WHITE PAPER
Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions 2013 Update
Executive Summary
Cyber security has emerged as a top priority for enterprises worldwide, but are automated software security assurance (SSA) solutions worth the investment? In this updated study of enterprise companies across multiple industries, SSA solutions from HP Fortify were shown to generate millions of dollars in cost savings, revenue enhancement, and risk reduction. What's more, companies found they could accelerate benefits using Fortify on Demand, a Security-as-a-Service solution that helped them ramp up faster, fix vulnerabilities sooner, and generate savings in days.
We are witnessing a profound shift in how businesses and organizations manage information security and protect against cyber attacks. Traditional perimeter defenses, including firewalls, network IPS, APT solutions, and NGFWs, are no longer good enough. While those solutions help protect network infrastructures, chief information security officers (CISOs) know they also need to secure the software applications they write and deploy. The shift has created a need for comprehensive software security products and services, known as software security assurance (SSA) solutions, that help companies uncover vulnerabilities in their application code, fix defects quickly and effectively, and produce software that is impervious to attacks wherever they operate. In this way, CISOs build in a layer of defense to protect what has become a primary attack vector for cybercriminals: the software applications themselves.
In 2010, Mainstay investigated the business value of SSA solutions, studying 17 organizations that had deployed solutions from HP Fortify, a leading provider of SSA solutions. Our study found substantial benefits from adopting application security programs, with companies saving as much as $2.4 million per year from efficiency and productivity improvements, including more effective vulnerability detection and remediation, and streamlined compliance and penetration testing. Mainstay revisited the SSA market in 2013, surveying more than a dozen companies across a similar cross-section of industries. The new study combined insights from executive interviews, industry research, and benchmark analysis to measure the range of benefits that organizations are seeing from their SSA investments.
Table of Contents
Executive Summary ... 2
Key Findings: Cost and Productivity Savings ... 4
Key Findings: Strategic and Growth Benefits ... 8
Key Findings: Risk Mitigation ... 10
Benefit Summary: Unlocking the Potential of SSA ... 10
In the new study, we discovered a market for SSA that is growing and maturing at a rapid pace, and yielding greater benefits than three years ago. Key findings include:
Continued Significant Cost Savings. Companies in the new survey reported millions of dollars in cost savings and operational savings from adopting SSA solutions, exceeding the average savings reported in 2010 for most organizations. Specifically, SSA solutions enabled organizations to uncover vulnerabilities quicker, fix defects 20 to 100 times faster, and massively lower the costs of compliance and penetration testing. The result: organizations saw their development effort shrink by as much as 40%, while developer productivity nearly doubled on average. The combination of test and remediation cost savings and development productivity improvements is generating benefits estimated at $8M per year.
Expanded Revenue Potential. More companies are now embedding software security controls and best practices throughout the development lifecycle and leveraging SSA to protect and maximize revenue streams. With SSA, organizations virtually eliminated delays due to software security issues and significantly accelerated new product introductions. Our finding: companies in some industries can capture an estimated $8M in additional revenue and save $15M in development costs.
The study found that software security programs delivered more than $8M in annual cost avoidance and savings on average. For some organizations in information- and software-intensive industries, benefits could reach as much as $50M annually.
Performance metric and improvement:
- Vulnerabilities per application: from 100s to 10s
- Average time to fix a vulnerability: from 1 to 2 weeks to 1 to 2 hours
- Percentage of repeat vulnerabilities: from 80% to 0%
- Compliance and penetration testing effort: from ~$500k to ~$250k
- Time-to-market delays due to vulnerabilities: from 4+ incidents (30 days each) per year to none
Finding Critical Vulnerabilities Faster
Organizations typically uncovered thousands of exploitable vulnerabilities through initial code scans using SSA solutions such as HP Fortify. The discovery spurred them to repair these defects in short order and then introduce SSA-supported programs to produce cleaner code in the first place. The executives surveyed said HP Fortify excelled at uncovering critical and high types of vulnerabilities that put companies at greatest risk.
Findings: SSA solutions uncovered 10 to 100 times more vulnerabilities than were previously known. In contrast to other SSA solutions, HP Fortify uncovered more verified critical and high vulnerabilities. (Figure callout: 20 to 30X.)
Findings: Companies reduced the time required to scan 1,000 lines of code from 60 minutes using manual methods to just 2 to 3 minutes using HP Fortify. Advanced capabilities, such as partial scanning in HP Fortify, enabled companies to accelerate vulnerability testing by 2 to 10x compared to alternative approaches.
