We may be in the midst of an economic downfall, but that hasn't slowed the efforts of cyber criminals. In this week's column, Bryan Sullivan reviews the importance of making sure that your software and organization remain secure. He also offers advice on how to keep security at the forefront of your development process without straining your project's budget.
Regardless of the industry you're in, whether it’s healthcare, energy, telecommunications, finance, or anything else, if you're reading this article, you've been affected by the current economic downturn. Thousands of information technology professionals have been laid off from their jobs in the past year. Even Microsoft announced that they will be cutting up to 5,000 jobs over the next eighteen months. Those fortunate enough to keep their jobs will be struggling with reduced budgets across the board and will have more work to do and less money with which to do it than they've ever had before. In trying times like these, it may be tempting to cut corners by reducing or eliminating your application security budget. Like skipping visits to the dentist, though, the dollar you save today may cost you ten tomorrow, or worse.
First, consider that in hard economic times, the ranks of criminals don't decrease; in fact, it's likely that as more people lose their jobs and benefits, some will become desperate and turn to crime. There have been widely reported stories of recently laid-off workers burgling homes and robbing banks. Admittedly, we're not going to stop these types of violent crimes with increased software-security spending. However, several organizations are seeing a similar increase in the rate of white-collar cybercrime. In October, the FTC issued a warning stating that "online scammers are taking advantage of tough economic times" by sending phishing emails tied to bank mergers. Special agent Darren Mott of the FBI Cyber Division stated that the FBI has seen increased attacks on specific, high-profile targets like CEOs and CFOs, noting that "cybercrime is recession-proof."
Given that it's likely that attacks against your applications will increase and also unlikely that your security budget will see a corresponding increase, how can you continue to improve application security? The answer is simple: you can save money and be more secure by adding security earlier in the development lifecycle. Far too often, organizations think of security like