Chapter 29. Application Security on a Budget

This chapter was coauthored with David Coffey, Director of SiteAdvisor and Product Security at McAfee.

A few big companies like Microsoft and Oracle have had enough security problems in their products that they’ve made massive investments in application security. For instance, the two of us frequently hear that Microsoft has invested at least $2 billion on the problem since about 2001.

Most companies aren’t so lucky (or, should we say, unlucky?). It’s tough to argue for budget, because, in most cases, it’s difficult to determine the value of product security activities. Here are the most important factors that will get people to spend time and resources on security:

Compliance

Some standards, like PCI DSS (the payment card industry's data security standard, maintained by the PCI Security Standards Council that Visa and the other major card brands founded), require specific product security activities in order to be compliant. Similarly, some customers, particularly parts of the U.S. government, may require that software security work such as external audits be done before they will buy.


Frankly, software users are desensitized to security flaws. Most companies can ship a lot of security flaws without any real consequences from the public. Microsoft, Oracle, and the big security companies are the exceptions, not the rule.

Customer demand

Sometimes customers do expect some security, particularly security features. For example, customers may occasionally ask for SSL support in an application.

Feature parity

If another product has a feature like SSL, competing ...