Figure: Fortify Impact, pre-Fortify vs. with Fortify (known vulnerabilities and critical/high vulnerabilities).
Ramp-up time: on-premise 1 to 6 months; on-demand 1 to 2 weeks.2
Critical/high vulnerabilities addressed: on-premise 1 to 12+ months; on-demand 2 to 8+ weeks.
Because users can upload code from anywhere, on-demand SSA was the preferred approach for organizations with geographically spread-out development operations or for firms that outsourced code development to global partners. Greater flexibility in working with third parties also made on-demand solutions ideal for evaluating digital assets during the due-diligence and price-negotiation phases of a business acquisition. However, on-premise SSA solutions continued to make sense for organizations that wanted greater customizability and control over their security programs. The figure below shows a comparison of the two approaches.
Figure: Comparing On Demand with On-Premise SSA Solutions (steady state)
On Premise: more regular, deeper security scans; security scans customized to diverse applications; increased ROI from trained software security staff; compliance with IP/data within four walls.
Shared: developer productivity improved; all critical and high vulnerabilities eliminated; development effort saved with scan reports; 30x faster scanning.
On Demand: more secure third-party/outsourced development; rapid implementation and buy-in; staff headcount avoidance.
Fix More Vulnerabilities with Less Effort
Companies in both 2010 and 2013 said SSA solutions helped them not only find verified vulnerabilities more easily, but also fix them faster. Slow remediation cycles were common in pre-SSA environments, often lasting 2 to 3 weeks, largely because most defects weren't uncovered until late in the development process, when remediation can be time-consuming and expensive.1 When vulnerabilities made their way into production, the remediation project increased exponentially in scope, requiring as much as 10 to 100 times the effort to resolve. At this point, developers were often removed from high-value tasks to solve the problem, requiring overtime and adversely impacting software quality.
By introducing automated SSA technology and best practices, organizations reduced average remediation time from 1 to 2 weeks to 1 to 2 hours.2 After adopting SSA solutions, remediation required fewer resources, from 4-5 additional FTEs to virtually zero, saving an estimated $44K annually in remediation costs per application. For the average organization, these cost savings are estimated conservatively at $3M per year.3
Figure: Fixing effort, 10X without Fortify on Demand vs. with Fortify on Demand.
Streamlined Compliance and Penetration Testing
A number of companies in the survey face strict government and industry regulations for application security, particularly organizations in the financial services and healthcare industries.4 The extra development and auditing effort needed to comply with these standards can be costly, as are the potential penalties for non-compliance. In our study, executives said SSA solutions helped control costs by streamlining regulatory compliance projects, substantially reducing fees paid to outside auditors and security consultants. By configuring the SSA solution to address specific compliance mandates, organizations quickly identified and ranked vulnerabilities according to severity. The solution generates a report that documents these activities, creating an audit trail for regulators.
Figure: Auditor compliance fee savings, legacy $20K vs. SSA $2K.
Findings: SSA reduced manual forensics effort needed to comply with industry audits, saving $100K per year. The average organization adopting SSA saw its fees paid to compliance auditors fall by 89%, or about $15K annually.
Similarly, after adopting SSA and instituting more rigorous code scanning and remediation processes, along with improved developer awareness and education, organizations found they consistently met quality standards, and thus could plan and focus their penetration testing better and reduce the overall effort required.
Finding: The average organization achieved a 50% reduction in penetration testing costs, translating into annual savings of more than $250K.5
ACCELERATING ADOPTION
To gain support from senior leadership, about 90% of the executives said that proving SSA's payback potential was critical. Indeed, the most successful SSA programs employed a set of best practices that helped organizations accelerate adoption and derive more value from their solutions. Combining people, process, and technology, these practices include:
People:
- Drive awareness of SSA by securing support from key stakeholders.
- Communicate the business value of software security to the board of directors.
- Set aggressive goals for application and developer coverage in the first year.
- Invest in software security education and training.
Process:
- Drive vulnerability-prevention processes deeper into the development organization.
- Require code scans at strategic checkpoints in the development process, such as during nightly builds, before releasing applications to production.
- Rapidly integrate software security resources with development teams.
- Include software security performance as part of developers' job appraisals.
- Urge adoption of SSA practices by application development partners and track their compliance.
Technology:
- Integrate SSA into SDLC automation tools.
