This week saw an unusual announcement from the Information Commissioner’s Office (ICO), where it warned organisations that they must make sure their websites are protected against SQL flaws, the “oldest hackers’ trick in the book”.
In its advisory, it pointed to a case where a hotel booking website was fined £7,500 over a vulnerability on its website that allowed attackers to access the full payment card details of 3,814 customers.
Of course the ICO warned that similar failings and resulting breaches could result in fines of up to £500,000, but the commissioner has never fined beyond the £200,000 mark, which it levied against the British Pregnancy Advice Service this year.
One question that stuck with me, though, was whether the cost of fixing a flaw is higher than the fine. Yes, the fine comes with bad publicity and potential class action lawsuits, but considering the number of reported breaches we have seen in 2014, would a breach even be remembered by the public?
I asked Chris Wysopal, CTO and co-founder of Veracode, if he agreed with this point. In short, he did not, saying that if an organisation builds security testing into their development lifecycle, the cost should be less than £6,000 per application. “This is less than the £7,500 fine and much less than the total PR cost of dealing with the ICO and a public issue,” he said.
So it is cheaper to fix the flaw than to face the fine. I asked WhiteHat Security CTO Jeremiah Grossman the same question. He claimed that fixing most vulnerabilities is not that expensive, and maybe costs no more than several thousand dollars per vulnerability.
“In my experience, £500,000 would take care of the lion’s share of critical vulnerabilities in most organisations,” he said. “But, if they are producing more and more insecure code, then the cost goes up of course.”
Of course, with more websites and more vulnerabilities comes more cost, and Grossman said that collectively, the numbers can then get large.
He said: “Businesses have a trade-off to make with each and every application vulnerability. They can A) Expend precious development resources producing revenue generating features, that if they don’t ship, will cost the company money; or B) Use those development resources to fix a vulnerability that may get exploited and may cost the company money, for which the event likelihood and associated cost are far more difficult to quantify.
“The decision of which to do is very tricky and currently tough to financially justify whichever direction is taken.”
His colleague Robert Hansen, vice president of WhiteHat Labs, said that many websites have no real option when it comes to existing flaws, as their entire businesses depend on the very functionality that is being exploited.
“For example, eBay would go out of business if they broke their View-Item pages to stop allowing cross-site scripting,” he said.
“So for them, a £500,000 fine is nothing compared to the cost of fixing the vulnerability which would be tantamount to business collapse. So for them it would be worth accepting the fine.”
Obviously it makes sense to fix flaws, just as it makes sense to apply a patch; but nobody wants a blue screen of death, so it has to be done at the right time.
In this case, it is less about industry pressure and OWASP Top Ten statistics pushing for changes to be made, and more about a data protection commissioner calling the shots. I wonder whether other websites will weigh fixing against fines in the same way?