White Paper. Cutting the Cost of Application Security. An ROI White Paper

Transcription

1 Cutting the Cost of Application Security An ROI White Paper White Paper As new vulnerabilities are discovered, businesses are forced to implement emergency fixes in their Web applications, which impose significant operational costs. Even more significantly, these businesses must re-test the application to ensure these emergency fixes do not introduce new problems that could be potentially even worse. Because of the exorbitant cost and the disruption to application schedules, businesses are searching for a more cost effective approach to maintain the security of their Web applications. This paper describes how SecureSphere protects applications and reduces costs and organizational disruption by eliminating emergency fix and test cycles. This paper then evaluates the cost savings in financial terms, illustrating how SecureSphere provides immediate Return on Investment (ROI) and saves organizations 530% over five years compared to disruptive fix and test measures.

2 Web Applications Put Data at Risk Businesses in nearly every segment of the economy rely on Web applications to interface with customers and partners, and to manage financial, supply chain, CRM data. Online retail sales continue to escalate, reaching a projected $267.8 billion in Online banking, reservations, and bill pay expose banks, utilities, airlines, insurers, phone companies and many more organizations to inordinately expensive data breaches. By making data more accessible, Web applications have dramatically increased the business risks associated with that data. Applications are vulnerable to a complex mix of threats, including targeted Web-based hacking from individuals outside the organization, to advanced script and bot attacks, and zero-day Web worms. To illustrate these risks, a new sensitive data breach is disclosed every week. Over 245 million records containing sensitive information have been compromised between January 2005 and December 2008, and many of these data breaches are due to high-profile Web application attacks. Data compromises can be financially devastating because businesses must investigate the breach, notify victims, and even provide credit monitoring services to victims. In addition, many businesses spend millions of dollars on auditing services, legal defense, public relations, and inbound and outbound communications costs. When combining the costs of breach notification, legal expenses, lost business and customer churn, it is not surprising that the total expense of a single breach can range from millions to even billions of dollars. Fixing Vulnerabilities in Production is Costly Fixing a vulnerability in the early phases of the application development lifecycle is much less expensive than fixing it once the application is deployed into production. For this reason organizations try to catch vulnerabilities as early as possible. Unfortunately, even with good tools, a well trained development staff, and a strong desire to catch problems early, many vulnerabilities become apparent only after the software has been placed in production. One reason for this is that the production environment is extremely complex and few firms can afford to simulate its complexity in a test environment. A second reason is that new vulnerabilities are continually being discovered as creative and persistent attackers find unforeseen points of attack. A third reason is that many vulnerabilities are only discovered over time based on observing real users interacting with the actual production system. The facts demonstrate how difficult it is to catch vulnerabilities early in the application development lifecycle. According to Imperva s Application Defense Center research, 92% of all Web applications were found to have critical vulnerabilities when subjected to professional penetration tests. Moreover, even after a vulnerability was identified, corrected, and confirmed fixed, the same type of vulnerability reappeared at a later date in 60% of the applications 3. Emergency Test & Fix Costs Design Dev QC Production Cost vs. Product Stage w/o SecureSphere The High Cost of Emergency Fix and Test Cycles In order to protect a business s critical applications and data, a vulnerability must be dealt with as soon as it is discovered. Without a dedicated Web application security solution, this means that the application code or underlying software infrastructure must be fixed, and fixed immediately. Fixing the vulnerability can not wait until it is convenient because any delay in deploying the fix increases to the risk of being attacked. A business is therefore forced to implement an emergency fix and test cycle to correct all significant vulnerabilities. Currently 1 U.S. E-commerce Forecast: 2008 to 2012, Forrester, January, Privacy Rights Clearinghouse, A Chronology of Data Breaches, 3 For more information see the Imperva Application Defense Center whitepaper How Safe Is It Out There? located at < 2 >