- Connect SSA tools to a bug-tracking database to improve time-to-fix.
- Integrate the SSA solution with audit and compliance tools to accelerate the compliance process and maintain audit trails.
- Systematically prioritize vulnerabilities to focus remediation plans and streamline remediation and penetration-testing activities.
Overall Development Productivity Savings
The benefits of SSA solutions increased over time, companies noted, as developers learned from scanning results and adopted more secure coding practices at the start of new projects. As a result, the number of repeat vulnerabilities and defects found in the software declined, software tests were completed faster, and overall development cycles were shortened.
Figure: Penetration testing costs, legacy $536K vs. SSA. Penetration testing was reduced by 50% or more; improved awareness, education, quality of code and automated testing reduced pen testing requirements.
Findings: The percentage of repeat vulnerabilities found in software declined from about 80% to nearly zero. Because developers spent less time finding and fixing code flaws, companies reduced their total development effort per application by 10% to 40%. Developers used the extra time to enhance existing code and tackle new software projects. These productivity improvements are translating into savings of as much as $5M per year at some companies.
"HP Fortify has brought about a fundamental change to remediation actions, from security-oriented to basic coding design and structure."
Global Information Solutions Company
Greater Leverage in Business Transactions
A number of companies in the study are capturing additional value by deploying SSA programs to gain an edge during negotiations to buy digital assets or sell their own software properties. One company, for example, is using Fortify to perform software security audits of acquisition targets that own valuable software products. The audit results become part of deal negotiations and can trigger price breaks if the target's core applications are found to have significant vulnerabilities. One company we interviewed in 2013 found that using HP Fortify on Demand made it easier to complete security assessments of targeted firms, helping it save millions in due-diligence labor costs. Not every company will take advantage of this kind of SSA deployment, but for a business depending on M&A activity to grow or innovate, the strategy can yield substantial business returns.
Findings: For companies pursuing acquisitions, HP Fortify provided an objective method for measuring the security of digital assets, providing leverage during price negotiations. In the case of a company completing two $100M deals a year, using SSA to assess the software assets of prospective acquisitions can yield valuation benefits of as much as $10M.8 Organizations reported that the easily deployed HP Fortify on Demand helped contain due-diligence costs during asset acquisition deals. One company estimated the value of its savings at $5M per year. For companies divesting software assets, HP Fortify helped create a secure, trusted brand image and provided pricing advantages in large deals.
Supporting Software Development in Distributed and Consumerized Environments
The 2013 study found growing use of SSA solutions to improve security for software development operations that are outsourced or spread out geographically. SaaS solutions such as HP Fortify on Demand were seen as a cost-effective alternative for testing the security of software created by teams in widely dispersed locations. Companies in both studies leveraged solutions from HP Fortify to support pay-for-performance programs that enabled them to adjust fees paid to outsourcing partners based on the cleanliness of the code delivered.
Findings: One company used HP Fortify on Demand to reduce its effort to scan and remediate outsourced software code, saving the work of 5 to 10 FTEs plus $100K in remediation costs and translating into an estimated $1.3M in labor savings annually. Companies using SSA to screen outsourced code and optimize pricing can capture fee savings of about $100K annually while improving the overall quality of code delivered by development partners.9 With the consumerization of IT growing, and with it the popularity of all kinds of consumer-style apps, more companies are using HP Fortify on Demand to easily scan and secure diverse applications.
"Fortify brought a new paradigm to software security and helped us mature into a secure IT enterprise. Fortify literally helps us protect the company's reputation in the industry."
Leading U.S. Bank
"Fortify has saved us millions of dollars by ensuring that applications go to market in time."
North American Telecom Company
year, when companies had completed the organizational and process changes necessary to integrate SSA into a comprehensive software development life cycle (SDLC) program.
CONCLUSION
During a time of tightening IT budgets, security executives are facing increasing pressure to justify investments, even those as critical as software security, from a business-value perspective. As this study shows, SSA solutions offer substantial efficiency and productivity benefits that help companies control costs, speed software development, and even boost revenue and asset values. Three years after our initial 2010 study, companies adopting SSA solutions continue to report savings in the millions of dollars from:
- More efficient and effective vulnerability assessment and remediation.
- Streamlined regulatory compliance and penetration testing efforts.
- Fewer security-related delays affecting the launch of new products.
- More favorable pricing of outsourced code development.
- Improved valuations of the software assets of merger-and-acquisition targets.
