Abstract
Software security: we know we want it, we make choices and tradeoffs that have implications for it, yet, in a general sense, it has escaped true definition and defied measurement. Definition and measurement though are sequential, meaning that something must be defined to make any comparisons against it. In a technical sense, many have positioned software security as protecting the confidentiality, integrity and availability of data, resources and sometimes the application itself. This "definition" tries to capture security broadly but in practice the importance of these things — and the value that defending them has to an organization — varies wildly.
More important than defining what security is, we need to capture what it means in context, and what it costs. The only definition that really matters to the enterprise then is one that deals with the contextual nature of security, risk, and pain. This paper is an attempt to explore what software security means to enterprises. Its purpose is to lay the foundation for software security metrics that are truly actionable by the business community to help drive security decisions for the software they buy, build, and outsource. The thoughts, ideas, insights and proposals here come from the members of the Application Security Industry Consortium (AppSIC) [1], a group of software security executives, researchers, analysts and practitioners from the vendor, enterprise consumer, academic, and analyst communities. Our intention in writing it is to spur debate on the topic, and, through the input of the community, create a foundation upon which to build software security metrics that are meaningful to business.
References
[1] Application Security Industry Consortium (AppSIC), www.appsic.org.
[2] G. Stoneburner, A. Goguen, and A. Feringa, "Risk Management Guide for Information Technology Systems", p. 8, National Institute of Standards and Technology (NIST) Special Publication 800-30, 2002.
Cite this article
Members of the Application Security Industry Consortium (AppSIC). What Software Security Means to Business. DuD 30, 632–635 (2006). https://doi.org/10.1007/s11623-006-0163-9
DOI: https://doi.org/10.1007/s11623-006-0163-9