3 businesses must do this even though they know that emergency fix and test cycles are very expensive. These hard costs can be quantified in terms of the hourly rate of contract or regular IT staff time to fix the problem, fully re-test the application, and deploy the new version into production. Unfortunately, shortcutting this process only adds to the business risk. If the emergency fix and test cycle is rushed to cut costs, it increases the likelihood of introducing new problems into the application. The Impact On Application Development and IT Operations The preceding sections described the quantifiable costs of emergency fix and test cycles. There are other significant costs that are more difficult to quantify, but are easily recognized and felt by everybody in the organization. These costs exist because the application development group becomes tightly coupled with the IT operations group every time addressing a vulnerability requires an emergency fix and test cycle. Both the application development group and IT operations group have a common goal of protecting a company s systems and data. However, they operate in two very different worlds. They each have their own language, measurements and approaches that are optimized to meet their differing goals. This works well until a security vulnerability is found in production. The standard way to address a vulnerability is for the application development group to execute an emergency fix and test cycle. When this happens, the careful project planning and resource allocation of the application development group becomes undone as they rush to respond to the emergency. For this reason the application development group and IT Operations may disagree over the need to implement an emergency fix and test cycle. There are many instances where these disagreements can not resolved at the operating level and involve the CIO to arbitrate between the heads of application development and IT operations. Because a dedicated Web application firewall provides immediate protection for vulnerabilities without any changes to the application, this tight coupling is eliminated and this eliminates the related departmental friction. By relying on a Web application firewall, the IT operations team has the means to keep applications safe from attack and the application development can maintain their finely tuned development schedules. The bottom line is that a dedicated Web application security solution enables the two groups to once again operate independently while increasing security and reducing operational costs. SecureSphere: Eliminating Emergency Fix and Test Cycles The SecureSphere Web Application Firewall enables companies to significantly reduce their current operational costs while simultaneously achieving even higher levels of security. With SecureSphere, companies can be assured that their applications are protected from both known and unknown attacks, including zero-day exploits, without having to make any changes to their applications or infrastructure. Unburdened from the need for emergency fix and test cycles, companies are free to implement fixes and patches on their schedule not hackers schedule. Businesses can simply treat any security fix as just another requirement to be included in the next scheduled release, saving significant time and money in the process. The time and cost to fix a vulnerability is effectively pushed back into the development phase of the application lifecycle where the costs are much lower. More importantly, the cost of re-testing the application after each individual emergency fix literally disappears altogether since this testing is already part of the standard test cycle of the next release. Additional cost savings include not having to deploy the emergency fix and not incurring the risk of rushing fixes into production in a crisis environment. Cost vs. Product Stage with SecureSphere All the benefits and cost reductions afforded by the SecureSphere Web Application Firewall can be achieved with minimal additional operational costs and no additional risk to the business. This is because SecureSphere requires no changes to Find in Production, Fix in Development Design Dev QC Production < 3 >

4 the existing applications or network. SecureSphere distinguishes itself from alternative Web application security solutions by offering the following features:» Accurate Protection Against Web Application Attacks The SecureSphere Web Application Firewall combines a dynamic white list policy model with up-to-date application signatures, session tracking and correlation rules for precise attack detection.» Automated, Intuitive Management Imperva s unique Dynamic Profiling technology automatically learns the structure, elements, and expected usage of protected applications. An easy-to-use Web management interface makes configuration effortless.» Transparent Deployment Multiple configuration options, including layer 2 bridge, proxy and non-inline monitor, enable drop-in deployment with no changes to existing applications or network.» Data Leak Prevention SecureSphere inspects outbound traffic to identify potential leaks of sensitive data such as cardholder data and social security numbers.» Ultra-high Performance and Low Latency Delivering multi-gigabit performance and sub-millisecond latency, SecureSphere can easily scale to meet the most demanding data center requirements.» Flexible High Availability Options A broad array of high availability options, including fail-open interfaces and the proprietary IMPVHA failover protocol, enable zero-risk deployment into any environment.» Enterprise-Grade Centralized Management Scaling to protect large, distributed data centers, the MX Management Server centralizes the configuration, monitoring and reporting of multiple appliances. With accurate security, automated management, flexible deployment options, and powerful centralized configuration and reporting, the market-leading SecureSphere Web Application Firewall has become the trusted choice for application security. Protection Around-The-Clock, Not Just After a Fix Cycle Many organizations build security measures into their Software Development Lifecycle (SLDC) to enhance their security posture and prevent vulnerabilities. The first step for implementing security into software development processes is to scan Web applications for vulnerabilities. Building this step into regular development schedules can drastically reduce mitigation costs compared to emergency fix and test cycles. However, fixing applications manually after an application scan can still take several weeks and delay other application development tasks. This is because software recoding processes typically entail the following steps: 1. Analyzing the code to determine the cause of the vulnerability. 2. Designing and recoding the application. 3. Testing the application to ensure the vulnerability has been ameliorated and verify that new vulnerabilities were not introduced. 4. For organizations with a change management process, documenting the fix and performing a risk assessment before applying the update. 5. Many organizations have a specific maintenance window for application changes. In certain cases, for critical vulnerabilities, an application may have to be brought down for a very brief period in order to apply the application changes. SecureSphere can be used in conjunction with third party application vulnerability scanners to instantly fix vulnerabilities, thereby avoiding time consuming and costly application update processes. Organizations that use vulnerability assessment tools from White Hat Security, HP, IBM, Cenzic, NT Objectives, or Qualys can scan their applications for vulnerabilities and then import the scan results into SecureSphere. Then, SecureSphere will identify attempts to exploit vulnerabilities that exist in the application. This integration provides greater visibility into security threats and enables organizations to fix application vulnerabilities on their own schedule. Unfortunately, many application development teams are only made aware of vulnerabilities immediately after a successful attack or application scan of a production web site. In addition, vulnerabilities may be introduced between application vulnerability scans, leaving Web applications exposed to attack for weeks or even months. < 4 >

