Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
2013 Update
WHITE PAPER
Jan 15, 2015
We are witnessing a profound shift in how businesses and organizations manage information security and protect against cyber attacks. Traditional perimeter defenses — including firewalls, network IPS, APT solutions, and NGFWs — are no longer good enough. While those solutions help protect network infrastructures, chief information security officers (CISOs) know they also need to secure the software applications they write and deploy. The shift has created a need for comprehensive software security products and services — known as software security assurance (SSA) solutions — that help companies uncover vulnerabilities in their application code, fix defects quickly and effectively, and produce software that is impervious to attacks wherever they operate. In this way, CISOs build in a layer of defense to protect what has become a primary attack vector for cybercriminals: the software applications themselves.
In 2010, Mainstay investigated the business value of SSA solutions, studying 17 organizations that had deployed solutions from HP Fortify, a leading provider of SSA solutions. Our study found substantial benefits from adopting application security programs, with companies saving as much as $2.4 million per year from efficiency and productivity improvements, including more effective vulnerability detection and remediation, and streamlined compliance and penetration testing.
Mainstay revisited the SSA market in 2013, surveying more than a dozen companies across a similar cross-section of industries. The new study combined insights from executive interviews, industry research, and benchmark analysis to measure the range of benefits that organizations are seeing from their SSA investments.
2013 Study Findings
In the new study, we discovered a market for SSA that is growing and maturing at a rapid pace — and yielding greater benefits than three years ago. Key findings include:
• Continued Significant Cost Savings. Companies in the new survey reported millions of dollars in cost savings and operational savings from adopting SSA solutions, exceeding the average savings reported in 2010 for most organizations. Specifically, SSA solutions enabled organizations to uncover vulnerabilities more quickly, fix defects 20 to 100 times faster, and massively lower the costs of compliance and penetration testing. The result: Organizations saw their development effort shrink by as much as 40%, while developer productivity nearly doubled on average. The combination of test and remediation cost savings and development productivity improvements is generating benefits estimated at $8M per year.
• Expanded Revenue Potential. More companies are now embedding software security controls and best practices throughout the development lifecycle and leveraging SSA to protect and maximize revenue streams. With SSA, organizations virtually eliminated delays due to software security issues and significantly accelerated new product introductions. Our finding: Companies in some industries can capture an estimated $8M in additional revenue and save $15M in development costs.
Executive Summary
Table of Contents
Executive Summary
Key Findings: Cost and Productivity Savings
Key Findings: Strategic and Growth Benefits
Key Findings: Risk Mitigation
Benefit Summary: Unlocking the Potential of SSA
Conclusion
Appendix: Research Interviews
End Notes
Cyber security has emerged as a top priority for enterprises worldwide, but are automated software security assurance (SSA) solutions worth the investment? In this updated study of enterprise companies across multiple industries, SSA solutions from HP Fortify were shown to generate millions of dollars in cost savings, revenue enhancement, and risk reduction. What’s more, companies found they could accelerate benefits using Fortify on Demand, a Security-as-a-Service solution that helped them ramp up faster, fix vulnerabilities sooner, and generate savings in days.
• Faster Time to Value with On Demand Solutions. The 2013 survey found significantly more companies adopting Security-as-a-Service (SaaS) testing solutions such as HP Fortify on Demand (FoD). Cloud-based software security services appealed to companies that wanted to test their software quickly and affordably, avoid the burden of installing and managing SSA applications, and minimize the need for in-house software security expertise. The solution’s test-anywhere flexibility also attracted companies with global development operations and extensive outsourcing partnerships. Specifically, the study found that companies using HP Fortify on Demand were able to ramp up software security programs faster and then find and fix critical vulnerabilities earlier, leading to faster realization of benefits.
• Increasing SSA Innovation. Software security programs have become a significant market differentiator for companies that compete in information-intensive industries or that provide software-enabled solutions to customers. While in 2010 we found a few early innovators that were using SSA solutions to stand out in their industries, 40% of organizations surveyed in 2013 saw SSA as a core strategy in advancing their market competitiveness. Creative strategies included using SSA to gain leverage in business deals — specifically by setting optimal asset prices based on security assessments — and to improve work-product quality from partners by using SSA to continuously enforce security standards.