Companies in the 2013 study have evolved on several fronts, however. We saw more consistent adoption of software security best practices across companies, allowing for better industry benchmarking. Significantly, we saw broader interest in and greater adoption of on-demand SSA solutions, which helped companies extend protection to geographically dispersed development operations and enabled easier evaluations of third-party digital assets. By leveraging on-demand software security-as-a-service solutions, companies could further boost the productivity of their development operations and secure additional savings. As a result, the total economic impact of SSA for companies in 2013 increased to just under $50M, about $13M more than SSA's estimated value-generating potential in 2010. The growing consumerization of applications is only expected to expand the value and usefulness of cloud-based SSA models in the years ahead.
To understand the full potential of Software Security Assurance solutions in your organization, go to www.fortify.com/ssa-basics/overview/index.html. For information on HP Fortify and other products and services from HP Fortify, go to www.fortify.com.
"Both on-premise and on-demand SSA solutions have their advantages and we need both."
Transportation and Logistics Company
END NOTES
1. Late-cycle methods such as penetration testing, for example, require significantly more time to track down defects in the source code.
2. The reduction in remediation time is due to several factors, including SSA capabilities and practices that (1) pinpoint the exact location of a flaw in the code lines, (2) prioritize vulnerabilities to focus resources on the most critical flaws, and (3) provide guidance on how to correct each vulnerability.
3. Estimate based on a conservative 10 vulnerabilities per application, and 67 critical applications.
4. Mandates and standards commonly impacting application development projects include: the Payment Card Industry Data Security Standards (PCI DSS), the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and North American Electric Reliability Corporation (NERC) standards.
5. Assumes 50% reduction in penetration testing effort; legacy environment costs are based on an average of 8 penetration tests per year at $67K per test.
6. Estimate assumes a $20B company earning 1.25% of its profit per quarter from new product sales; 50% of product introductions are assumed to benefit from SSA efficiencies, which help avoid an average of 4 critical vulnerabilities per product and 30 days of delays.
7. Estimate assumes a $20B company incurring new product development costs equal to 3% of revenue; 50% of new products, or $300M in expenses, are assumed to be impacted by SSA efficiencies, which help avoid an average of 4 critical vulnerabilities per product and 30 days of delays; the resulting 5% productivity increase saves $15M in development expenses.
8. Estimate assumes an average deal discount of 5% from SSA code analysis.
9. Assumes average fee discounts of 1% applied to annual outsourced development expenditures of $10M.
10. See Top 10 Data Breaches and Blunders of 2009, eSecurity Planet: http://www.esecurityplanet.com/views/article.php/3863556/Top-Ten-Data-Breaches-and-Blunders-of-2009 htm.
11. Assumes that the average company would experience a major data breach once every 10 years.
12. Assumes that an average penalty period would last 6 months.
13. Research indicates that penalties make up only 30% of the full impact of non-compliance (Industry View: Calculating the True Cost of PCI Non-Compliance, Ellen Lebenson, CSO Online).
14. Assumes a non-compliance period lasting 6 months. Average penalty periods range from 3 to 24 months.
15. For example, only companies that sell commercial software (or that provide software-enabled products or services) are likely to gain the revenue and cost benefits from accelerating new product introductions. Similarly, only companies actively engaged in M&A activities can achieve the valuation benefits from SSA-enabled acquisition-valuation initiatives. In addition, not all of the estimated benefits should be understood as hard savings that directly impact the profit and loss statement. For example, benefits from avoiding costs, such as a breach remediation, may be considered soft because some organizations may never experience a breach event.
16. 2010 findings included, for Sample Customer. Assumptions include: $20B customer, 10% new product revenue contribution; 50% first year margins; 2 month product delay due to vulnerabilities; 500 critical/severe vulnerabilities; $3.8M cost per breach at 10% probability; $200M in M&A @ 5% valuation benefits.
17. 2013: 500 more third-party developers covered (10 FTE effort savings); 1,000 more new apps @ 50K per app; 10% in security effort savings from acquisition of software assets. Please see notes for more details on how 2013 savings were arrived at.
Sponsored by:
Mainstay www.mainstaycompany.com 2929 Campus Drive, Suite 150 San Mateo, CA, 94405 p. 650.638.0575 f. 650.638.0578
Research and analysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp. This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained from sources considered reliable, but is not warranted by Mainstay. Copyright 2013 Mainstay.