Beyond the technical requirements and tools for application security, greater emphasis is being placed on risk management and mapping security risks to business goals.
While organizations like OWASP provide advice around Web application security threats and countermeasures, there is a greater need for standard metrics to assess vendor tooling as well as the business risks of a security strategy.
The Application Security Industry Consortium (AppSIC), which launched in December 2005, aims to fill that void by providing education on security metrics, methodologies and best practices.
Ed Adams, founder of AppSIC and CEO of Wilmington, Mass.-based Security Innovation, said companies lack the information they need to assess their own security posture and their application security. Companies need metrics so they know what their return on investment is on security purchases, he said.
"Software is not static -- it is constantly changing," added Herbert Thompson, chairman of AppSIC and chief security strategist at Security Innovation. "You can't just measure the executable; you need to measure the vendor."
By providing metrics on the vendor and its products, customers can better understand what they're getting and if it's worth their investment, Thompson said. "If you don't have the metrics, you don't know if you're getting more secure," he said.
Vendors are to some extent being asked to eat their own dog food when it comes to application security. One of AppSIC's deliverables is a list of 20 questions that end users are encouraged to ask their security vendor in order to assess risk and reliability associated with using a particular product.
"AppSIC's goals are to help companies select software and to help developers decide how to allocate their security budget," Thompson said. "But they need metrics to help them."
It doesn't stop with the initial purchase, Thompson added. You have software patches, and you have to measure the vendor's processes for handling them and for working with customers. Then there's the compliance issue: How secure are that vendor's products? Who's liable if there's a breach?
"Compliance has changed the game," Thompson said. Vendors are used to selling functionality; however, insecure software not only provides "additional functionality" but also adds liability.
AppSIC's members are a mix of customers, analysts, and vendors, including Microsoft, SAP, ING, Compuware and Oracle. "We want to make sure the methodologies we come up with have representation from all cross-sections," Thompson said.