• Greater Overall Economic Value Potential. For companies that deploy SSA in comprehensive and innovative ways, Mainstay calculated that software security programs can generate as much as $50M in annual benefits, at least $13M more than the value potential of companies in 2010.
At a time when IT budgets are coming under closer scrutiny, CISOs are being called upon to justify SSA investments from a cost-benefit perspective. For CISOs, the thrust of this study is clear: Software security solutions are providing substantial operational and strategic benefits for companies across a range of industries and generating cost savings and revenue-enhancing benefits that more than offset the cost of the initial investment. And for companies that want faster payback, on-demand SSA solutions are an effective way to get started with an application security program with minimal upfront costs.
The study found that software security programs delivered more than $8M in annual cost avoidance and savings on average. For some organizations in information- and software-intensive industries, benefits could reach as much as $50M annually.
| Performance Metric | Improvement |
| --- | --- |
| Vulnerabilities per application | From 100s to 10s |
| Average time to fix a vulnerability | From 1 to 2 weeks to 1 to 2 hours |
| Percentage of repeat vulnerabilities | From 80% to 0% |
| Compliance and penetration testing effort | From ~$500k to ~$250k |
| Time-to-market delays due to vulnerabilities | From 4+ incidents (30 days each) per year to none |
Key Findings: Cost and Productivity Savings
Companies adopting SSA solutions reported benefits beyond just risk mitigation. In fact, for the average company in the study, HP Fortify drove annual operational expense (OPEX) savings amounting to millions of dollars per year.
Faster Scans
Without exception, companies said they preferred automated software security solutions to manual code-scanning procedures. Manual routines were not only slower, but also narrower in focus and less thorough. By speeding the scanning process — often by a factor of 20 to 30 — these companies could extend their security checks to cover more lines of code and reach a broader number of applications.
Of the solutions they evaluated, companies found that HP Fortify offered the fastest scanning performance — in minutes or hours versus days — largely because of flexible capabilities such as partial scans that allowed faster diagnosis of specific components of an application.
Findings
• Companies reduced the time required to scan 1,000 lines of code from 60 minutes using manual methods to just 2–3 minutes using HP Fortify.
• Advanced capabilities, such as partial scanning in HP Fortify, enabled companies to accelerate vulnerability testing by 2–10x compared to alternative approaches.
Finding Critical Vulnerabilities Faster
Organizations typically uncovered thousands of exploitable vulnerabilities through initial code scans using SSA solutions such as HP Fortify. The discovery spurred them to repair these defects in short order and then introduce SSA-supported programs to produce cleaner code in the first place. The executives surveyed said HP Fortify excelled at uncovering “critical and high” types of vulnerabilities that put companies at greatest risk.
Findings
• SSA solutions uncovered 10 to 100 times more vulnerabilities than were previously known.
• In contrast to other SSA solutions, HP Fortify uncovered more verified “critical and high” vulnerabilities.
[Figure: Fortify Improved Scanning Speed. Before Fortify: 60 minutes per 1,000 lines of code. After Fortify: 2–3 minutes per 1,000 lines of code (20–30X).]
[Figure: Fortify Provided Better Coverage of Critical and High Vulnerabilities. Critical and high vulnerabilities before Fortify: unknown critical and high vulnerabilities. Critical and high vulnerabilities after Fortify: critical and high vulnerabilities uncovered. Vulnerabilities after prolonged usage of Fortify: all critical and high vulnerabilities eliminated.]
Credit Card Company Cuts Risk
Facing tough industry regulations around software security, a leading credit card company turned to HP Fortify to rapidly scan 100% of its high-risk applications for vulnerabilities. The move came after the company ran into difficulties with an alternative solution that required complex compiling and code preparation. Fortify offered faster scanning of static code and greater flexibility, and the solution dovetailed with the financial company’s strong risk management model. Fortify is now expected to help differentiate the company in the marketplace.
On-Demand Software Security: A Flexible, Affordable Option
In our 2013 survey of the SSA adopters, more companies were moving — or evaluating a switch — to cloud-based Security-as-a-Service (SaaS) solutions, specifically HP Fortify on Demand. Using this automated on-demand service, organizations upload their application source code or provide a URL for testing. HP Fortify on Demand conducts static and/or dynamic tests, verifies the results, and presents findings in a web-based report.
