations continue to focus their budgets on blocking attacks at the network/infrastructure layer while neglecting today’s real threats. Cyberattackers know this and are taking advantage of the insecure app layer.

A web application firewall is not an adequate application security solution either. Firewalls were designed to handle network events, such as finding and blocking botnets and remote access exploits. Some can address application-level events — but not as well as application-layer solutions, and only with significant effort to configure and monitor them. Ultimately, they don’t fix application-layer vulnerabilities, but rather, simply mitigate them.
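The mitigate-versus-fix distinction above, as an added illustration that is not part of the original article: a hypothetical WAF-style denylist rule sits in front of a query that concatenates user input, and a parameterised query removes the defect itself. The table, the names and the denylist pattern are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: three customer rows in an in-memory database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Bob",)])
    return conn

# Hypothetical WAF-style rule: a denylist of characters and keywords that are
# common in injection attempts. It inspects the request before it reaches the
# application and never touches the application's code.
DENYLIST = re.compile(r"['\";]|--|\b(OR|AND|UNION|SELECT)\b", re.IGNORECASE)

def waf_allows(value):
    return DENYLIST.search(value) is None

def find_vulnerable(conn, name):
    # The defect: user input is concatenated into the SQL statement, so any
    # quote in the input changes the statement's structure.
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "query error"   # the bug surfaces even on legitimate input

def find_fixed(conn, name):
    # The fix: a parameterised query; the driver treats the value as data only.
    rows = conn.execute("SELECT id FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]

def lookup_behind_waf(conn, name):
    # Mitigation: the denylist shields the unchanged vulnerable query.
    if not waf_allows(name):
        return "blocked"
    return find_vulnerable(conn, name)

def demo():
    conn = build_db()
    return {
        "plain_behind_waf": lookup_behind_waf(conn, "Alice"),     # [1]
        "legit_behind_waf": lookup_behind_waf(conn, "O'Brien"),   # "blocked"
        "legit_no_waf": find_vulnerable(conn, "O'Brien"),         # "query error"
        "legit_fixed": find_fixed(conn, "O'Brien"),               # [2]
    }
```

The legitimate name O'Brien is rejected by the rule and breaks the unpatched query behind it, while the parameterised query simply returns the matching row; the rule has hidden the vulnerability, not removed it.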

Effective application security requires a program that uses multiple technologies designed specifically to assess the security of the application layer, and that addresses the security of applications from development through to production.

“Doing Nothing” Is Not a Cost Saver

Neglecting to address application security will not save you money. In fact, it will cost you, most likely a significant amount, in the future. Applications play a pivotal role in today’s digital world and need a correspondingly pivotal place in your security plan.

To find out more about how digital business is changing the security landscape and how your security initiatives need to pivot accordingly, check out Gartner’s report, Managing Risk and Security at the Speed of Digital Business.


Published at DZone with permission of Suzanne Ciccone. See the original article here.