5 As the following diagram illustrates, relying on application recoding alone can expose organizations to detrimental attacks during the vulnerability remediation process. Even when an application development team drops everything and devotes all of its engineering resources to fix a critical vulnerability, it can still take days or even weeks to apply a patch. Vulnerability Found Vulnerability Report Fix and Test Process Change Management Process Code Analysis Coding QA Plan Maintenance Window Fix Deployed Virtual Patch Fix Window of Exposure Secure Application Window of Protection Web Application Firewall In contrast to manually recoding applications, the SecureSphere Web Application Firewall provides continuous protection against application attacks. By detecting known exploits, HTTP protocol violations and attempts to tamper with the protected application, SecureSphere can accurately stop malicious behavior and prevent data breaches. Unlike network firewalls and intrusion prevention systems, the SecureSphere Web Application Firewall maintains application and session awareness, recognizing session hijacking, cookie poisoning and parameter tampering exploits. In addition, SecureSphere can inspect and protect SSL-encrypted data, and Web Services (XML) applications, ensuring that all Web application content is safe. Imperva Offers Stronger Security and Higher Return on Investment To illustrate how SecureSphere cuts operational costs, the following tables estimate the cost savings and ROI analysis for a medium size company with:» Four (4) online applications consisting of three (3) custom applications and one (1) packaged business application.» One (1) SecureSphere G4 Web Application Firewall with integrated management. Emergency Fix and Test Reduction As shown in the table below, the company estimated the number of times per year that they expected to implement fix and test cycles for both vulnerabilities found in each of the two custom applications and for the deployment of patches to the underlying infrastructure software on each of the two servers. Custom Application Without SecureSphere With SecureSphere 4 Emergency Fix and Test Cycles 6 0 Infrastructure Software Patch Deployments Operating System Patches 4 2 Web Server Patches 4 2 Packaged Enterprise Application Patches 2 1 Total With its automated protection against application attacks, SecureSphere eliminates emergency fix and test cycles. SecureSphere also offers virtual patching of operating system, web server and packaged application or application framework vulnerabilities. This virtual patching enables organizations to apply patches during their normal upgrade processes or to wait until new software versions are released, reducing the total number of patches that need to be applied. < 5 >

6 Other Financial Inputs The numbers from the table above were combined with other information from the company, such as fullyburdened employee costs for application developers and testers, as well as statistical information about the time required for emergency fix and test cycles. This information was then used as input to Imperva s ROI calculator. Financial Results Yearly Specifics and ROI The calculated savings are significant. They show that the investment in SecureSphere pays for itself in the first year and has a 5 year return on investment of 530%. SecureSphere vs. Emergency Fix and Test Costs Five Year Cost Pro Forma without SecureSphere Year 1 Year 2 Year 3 Year 4 Year 5 Total Emergency Fix & Test Costs $120,000 $120,000 $120,000 $120,000 $120,000 Total Commercial Software Update Costs $66,500 $66,500 $66,500 $66,500 $66,500 $186,500 $186,500 $186,500 $186,500 $186,500 Five Year Cost Pro Forma with SecureSphere 5 Year 1 Year 2 Year 3 Year 4 Year 5 SecureSphere Purchase $31,000 $0 $0 $0 $0 SecureSphere Software Main/Support $6,200 $6,200 $6,200 $6,200 $6,200 SecureSphere Administration Labor $7,100 $7,100 $7,100 $7,100 $7,100 Emergency Fix and Test Cost $0 $0 $0 $0 $0 Cost of Fix in Scheduled Release $19,200 $19,200 $19,200 $19,200 $19,200 Commercial Software Update Costs $33,250 $33,250 $33,250 $33,250 $33,250 $96,750 $65,750 $65,750 $65,750 $65,750 SecureSphere Savings and ROI Present Value of all Costs without SecureSphere $718,952 Present Value of all Costs with SecureSphere $282,903 Total Savings $436,049 Present Value of SecureSphere Costs (incl. Support & Admin) $82,271 SecureSphere ROI 530% Note: The return on investment is the total savings divided by the SecureSphere costs. 5 The year 1 investment for SecureSphere is based on a single SecureSphere appliance with an integrated management license, support, and administration labor. Subsequent years assume the cost of support and administration. Actual costs may differ based on specific environments and needs. < 6 >

7 Summary In conclusion, the SecureSphere Web Application Firewall not only secures critical applications and data, but it also significantly reduces the operational cost of maintaining a high degree of security. SecureSphere accomplishes this by eliminating the need for costly emergency fix and test cycles and by eliminating the tight coupling of application development and IT operations. Besides reducing the cost of application security, SecureSphere bolsters Web site defenses by protecting applications continuously, not just after an application fix and test cycle. SecureSphere identifies application tampering techniques that cannot be detected by a generic scanner and it provides a rich set of monitoring and reporting tools, enabling the application development and IT operations team to investigate security concerns. As the Return on Investment (ROI) calculation demonstrates, Imperva SecureSphere is the clear choice to protect business critical Web applications. If you would like to apply this return on investment (ROI) analysis to your own organization, please contact Imperva by phone at +1 (866) or sales@imperva.com. < 7 >

8 Imperva Americas Headquarters International Headquarters 3400 Bridge Parkway 125 Menachem Begin Street Suite 101 Tel-Aviv Redwood Shores, CA Israel Tel: Tel: Fax: Fax: Toll Free (U.S. only): Copyright 2009, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-CUTTINGCOST_APPSECURITY_ROI-0509rev1