HP Fortify on Demand appealed to companies that wanted fast implementations and time to value, with the study finding that companies uncovered the most critical and high-risk vulnerabilities faster and saw benefits earlier — within a week on average — using on-demand solutions. As shown in the adjacent figure, companies using on-demand solutions got over the “vulnerability hump” faster than those with equivalent on-premise SSA solutions.
Because users can upload code from anywhere, on-demand SSA was the preferred approach for organizations with geographically spread-out development operations or for firms that outsourced code development to global partners. Greater flexibility in working with third parties also made on-demand solutions ideal for evaluating digital assets during due-diligence and price-negotiation phases of a business acquisition. However, on-premise SSA solutions continued to make sense for organizations that wanted greater customizability and control over their security programs. The figure below shows a comparison of the two approaches.
[Figure: On Demand Accelerates Time to Value: Getting Over the ‘Vulnerability Hump’ Faster. Labels: On Premise; On Demand; Unknown vulnerabilities; Known vulnerabilities; Critical/high vulnerabilities; Setup Complete; Critical/High Fixed; Steady State; Ramp-up time; Fortify Impact (Pre-Fortify, With Fortify).]
1. Ramp-up Time
• On-Premise: 1–6 months
• On-Demand: 1–2 weeks
2. Critical/High Vulnerabilities Addressed
• On-Premise: 1–12+ months
• On-Demand: 2–8+ weeks
3. Most Vulnerabilities Addressed
• On-Premise: allows fine-tuning daily
• On-Demand: achieve steady state sooner

[Figure: Comparing On Demand with On-Premise SSA Solutions. Regions: On Premise, Shared, On Demand. Items listed:]
• More regular deeper security scans
• Security scans customized to diverse applications
• Increased ROI from trained software security staff
• Compliance with IP/data within four walls
• All critical and high vulnerabilities eliminated
• Developer productivity improved
• More secure third-party/outsourced development
• Rapid implementation and buy-in
• Staff headcount avoidance
• 30x faster scanning
• Development effort saved with scan reports
• Analysis and guidance from security experts
Streamlined Compliance and Penetration Testing
A number of companies in the survey face strict government and industry regulations for application security, particularly organizations in the financial services and healthcare industries.⁴ The extra development and auditing effort needed to comply with these standards can be costly, as are the potential penalties for non-compliance.
In our study, executives said SSA solutions helped control costs by streamlining regulatory compliance projects, substantially reducing fees paid to outside auditors and security consultants. By configuring the SSA solution to address specific compliance mandates, organizations quickly identified and ranked vulnerabilities according to severity. The solution generates a report that documents these activities, creating an audit trail for regulators.
Findings
• SSA reduced manual forensics effort needed to comply with industry audits, saving $100K per year.
• The average organization adopting SSA saw its fees paid to compliance auditors fall by 89% — or about $15K annually.
[Figure: Auditor Compliance Fee Savings. Fees fall from $17.5K (Legacy) to $2K (SSA), an 89% reduction.]
Fix More Vulnerabilities with Less Effort
Companies in both 2010 and 2013 said SSA solutions helped them to not only find verified vulnerabilities more easily, but also fix them faster. Slow remediation cycles were common in pre-SSA environments — often lasting 2–3 weeks — largely because most defects weren’t uncovered until late in the development process, when remediation can be time-consuming and expensive.¹ When vulnerabilities made their way into production, the remediation project increased exponentially in scope, requiring as much as 10 to 100 times the effort to resolve. At this point, developers were often removed from high-value tasks to solve the problem, requiring overtime and adversely impacting software quality.
Findings
• By introducing automated SSA technology and best practices, organizations reduced average remediation time from 1 to 2 weeks to 1 to 2 hours.²
• After adopting SSA solutions, remediation required fewer resources — from 4-5 additional FTEs to virtually zero — saving an estimated $44K annually in remediation costs per application.
• For the average organization, these cost savings are estimated conservatively at $3M per year.³
Canadian Government Agency Saves $100K with On-Demand SSA
With its widely distributed software development organization, this agency needed a convenient and affordable way to secure its sensitive applications. Standardizing on HP Fortify on Demand was the best option in this situation, helping the agency eliminate software vulnerabilities without hurting developer productivity. In fact, the agency estimates it’s saving more than $100K per year using HP Fortify on Demand when compared to manual forensic methods.
