"How do you achieve quick wins in Web Application Security, rooted in software, with measurable results that CIOs would appreciate?"
I started a thread on twitter with my answer, but that's not the format for reasoned discourse and detailed thinking. So, I decided to write about my thoughts a little more in detail here.
The answer is simple: You don't.
Jeremiah laid out most of the reasons in his post, but it comes down to one thing: an SDL improvement effort is a multi-faceted, process-based set of changes whose payoff is a long-term process that creates security through up-front consideration, not through solving one-off tactical issues.
In that way, the effort that Jeremiah lays out is exactly the same as that faced by the Quality proponents and Deming followers in the 80s. Everyone "knew" that quality was important, but nobody could ever justify the up-front costs of redesigning an entire process to create that kind of quality.
In short, there were no short-term wins.
Yet, today, almost every large corporation has implemented some form of Six Sigma/Lean/TQM program at some point.
The point I was making on twitter was that, if there's a model to follow to find the way to make application security palatable to the C-suite, it's the adoption model of Six Sigma.
I see three key points to the adoption of quality as a movement.
Business Pain without a foreseeable end
The main driver behind the quality movements of the late 80s and early 90s was the pain that most organizations were feeling. The economic recovery of the 80s led to a strong competitive environment, with extra pain coming from overseas competition. In the case of the auto industry, it was Japan. For other orgs, the pain came from other offshore and domestic competitors. And as the economy slowed in the late 80s/early 90s recession, many of these organizations looked for a sustainable competitive advantage to give them an opportunity to survive when others in their space couldn't.
The economy is leading us to a similar state today. Businesses are looking for an advantage as the economy turns down. (Note that I don't believe that application security leads to a sustainable competitive advantage in the same way that Lean and 6S do. I'm just making a parallel between the conditions).
Examples of Success
The most important factor in the adoption of quality processes was the very public example of success put forward by Honeywell, Motorola and GE. From Wikipedia:
"Other early adopters of Six Sigma who achieved well-publicized success include Honeywell (previously known as AlliedSignal) and General Electric, where the method was introduced by Jack Welch. By the late 1990s, about two-thirds of the Fortune 500 organizations had begun Six Sigma initiatives with the aim of reducing costs and improving quality."
Because these organizations put forward incredibly public accounts of their success, it was easy for other C-level executives to embrace the potential of the initiatives. While every leader wants to believe that they're an individual, the top levels of business are very much a CYA culture - only the success of one's peers allows one to take the risk.
This led to...
Quality is Free
As these successes built, documentation started to build the belief in this type of program. This eventually led to the mantra that "Quality is Free" - the idea that a successfully implemented quality program pays for itself in the long term, regardless of the short-term cost/pain associated with the implementation.
My point to Jeremiah is that the Application Security community is living without the latter two of these points - we have no examples (save perhaps Microsoft) that show that a consistent focus on process-oriented security is successful. And we have no data that backs up the long-term cost benefit of the initiative.
In a situation where the task requires long-term process reorientation, short-term wins aren't possible. We need to follow the model of the adoption of Six Sigma: we need to court those forward-thinking, Jack Welch-type CIOs who are willing to make this happen, and then have them make their successes public.
Only then will we see a widespread adoption of security-focused SDL reengineering initiatives.