If you had £20k to spend on web product security and could choose between training your team of developers in appropriate secure coding skills or purchasing an application firewall, which would you choose?
Here’s my answer – I’d buy the firewall.
Now, there might be a few of you who are surprised at my response and a number of you who disagree. That’s great; I don’t mind people disagreeing with me, because I’d love for you to prove me wrong and help me make a better decision if, indeed, you can argue why I’m making the wrong one.
There are a number of reasons why I’m going to take the device over training and here they are:
1. The firewall buys me risk mitigation that I can measure. It doesn’t matter if the product contains security holes (known or unknown) because the device will prevent the vulnerabilities from being exploited.
2. The money spent on training will be wasted. The developers will still write buggy code in their haste to meet deadlines and after six months most of them will have left to either become plumbers or security consultants.
OK, I’m generalising – and I know plenty of developers who did not become plumbers, and one in particular, namely me, who did become a security consultant – and I frequently hear anecdotal evidence relating to the value of training, but I reckon we can do a better job without spending the money. For example, take a look at the fantastic open-source resources (IMHO) provided by Foundstone: Hacme Bank, Hacme Books and the rest of their free security training tools (go to Resources – Free Tools). I can think of few reasons why you shouldn’t be encouraging your developers to work through the training guides provided with these resources, and many reasons why you should. And I take my hat off to Foundstone for continuing to provide and update them.
Application firewalls are not a solution to insecure code, but they are a solution when the problem you are trying to solve is an insecure product. With web products now reaching incredible levels of complexity, it doesn’t matter how well trained the developers are: you will have bugs, and the likelihood is that some of those bugs could result in a security breach and/or your business falling out of compliance with some legislation or other. In which case, if I’ve got 20 grand to spend on either training or an application firewall, I’m off to the firewall shop.
To close off, this cartoon on the SecurityBuddha blog made me laugh out loud…