[Figure: 10x Faster Remediation of Verified Vulnerabilities with Fortify on Demand. Compares fixing effort with Fortify on Demand and fixing effort without Fortify on Demand; labels: 10X, 10%.]
Accelerating Adoption
To gain support from senior leadership, about 90% of the executives said that proving SSA’s payback potential was critical. Indeed, the most successful SSA programs employed a set of best practices that helped organizations accelerate adoption and derive more value from their solutions. Combining people, process, and technology, these practices include:
People: Drive awareness of SSA by securing support from key stakeholders.
• Communicate the business value of software security to the board of directors.
• Set aggressive goals for applications and developer coverage in the first year.
• Invest in software security education and training.
Process: Drive vulnerability-prevention processes deeper into the development organization.
• Require code scans at strategic checkpoints in the development process — such as during nightly builds — before releasing applications to production.
• Rapidly integrate software security resources with development teams.
• Include software security performance as part of developers’ job appraisals.
• Urge adoption of SSA practices by application development partners and track their compliance.
Technology: Integrate SSA into SDLC automation tools.
• Connect SSA tools to a bug-tracking database to improve time-to-fix.
• Integrate SSA solution with audit and compliance tools to accelerate compliance process and maintain audit trails.
• Systematically prioritize vulnerabilities to focus remediation plans and streamline remediation and penetration-testing activities.
Similarly, after adopting SSA and instituting more rigorous code scanning and remediation processes — along with improved developer awareness and education — organizations found they consistently met quality standards, and thus could plan and focus their penetration testing better and reduce the overall effort required.
Finding
• The average organization achieved a 50% reduction in penetration testing costs, translating into annual savings of more than $250K.⁵
“Fortify gave us a 48-fold increase in our ability to scan applications.”
– Global Consumer Foods Giant
Overall Development Productivity Savings
The benefits of SSA solutions increased over time, companies noted, as developers learned from scanning results and adopted more secure coding practices at the start of new projects. As a result, the number of repeat vulnerabilities and defects found in the software declined, software tests were completed faster, and overall development cycles were shortened.
Findings
• The percentage of repeat vulnerabilities found in software declined from about 80% to nearly zero.
• Because developers spent less time finding and fixing code flaws, companies reduced their total development effort per application by 10% to 40%.
• Developers used the extra time to enhance existing code and tackle new software projects.
• These productivity improvements are translating into savings of as much as $5M per year at some companies.
Key Findings: Strategic and Growth Benefits
Faster Time to Market
For companies that sell e-commerce and other commercial software, discovering security flaws late in the development life cycle can delay new product introductions (NPI) by weeks or months, putting revenue and market share at risk and adding millions of dollars in development costs. One software company in the 2010 study reported 3 to 5 product delays a year as a result of security defects that surfaced close to launch. In 2013, one company reported missing a launch date due to application security issues, cutting into product sales as a result. Today, executives at this company say that security-driven production delays have been virtually eliminated, thanks to a more secure development lifecycle.
Another company interviewed in 2013 missed a stringent release date when it discovered application vulnerabilities late in the development lifecycle, which triggered penalties under a contract agreement.
By embedding SSA tools, training, and best practices in their product development process, these companies were able to minimize security-driven delays and speed product launches. Fewer product delays also helped control development costs at these companies, allowing them to deploy more resources to code development rather than remediation.
Findings
• Companies experienced fewer security-related product delays; previously, security vulnerabilities discovered late in the development cycle could delay launches by 3–4 months in some cases.
• Companies can capture an estimated $8.3M of additional software revenue through a comprehensive SSA program to minimize product delays.⁶
• Companies can realize development cost savings of about $15M per year from SSA-driven reductions in product delays.⁷
[Figure: Penetration Testing Fee Savings. Penetration testing costs fall from $536K (Legacy) to $268K (SSA), a 50% reduction in penetration testing effort.]
Penetration testing was reduced by 50% or more—improved awareness, education, quality of code and automated testing reduced pen testing requirements
Source: Mainstay Partners
Global Information Solutions Company Secures Its Future
To implement consistent software security standards across several continents, this IT solutions company replaced its legacy code-scanning tool with HP Fortify on Demand. Since the switch, the company increased scanning speed and is finding and fixing more issues than ever before. Today, the company uses security checks to evaluate and approve partner deals and safeguard the company’s reputation.
