Cyber security has emerged as a top priority for enterprises worldwide, but are automated software security assurance (SSA) solutions worth the investment? In this updated study of enterprise companies across multiple industries,
SSA solutions from HP Fortify were shown to generate millions of dollars in cost savings, revenue enhancement, and risk reduction. What’s more, companies found they could accelerate benefits using Fortify on Demand, a Security-as-a-Service solution that helped them ramp up faster, fix vulnerabilities sooner, and generate savings in days.
08448380779 Call Girls In Civil Lines Women Seeking Men
Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
1. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
WHITE PAPER
WHITE PAPER
Does Application Security Pay?
Measuring the Business Impact of
Software Security Assurance Solutions
2013 Update
1
2. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
WHITE PAPER
Executive Summary
Cyber security has emerged as a
top priority for enterprises worldwide, but are automated software
security assurance (SSA) solutions
worth the investment? In this
updated study of enterprise
companies across multiple industries, SSA solutions from HP Fortify
were shown to generate millions of
dollars in cost savings, revenue
enhancement, and risk reduction.
What’s more, companies found
they could accelerate benefits
using Fortify on Demand, a
Security-as-a-Service solution
that helped them ramp up faster,
fix vulnerabilities sooner, and
generate savings in days.
We are witnessing a profound shift in how businesses and organizations manage
information security and protect against cyber attacks. Traditional perimeter defenses —
including firewalls, network IPS, APT solutions, and NGFWs — are no longer good enough.
While those solutions help protect network infrastructures, chief information security
officers (CISOs) know they also need to secure the software applications they write and
deploy. The shift has created a need for comprehensive software security products and
services — known as software security assurance (SSA) solutions — that help companies
uncover vulnerabilities in their application code, fix defects quickly and effectively, and
produce software that is impervious to attacks wherever they operate. In this way,
CISOs build in a layer of defense to protect what has become a primary attack vector
for cybercriminals: the software applications themselves.
In 2010, Mainstay investigated the business value of SSA solutions, studying 17
organizations that had deployed solutions from HP Fortify, a leading provider of SSA
solutions. Our study found substantial benefits from adopting application security
programs, with companies saving as much as $2.4 million per year from efficiency
and productivity improvements, including more effective vulnerability detection and
remediation, and streamlined compliance and penetration testing.
Mainstay revisited the SSA market in 2013, surveying more than a dozen companies
across a similar cross-section of industries. The new study combined insights from
executive interviews, industry research, and benchmark analysis to measure the range
of benefits that organizations are seeing from their SSA investments.
2013 Study Findings
In the new study, we discovered a market for SSA that is growing and maturing at a
rapid pace — and yielding greater benefits than three years ago. Key findings include:
Table of Contents
Executive Summary
2
Key Findings: Cost and
Productivity Savings
4
Key Findings: Strategic and
Growth Benefits
8
Key Findings: Risk Mitigation
10
Benefit Summary: Unlocking
the Potential of SSA
10
Conclusion 11
Appendix: Research Interviews
12
End Notes
12
2
• Continued Significant Cost Savings. Companies in the new survey reported
millions of dollars in cost savings and operational savings from adopting SSA
solutions, exceeding the average savings reported in 2010 for most organizations.
Specifically, SSA solutions enabled organizations to uncover vulnerabilities quicker,
fix defects 20 to 100 times faster, and massively lower the costs of compliance and
penetration testing. The result: Organizations saw their development effort shrink
by as much as 40%, while developer productivity nearly doubled on average. The
combination of test and remediation cost savings and development productivity
improvements are generating benefits estimated at $8M per year.
• Expanded Revenue Potential. More companies are now embedding software
security controls and best practices throughout the development lifecycle and
leveraging SSA to protect and maximize revenue streams. With SSA, organizations
virtually eliminated delays due to software security issues and significantly accelerated new product introductions. Our finding: Companies in some industries can capture
an estimated $8M in additional revenue and save $15M in development costs.
2
3. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
Executive Summary (continued)
• Faster Time to Value with On Demand Solutions. The 2013 survey found significantly more companies
adopting Security-as-a-Service (SaaS) testing solutions such as HP Fortify on Demand (FoD). Cloud-based
software security services appealed to companies that wanted to test their software quickly and affordably, avoid the burden of installing and managing SSA applications, and minimize the need for in-house
software security expertise. The solution’s test-anywhere flexibility also attracted companies with global
development operations and extensive outsourcing partnerships. Specifically, the study found that
companies using HP Fortify on Demand were able to ramp up software security programs faster and
then find and fix critical vulnerabilities earlier, leading to faster realization of benefits.
