Budgeting in Web Application Security
Absolute IT security is unattainable — organizations must pursue a cost-efficient approach toward an optimal level of protection.

Foreword
In recent years, cyber attacks have become more targeted, complex, and professional, while the technical barriers to carrying them out have decreased. Many attacks are economically or geopolitically motivated and executed by professionally organized teams.
Organizations must therefore allocate an appropriate budget for technical security measures. This article examines how IT security budgets are typically distributed and what share penetration testing (pentesting) should occupy within web application security.
Effective application security requires systematic testing for vulnerabilities in business logic and technical implementation — whether the target is a cloud-based platform, a web application, or a mobile app.
General Budget Development in IT Security
Organizations should dedicate a substantial portion of their IT budget to information security in order to continuously improve their defenses and respond effectively to incidents. The importance of these investments is still widely underestimated; in our view, many organizations continue to devote insufficient attention to the topic given the current threat landscape. How the companies participating in the Capgemini Invent benchmark discussed below distribute their security budget is shown in Figure 1.
The Capgemini Invent Information Security Benchmark 2019, which reports 2018 figures against those of 2017, divides IT security budgets into four categories: Prevention (e.g., security strategy, IT risk management), Protection (e.g., access control, data security), Detection (e.g., SIEM, SOC), and Response & Recovery (e.g., BCM, crisis management). On average, participants allocated 20% to prevention (25% in 2017), 43% to protection (43% in 2017), 22% to detection (20% in 2017), and 15% to response and recovery (14% in 2017).
The study also analyzed the distribution between internal resources (e.g., in-house security staff) and external service providers. Across all sectors, most organizations split their budget roughly equally between the two. This reliance on external providers also reflects the intense competition for qualified security professionals.

Kaspersky's IT Security Budget Calculator
Kaspersky offers a budget calculator that helps organizations determine an appropriate IT security budget based on their size and industry. The underlying trend shows steadily rising expenditures, driven by growing IT complexity and regulatory requirements such as the GDPR.
Budgeting for Penetration Testing
In the study cited above, participants allocated 22% of their security budget to detection. Alongside SIEM and SOC operations, this category covers the identification of vulnerabilities through manual and automated penetration testing. This figure aligns with our recommendations, though every organization must be assessed individually. Penetration testing budgets in particular should not be cut too aggressively, as testing plays a critical role in finding exploitable weaknesses before an attacker does.
Cost Progression Versus Efficiency in Manual Web Application Security
Because absolute IT security is unattainable, the goal is the optimal level of protection for a given budget. As a rule, the more time security engineers invest in analysis, the more meaningful the results, but the gain per additional hour is not constant.

The curve illustrated above shows the typical progression for manual penetration testing: beyond a certain point, the additional insight gained per hour invested diminishes significantly. Our services are scoped to operate within the optimal range of this curve, delivering the greatest security value for the available budget.
Our Portfolio for Agile Web Security
At turingpoint, we combine manual and automated testing in a coordinated assessment process to achieve the best possible results. Additionally, external expertise can be integrated through cost-effective managed bug bounty programs.
Sources
Capgemini Invent, Information Security Benchmark 2019 (Figure 1 and budget development in IT security), 2019.