“HP Fortify has brought about a fundamental change to remediation actions, from security-oriented to basic coding design and structure.”
– Global Information Solutions Company
North American Telecom Company Speeds Product Launches
Although this telecom had a well-defined software security strategy, it needed a robust solution to make it operational. Enter HP Fortify, which enabled the company to scan code 30 times faster and uncover 10 times more vulnerabilities. Most critical issues have been eliminated and early fixes are helping the company save millions of dollars by avoiding product launch delays.
Greater Leverage in Business Transactions
A number of companies in the study are capturing additional value by deploying SSA programs to gain an edge during negotiations to buy digital assets or sell their own software properties. One company, for example, is using Fortify to perform software security audits of acquisition targets that own valuable software products. The audit results become part of deal negotiations and can trigger price breaks if the target’s core applications are found to have significant vulnerabilities.
One company we interviewed in 2013 found that using HP Fortify on Demand made it easier to complete security assessments of targeted firms, helping it save millions in due-diligence labor costs. Not every company will take advantage of this kind of SSA deployment, but for a business depending on M&A activity to grow or innovate, the strategy can yield substantial business returns.
Findings
• For companies pursuing acquisitions, HP Fortify provided an objective method for measuring the security of digital assets, providing leverage during price negotiations.
• In the case of a company completing two $100M deals a year, using SSA to assess the software assets of prospective acquisitions can yield valuation benefits of as much as $10M.⁸
• Organizations reported that easily deployed HP Fortify on Demand helped contain due-diligence costs during asset acquisition deals. One company estimated the value of their savings at $5M per year.
• For companies divesting software assets, HP Fortify helped create a secure, trusted brand image and provided pricing advantages in large deals.
Supporting Software Development in Distributed and Consumerized Environments
The 2013 study found growing use of SSA solutions to improve security for software development operations that are outsourced or spread out geographically. SaaS solutions such as HP Fortify on Demand were seen as a cost-effective alternative for testing the security of software created by teams in widely dispersed locations.
Companies in both studies leveraged solutions from HP Fortify to support “pay for performance” programs that enabled companies to adjust fees paid to outsourcing partners based on the “cleanliness” of the code delivered.
Findings
• One company used HP Fortify on Demand to reduce its effort to scan and remediate outsourced software code, saving the work of 5–10 FTEs plus $100K in remediation costs and translating into an estimated $1.3M in labor savings annually.
• Companies using SSA to screen outsourced code and optimize pricing can capture fee savings of about $100K annually while improving the overall quality of code delivered by development partners.⁹
• With the consumerization of IT growing — and with it the popularity of all kinds of consumer-style apps — more companies are using HP Fortify on Demand to easily scan and secure diverse applications.
“Fortify brought a new paradigm to software security and helped us mature into a secure IT enterprise. Fortify literally helps us protect the company’s reputation in the industry.”
– Leading U.S. Bank
Key Findings: Risk Mitigation
Avoiding Costs and Damages From Data Breach
Minimizing the risk of data breaches and security failures is a top priority for CISOs. The damages caused by intrusions can be wide ranging and costly, leading to millions of dollars in legal and PR fees, remediation expenses, lost revenue, and customer churn.¹⁰ Security executives interviewed in the current study saw SSA solutions as one of the most effective tools for controlling this risk.
Findings
• The average cost of a data breach is about $5.4M, or $188 per compromised record.¹¹
• Companies can save an estimated $540K per year by adopting SSA solutions to avoid major data breaches.¹²
Avoiding Non-Compliance Penalties
Companies in regulated industries can face significant fines when security gaps are discovered in their systems and software — and even more when organizations fail to resolve these vulnerabilities in a timely manner. In the payment card industry, for instance, penalties can range from $5K to as much as $25K per month. When you also factor in lost sales, customer churn, and remediation expenses, the full cost of PCI non-compliance can be substantially more.¹³
Finding
• By ensuring compliance through systematic software security testing, companies can avoid approximately $100K in penalties annually.¹⁴
Benefit Summary: Unlocking the Potential of SSA
Every company adopting SSA is different, and so are the benefits they realize. As shown in the figure below, for those organizations capable of exploiting every opportunity for value creation, the potential can reach nearly $50M per year — an increase of $13M over our 2010 estimate. Still, the benefits accruing to a particular company will vary according to its business profile, including its size, industry, and business strategy.¹⁵
To estimate the benefits for an individual company, we recommend upfront research to establish key benchmarks for that organization. These would include the number of applications developed or tested per year, current time-to-fix cycles, and current developer costs, among other metrics. An accurate benefit estimate will also include a time component. For example, while most of the companies in the study captured benefits within the first year of SSA deployment, many of the more significant benefits weren’t realized until the second year, when companies had completed the organizational and process changes necessary to integrate SSA into a comprehensive software development life cycle (SDLC) program.

