No company can shoulder the cost of rewriting all their applications and starting over with a secure coding mindset. And then there are all the open source projects out there for which there's often no one to shoulder any such legacy janitorial work.
Microsoft is frequently touted as the poster child for how SDLC makes a difference, but that's an interesting -- and possibly unrepeatable -- case, Grossman said.
The Microsoft that said it was going to start over and make its applications more secure was a monopoly, dominated the industry, had strong market share, and had "multiple billions" in the bank to spend on the effort, he noted. That's not the case for most companies faced with the prospect of revamping their software portfolio.
And today, a decade after Microsoft made that commitment, Microsoft itself likely couldn't make that commitment again. "No one's going to disagree that the later versions of Windows, from Windows 7 to now, are solid. Microsoft did really good work. But what was the ROI for Microsoft in that?" Grossman said.
Instead of trying to revamp all the software, the effort should be two-pronged: 1) improve the process for remediating vulnerabilities as they are found, and 2) run new code, or actively managed code, through the SDLC.
That doesn't mean just incorporating SDLC elements, but also assessing the effectiveness of the new practices. "After you do a whole bunch of SDLC stuff, does the software actually come out more secure? If so, by how much? And is it worth it?" Grossman said.
Security investments aren't going where they're most needed
The industry has made progress finding vulnerabilities, but the immensity of the web -- at a billion-plus websites strong -- means the cleanup effort is going to take a lot of time and resources. That means there will be more compromises, attacks, and infections in the meantime.
While the industry focuses its efforts on fixing vulnerabilities and writing new code, there has to be a parallel effort to improve endpoint security to block the adversaries. "You could compromise a company just by sending an email. That's a pretty attractive route" for criminals, Grossman said.
"The spending models are all backward," Grossman said. Enterprises spend most of their IT budgets on software, followed by endpoints, and very little on networks, whereas the lion's share of the IT security budget goes to perimeter defenses, such as firewalls and endpoint security, and very little is spent on software.
Ransomware must be tackled now, before it's too late
Organizations need to look at what the adversaries are doing and allocate efforts and funding accordingly. And right now, the adversaries are looking at ransomware. The FBI has estimated payments of $23 million to $25 million were made to ransomware gangs in 2015, but that figure has ballooned to more than $200 million in the first quarter of 2016 alone. That's a staggering growth rate, especially since the latest research indicates ransomware still accounts for less than 5 percent of overall malware attacks.