Daily Archives: August 15, 2019

Key Ways to Make the Case for AppSec Budget

Security departments are juggling a multitude of security initiatives, and each is competing for a slice of one budget. How do you make the case that AppSec deserves a slice of that budget pie, or a bigger slice, or even to make the pie bigger? Here are a few key ways:

Find a compelling event

The most obvious compelling event, of course, is a breach, but there are other events that will compel executives to budget for application security. For instance, regulations could be a compelling event – if you have to comply with a security regulation (PCI, NY DFS cybersecurity regulations, etc.) or pay a fine, that’s an easy budget win. In addition, customers asking about the security of software could be a compelling event. IT buyers are increasingly asking about the security of software before purchasing. We recently conducted a survey of IT buyers with IDG, and 96 percent of respondents reported that they are more likely to consider doing business with a vendor or partner whose software has been independently verified as “secure.” Sales losing a deal because they couldn’t respond to a security audit would certainly be considered a compelling event.

Look to the future

A clear road map and plan for your AppSec program not only gives you more credibility, but also helps to “warm up” your investors to what you’re planning on doing in future years. Show the efficiencies and risk reduction your program will make in the future to highlight how upfront investment will lead to future results. For instance, an investment in developer training will make developers more self-sufficient and lessen the burden on security teams.

Benchmark

It can be powerful to illustrate where your organization’s security program sits relative to other organizations and your peers. If you're lagging, it’s a clear indication that further investment is needed. If you're leading, you can use that fact to prove your progress and make the case for more ambitious projects.

Veracode’s State of Software Security is a good benchmarking resource, as is the OpenSAMM framework. The State of Software Security report includes comparisons by industry, so you can point to the application security progress made by others within your own industry. In addition, OWASP’s Application Security Verification Standard (ASVS) can help organizations to classify applications into three different levels from low to high assurance. This helps firms to allocate security resources based on the software’s business importance or risk breach.

Know your audience

Speak the language of executives when making the case for more budget. For instance, telling the CFO, “we've reduced the number of SQL injections” won’t resonate. Rather than the number of SQL injections, talk about how the program will reduce the number of breaches by X percent, or how it will reduce the cost to fix vulnerabilities by X percent. Be mindful of your audience and frame your budgeting conversation accordingly.

Be visible and credible

The more credible you are, the better your chances of getting the budget you’re asking for. Clearly understand what you're going to do with the money, and how you're going to justify that spend. Prove that you understand how your organization works and that you will use the money effectively. Finally, tie application security to business priorities and initiatives, and be able to show a clear roadmap for your program.

In addition, be visible. It's important to promote success of your program. Present on the progress you’re making, run awareness sessions, or have visible dashboards.

Break down your budget (must, should, could)

You’ll have a range of priorities and things that you could be spending money on in your AppSec program. Give your budget stakeholder options. Start with what you must do – for instance, what you need to achieve for regulatory compliance. And then give them some wiggle room in the middle on projects that they should or could do. If you go in with a number in mind and don't get it, be ready to slice and dice your budget request.

Learn more

Get more details on these strategies and additional tips and advice on making the case for AppSec budget in our new guide, Building a Business Case for Expanding Your AppSec Program.

New Research: Lessons from Password Checkup in action



Back in February, we announced the Password Checkup extension for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a third-party data breach. Since our launch, over 650,000 people have participated in our early experiment. In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe---1.5% of sign-ins scanned by the extension.
Today, we are sharing our most recent lessons from the launch and announcing an updated set of features for the Password Checkup extension. Our full research study, available here, will be presented this week as part of the USENIX Security Symposium.

Which accounts are most at risk?

Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use strong, unique passwords for all your accounts, this risk disappears. Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites.

In fact, outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.
Anonymous telemetry reported by Password Checkup extension shows that users most often reuse vulnerable passwords on shopping, news, and entertainment sites.


Helping users re-secure their unsafe passwords

Our research shows that users opt to reset 26% of the unsafe passwords flagged by the Password Checkup extension. Even better, 60% of new passwords are secure against guessing attacks—meaning it would take an attacker over a hundred million guesses before identifying the new password.
Improving the Password Checkup extension

Today, we are also releasing two new features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform us about any issues that they are facing via a quick comment box. The second gives users even more control over their data. It allows users to opt-out of the anonymous telemetry that the extension reports, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information.


We're continuing to improve the Password Checkup extension and exploring ways to implement its technology into Google products. For help keeping all your online accounts safe from hijacking, you can install the Password Checkup extension here today.