Total Annual Economic Value Potential for SSA¹⁶
| Benefit | Annual Value |
| --- | --- |
| Vulnerability Remediation Cost Savings | $3M |
| Compliance and Penetration Test Savings | $0.3M |
| Application Outsourcing Pay for Performance | $0.1M |
| NPI Time-to-Market Cost Savings | $15.0M |
| NPI Revenue Impact | $8.3M |
| M&A Valuation Benefits | $10.0M |
| Breach Cost Avoidance | $0.5M |
| Compliance Penalty Cost Avoidance | $0.1M |
| Distributed Development Savings (On Demand) | $1.3M |
| Development Productivity Savings | $5.0M |
| Software Asset Acquisition Security Effort Savings | $5.0M |
| Total Impact | $49.0M |
Source: Mainstay Partners

“Fortify has saved us millions of dollars by ensuring that applications go to market in time.”
– North American Telecom Company
Conclusion
During a time of tightening IT budgets, security executives are facing increasing pressure to justify investments — even those as critical as software security — from a business-value perspective. As this study shows, SSA solutions offer substantial efficiency and productivity benefits that help companies control costs, speed software development, and even boost revenue and asset values.
Three years after our initial 2010 study, companies adopting SSA solutions continue to report savings in the millions of dollars from:
• More efficient and effective vulnerability assessment and remediation.
• Streamlined regulatory compliance and penetration testing efforts.
• Fewer security-related delays affecting the launch of new products.
• More favorable pricing of outsourced code development.
• Improved valuations of the software assets of merger-and-acquisition targets.
Companies in the 2013 study have evolved on several fronts, however. We saw more consistent adoption of software security best practices across companies, allowing for better industry benchmarking. Significantly, we saw broader interest in and greater adoption of on-demand SSA solutions, which helped companies extend protection to geographically dispersed development operations and enabled easier evaluations of third-party digital assets.
By leveraging on-demand software security-as-a-service solutions, companies could further boost the productivity of their development operations and secure additional savings. As a result, the total economic impact of SSA for companies in 2013 increased to just under $50M, about $13M more than SSA’s estimated value-generating potential in 2010. The growing consumerization of applications is only expected to expand the value and usefulness of cloud-based SSA models in the years ahead.
To understand the full potential of Software Security Assurance solutions in your organization, go to www.fortify.com/ssa-basics/overview/index.html. For information on HP Fortify and other products and services from HP Fortify, go to www.fortify.com.
What to Look for in a Software Security Solution
Mainstay’s review of 30 software security providers found that not all vendors offer the same functionality and services. When evaluating the options, organizations should look for an SSA value-maximizing solution that:
• Offers both extensive remediation functionality and supporting services.
• Provides support for cross-team collaboration — bringing information security teams, developers, risk officers, and auditors together in a coordinated effort.
• Seamlessly integrates with existing application lifecycle management (ALM) and development environments, shortening time to remediation.
• Provides in-depth guidance on how to correct each security vulnerability, thus accelerating remediation further.
• Offers robust governance capabilities, including the ability to define and communicate security policies and rules across the organization.
• Provides research on the latest threat trends and techniques, ensuring that teams are aware of all emerging threats.
• Provides static and dynamic testing capabilities and expertise.
• Comprehensively addresses all types of software — mobile, client, web — across all enterprise technology stacks.
North American Telecom Company Speeds Product Launches
Although this telecom had a well-defined software security strategy, it needed a robust solution to make it operational. Enter HP Fortify, which enabled the company to scan code 30 times faster and uncover 10 times more vulnerabilities. Most critical issues have been eliminated and early fixes are helping the company save millions of dollars by avoiding product launch delays.
