Budgeting for Web Application Security
Great post on Budgeting for Web Application Security by Jeremiah Grossman.
Some key approaches are:
- Risk Mitigation - "If we spend $X on Y, we’ll reduce the risk of loss of $A by B%."
- Due Diligence - "We must spend $X on Y because it’s an industry best-practice."
- Incident Response - "We must spend $X on Y so that Z never happens again."
- Regulatory Compliance - "We must spend $X on Y because PCI-DSS says so."
- Competitive Advantage - "We must spend $X on Y to make the customer happy."



