
Comments

Taosecurity

Hi Gunnar,

What is your source for your statement that security dollars are "spent on infrastructure"? You imply too much is spent on infrastructure -- compared to what? When I look at the budget for my team (40 people), the vast majority is spent on salaries.

Gunnar

Hi Richard,

I have done the calcs a couple of times; here is one:

http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html

I did not include salaries; I simply used the public financial data. For example, Checkpoint is a $1b revenue company, which all by itself dwarfed app sec. That by itself is quite silly, and then when you compare the assets that they are protecting it gets worse.

Back of the cocktail napkin

NetSec
$1b Checkpoint to protect $40b Cisco per year

vs
AppSec
~$500M (Fortify, Ounce, SPI, ...) to protect $114b (SAP(18b), MSFT (65b), ORCL (31b)) per year

So the "business" is saying that apps are about 3-4x more valuable assets than the network, yet infosec spent 2x on network security vs. appsec. Not only is there no alignment, it's the polar opposite.