“Both on-premise and on-demand SSA solutions have their advantages and we need both.”
– Transportation and Logistics Company
APPENDIX: RESEARCH INTERVIEWS
To more clearly understand the economics of software security, Mainstay conducted more than a dozen interviews with information security leaders, including chief information security officers (CISOs) and information security managers and directors. Seventeen private- and public-sector organizations were studied in 2010, and an additional nine in 2013, spanning a cross-section of industries and geographic regions.
• Industries studied: financial services, high technology, transportation, services, healthcare, agriculture, and telecommunications
• Regions: North America, Europe, Asia Pacific
• Company size: $1–5B (30%), $5–25B (29%), >$25B (41%)
The interviews addressed various aspects of software security objectives, strategies, and implementation, along with the specific benefits of Fortify solutions. Data gathered from these in-depth interviews formed the basis for the business value estimates presented in the study.
END NOTES
1 Late-cycle methods such as penetration testing, for example, require significantly more time to track down defects in the source code.
2 The reduction in remediation time is due to several factors, including SSA capabilities and practices that (1) pinpoint the exact location of a flaw in the code lines, (2) prioritize vulnerabilities to focus resources on the most critical flaws, and (3) provide guidance on how to correct each vulnerability.
3 Estimate based on a conservative 10 vulnerabilities per application, and 67 critical applications.
4 Mandates and standards commonly impacting application development projects include: the Payment Card Industry Data Security Standards (PCI DSS), the Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and North American Electric Reliability Corporation (NERC) standards.
5 Assumes 50% reduction in penetration testing effort; legacy environment costs are based on an average of 8 penetration tests per year at $67K per test.
6 Estimate assumes a $20B company earning 1.25% of its profit per quarter from new product sales; 50% of product introductions are assumed to benefit from SSA efficiencies, which help avoid an average of 4 critical vulnerabilities per product and 30 days of delays.
7 Estimate assumes a $20B company incurring new product development costs equal to 3% of revenue; 50% of new products, or $300M in expenses, are assumed to be impacted by SSA efficiencies, which help avoid an average of 4 critical vulnerabilities per product and 30 days of delays; the resulting 5% productivity increase saves $15M in development expenses.
8 Estimate assumes an average deal discount of 5% from SSA code analysis.
9 Assumes average fee discounts of 1% applied to annual outsourced development expenditures of $10M.
10 See “Top 10 Data Breaches and Blunders of 2009,” eSecurity Planet: http://www.esecurityplanet.com/views/article.php/3863556/Top-Ten-Data-Breaches-and-Blunders-of-2009.htm.
11 Ponemon Institute, 2013.
12 Assumes that the average company would experience a major data breach once every 10 years.
13 Assumes that an average penalty period would last 6 months. Research indicates that penalties make up only 30% of the full impact of non-compliance (“Industry View: Calculating the True Cost of PCI Non-Compliance,” Ellen Lebenson, CSO Online).
14 Assumes a non-compliance period lasting 6 months. Average penalty periods range from 3 to 24 months.
15 For example, only companies that sell commercial software (or that provide software-enabled products or services) are likely to gain the revenue and cost benefits from accelerating new product introductions. Similarly, only companies actively engaged in M&A activities can achieve the valuation benefits from SSA-enabled acquisition-valuation initiatives. In addition, not all of the estimated benefits should be understood as “hard savings” that directly impact the profit and loss statement. For example, benefits from avoiding costs — such as a breach remediation — may be considered “soft” because some organizations may never experience a breach event.
16 2010 findings included, for Sample Customer. Assumptions include: $20B customer, 10% new product revenue contribution; 50% first year margins; 2 month product delay due to vulnerabilities; 500 critical/severe vulnerabilities; $3.8M cost per breach — 10% probability; $200M in M&A @ 5% valuation benefits.
17 2013: 500 more third-party developers covered (10 FTE effort savings); 1,000 more new apps @ 50K per app; 10% in security effort savings from acquisition of software assets. Please see notes for more details on how 2013 savings were arrived at.
Sponsored by:
Research and analysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp.
This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained from sources considered reliable, but is not warranted by Mainstay.
Copyright © 2013 Mainstay.
Mainstay
www.mainstaycompany.com
2929 Campus Drive, Suite 150 San Mateo, CA, 94405
p. 650.638.0575 f. 650.638.0578