When you want to buy something that you can't afford, what do you do? If you're like most people, you go to a financial institution, take out a loan for the price of the item, then buy it and enjoy it. From then on you have two options: you can respond by paying just the interest, or you can be proactive and pay the interest plus some of the principal. The same concept holds true for security issues in application code.
Application Security Economics
Banks aren't in the business of giving out money for the fun of it: they eventually want that money back, usually with some interest attached. Once you've incurred the debt, if you keep responding to it by paying just the interest, the principal you borrowed stays exactly the same, as long as you pay exactly the interest and never borrow any more. Life at this point is good, and in theory you could carry on like this forever, but we all know that's not really what happens.
Consider the graph below: at the beginning of October I take out a loan for some amount of money.
By the end of the month I've incurred some interest. Hopefully I was smart and shopped around for the best rate, so the interest is fairly low; nonetheless the total I now have to pay back is the interest plus the principal I borrowed, because, let's face it, we all want to make money.
Like a good debtor, come November I've got my paycheck and know I have to pay some interest on the debt, otherwise things go off the rails and the collectors come looking for me. I could pay off some of the principal as well, but I'd much rather go drinking with my friends and spend time doing other things, so I pay only the minimum I am required to.
As you can see, I've responded to my debt and paid the required amount, so in November I owe exactly the principal I borrowed in October; at the end of November there will be some interest again.
December comes along and, well, it's Christmas and I want to do some things, so I borrow a little more money.
When I borrow more money I obviously owe more interest, but that's okay, I can still respond to it. Come January, however, the winter blues have me cold and frozen in Northern Canada, so I decide to go on a vacation. Now I have a problem: more of my money is going to responding to the interest accumulating on the principal, and I can't quite afford the trip with what is left over. So what do I do? That's right, I borrow some more money.
I go on my trip and have a blast, but come the end of the month I am shocked at the interest I've accumulated.
Now things are really starting to get interesting. I can't quite afford to respond to all the new interest in the allotted time, so what do I do? I respond to some of the interest and carry the rest forward. After all, doing something is better than doing nothing, correct?
But when I fail to respond to all of the interest, what happens? The unpaid part gets added onto the principal I owe and starts to accumulate interest of its own: now my interest is earning interest. This is a great place to be if you're the person lending the money, and a bad place to be if you have to respond to it.
Now things are really starting to spiral out of control, and they get even worse in March and April.
This could in and of itself be a lesson in why one shouldn't live off debt, or use it too extensively, if at all possible. However, the root of my problems isn't that I've borrowed money; borrowing money can be a good thing, since it lets me do what I want to do and creates jobs and money for others. The problem is that I've always been in a mode of responding to the debt. Obviously I need to respond to it, but how I choose to respond is what truly matters: if I only respond to the problem created by the principal, the interest, then I've failed to take a proactive approach. A proactive response means paying down the principal as well.
Now consider the graph below. If we swap money for code, it becomes obvious that code can be thought of as both a principal and an investment, and the interest accumulated on that principal can be thought of as technical debt.
Security issues are a huge form of technical debt, and all too often in the software industry we get in the habit of being only responsive to that debt: we fix each security issue immediately when it surfaces. What we fail to do, all too often, is take a proactive approach and pay down the principal. Being only responsive to security issues is a flawed approach, and it is wrong. There are many reasons why organizations take a purely responsive approach, but meanwhile code continues to be written, driving up your technical debt and the security issues within it. If your organization is only responding to security issues as they surface and not considering security from the beginning, you're only responding to the interest and not addressing the root problem. If your organization isn't writing any new software, go ahead and keep your current MO of responding; but if you're creating new software you need to think about investing in security differently. It might not be 6 months, it might be 6 years or 10 years, but you will have a huge security issue, probably in 2 years, that will cost you orders of magnitude more than the investment in a proactive approach would have.
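To make the compounding concrete, here is a small simulation of the October-to-April timeline above; it is added here as an example and is not part of the original post. The monthly rate and amounts are constructed, and the rule is the one the post describes: a payment covers interest first, and any interest it does not cover is capitalized into the principal. The second path makes the same borrowing but pays interest plus some principal every month.

```python
from dataclasses import dataclass, field

# Constructed figures: 5% per month is deliberately high so that compounding
# is visible within the post's October-to-April window.
MONTHLY_RATE = 0.05

@dataclass
class Ledger:
    principal: float = 0.0                 # everything currently accruing interest
    history: list = field(default_factory=list)

    def month(self, label, borrow=0.0, pay=0.0):
        """Borrow at the start of the month, accrue interest, then respond with a payment.
        The payment covers interest first and only the remainder reduces the principal;
        interest it does not cover is capitalized and earns interest of its own."""
        self.principal += borrow
        interest = self.principal * MONTHLY_RATE
        to_interest = min(pay, interest)
        to_principal = pay - to_interest
        carried = interest - to_interest
        self.principal += carried - to_principal
        self.history.append((label, round(interest, 2), round(self.principal, 2)))
        return self.principal

def respond_only():
    """The post's timeline: pay exactly the interest, borrow more, then fall short."""
    l = Ledger()
    l.month("Oct", borrow=1000, pay=50)   # interest 50 paid in full: principal unchanged
    l.month("Nov", pay=50)
    l.month("Dec", borrow=500, pay=75)    # Christmas: more principal, interest still covered
    l.month("Jan", borrow=500, pay=100)   # vacation: interest is now 100, just barely covered
    l.month("Feb", pay=60)                # 40 of interest is carried and becomes principal
    l.month("Mar", pay=60)                # interest on 2040 is 102: the bill grows with no new borrowing
    l.month("Apr", pay=60)
    return l

def pay_down_principal():
    """Same borrowing, but each payment is the interest plus a slice of the principal."""
    l = Ledger()
    for label, borrow in [("Oct", 1000), ("Nov", 0), ("Dec", 500), ("Jan", 500),
                          ("Feb", 0), ("Mar", 0), ("Apr", 0)]:
        l.month(label, borrow=borrow, pay=150)
    return l

if __name__ == "__main__":
    for ledger in (respond_only(), pay_down_principal()):
        for label, interest, owed in ledger.history:
            print(f"{label}: interest {interest:7.2f}   owed {owed:8.2f}")
        print()
```

Once interest is carried in February, the April interest bill is higher than January's even though nothing new was borrowed, which is the "interest earning interest" effect the post describes.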
What to do?
The answer is really simple:
START INVESTING IN A SECURITY PROGRAM
There really is no excuse anymore. If you're really not sure where to start, check out the blog posts under the application security program; I've been laying the groundwork, building up to a program. I'll be rolling out more entries shortly, specifically on building a program, as I am leading an initiative to go through that process right now. For now, hopefully you understand application security economics 101: it's really not that different than basic economics.
The post Application Security Economics appeared first on Security Synergy.
I am a Sr. Engineer for a major security firm; I have been developing software professionally for 8 years now; I've worked for startups, small companies, large companies, myself, and education. Currently the company I work for has 7,000+ employees worldwide. I am responsible for our platform security: I write code, implement features, educate other engineers about security, perform security reviews and threat modeling, and continue to educate myself on the latest software. By night, I actively work to educate other developers about security and security issues. I also founded a local chapter of OWASP, which I organize and run.
I cut my teeth developing in C++ and it's still where my heart is with development; lately I've been writing a lot of C# code and some Java, but I do have a project or two coming out in C++/DirectX 11 whenever I get the time.
When I am not developing code I am spending my time with my wife and daughter, or I am lost deep in the woods somewhere on a camping trip with friends. If you can't find me with a GPS and a SPOT device, then chances are I am on the rugby pitch playing rugby and having a great time doing so.
You can find more about me and my thoughts on security