


Hi Gunnar,

What is your source for your statement that security dollars are "spent on infrastructure"? You imply too much is spent on infrastructure -- compared to what? When I look at the budget for my team (40 people), the vast majority is spent on salaries.


Hi Richard

I have done the calcs a couple of times; here is one.


I did not include salaries; I simply used the public financial data. For example, Checkpoint is a $1b revenue company, which all by itself dwarfed app sec. That by itself is quite silly, and then when you compare the assets that they are protecting it gets worse.

Back of the cocktail napkin

$1b Checkpoint to protect $40b Cisco per year

~$500M (Fortify, Ounce, SPI, ...) to protect $114b (SAP (18b), MSFT (65b), ORCL (31b)) per year

So the "business" is saying that apps are about 3-4x more valuable assets than the network, yet infosec spent 2x on network security vs. appsec. Not only is there no alignment, it's the polar opposite.