• Increasing SSA Innovation. Software security programs have become a significant market differentiator
for companies that compete in information-intensive industries or that provide software-enabled solutions
to customers. While in 2010 we found a few early innovators that were using SSA solutions to stand out
in their industries, 40% of organizations surveyed in 2013 saw SSA as a core strategy in advancing their
market competitiveness. Creative strategies included using SSA to gain leverage in business deals —
specifically by setting optimal asset prices based on security assessments — and to improve workproduct quality from partners by using SSA to continuously enforce security standards.
WHITE PAPER
The study found that
software security
programs delivered
more than $8M in
annual cost avoidance
and savings on average.
For some organizations
in information- and
software-intensive
industries, benefits
could reach as much
as $50M annually.
• Greater Overall Economic Value Potential. For companies that deploy SSA in comprehensive and
innovative ways, Mainstay calculated that software security programs can generate as much as $50M
in annual benefits, at least $13M more than the value potential of companies in 2010.
At a time when IT budgets are coming under closer scrutiny, CISOs are being called upon to justify SSA
investments from a cost-benefit perspective. For CISOs, the thrust of this study is clear: Software security
solutions are providing substantial operational and strategic benefits for companies across a range of
industries and generating cost savings and revenue-enhancing benefits that more than offset the cost of the
initial investment. And for companies that want faster payback, on-demand SSA solutions are an effective
way to get started with an application security program with minimal upfront costs.
Performance Metric
Improvement
Vulnerabilities per application
From 100s to 10s
Average time to fix a vulnerability
From 1 to 2 weeks to 1 to 2 hours
Percentage of repeat vulnerabilities
From 80% to 0%
Compliance and penetration testing effort
From ~$500k to ~$250k
Time-to-market delays due to vulnerabilities
From 4+ incidents (30 days each) per year to none
3
4. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
Key Findings:
COST AND PRODUCTIVITY SAVINGS
Companies adopting SSA solutions reported benefits
beyond just risk mitigation. In fact, for the average
company in the study, HP Fortify drove annual operational expense (OPEX) savings amounting to millions of
dollars per year.
Faster Scans
Without exception, companies said they preferred
automated software security solutions to manual
code-scanning procedures. Manual routines were not
only slower, but also narrower in focus and less thorough.
By speeding the scanning process — often by a factor of
20 to 30 — these companies could extend their security
checks to cover more lines of code and reach a broader
number of applications.
Of the solutions they evaluated, companies found that
HP Fortify offered the fastest scanning performance —
in minutes or hours versus days — largely because of
flexible capabilities such as partial scans that allowed
faster diagnosis of specific components of an application.
WHITE PAPER
Finding Critical Vulnerabilities Faster
Organizations typically uncovered thousands of exploitable vulnerabilities through initial code scans using SSA
solutions such as HP Fortify. The discovery spurred them
to repair these defects in short order and then introduce
SSA-supported programs to produce cleaner code in the
first place. The executives surveyed said HP Fortify
excelled at uncovering “critical and high” types of
vulnerabilities that put companies at greatest risk.
Fortify Provided Better Coverage of Critical and
High Vulnerabilities
Unknown
critical
and high
vulnerabilities
Critical
and high
vulnerabilities
uncovered
All
critical and high
vulnerabilities
eliminated
Critical and high
vulnerabilities
before Fortify
Critical and high
vulnerabilities
after Fortify
Vulnerabilities
after prolonged
usage of Fortify
Fortify Improved Scanning Speed
Findings
• SSA solutions uncovered 10 to 100 times more
vulnerabilities than were previously known.
20–30X
Before Fortify
60 minutes per
1,000 lines of code
• In contrast to other SSA solutions, HP Fortify
uncovered more verified “critical and high”
vulnerabilities.
Credit Card Company
Cuts Risk
Facing tough industry
regulations around
software security, a
leading credit card
company turned to
HP Fortify to rapidly
scan 100% of its
high-risk applications
for vulnerabilities.
The move came after
the company ran into
difficulties with an
alternative solution
that required complex
compiling and code
preparation. Fortify
offered faster scanning
of static code and
greater flexibility, and
the solution dovetailed
with the financial
company’s strong risk
management model.
Fortify is now expected
to help differentiate
the company in
the marketplace.
After Fortify
2–3 minutes per
1,000 lines of code
Findings
• Companies reduced the time required to scan
1,000 lines of code from 60 minutes using
manual methods to just 2–3 minutes using
HP Fortify.
• Advanced capabilities, such as partial scanning
in HP Fortify, enabled companies to accelerate
vulnerability testing by 2–10x compared to
alternative approaches.
4
5. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
WHITE PAPER
ON-DEMAND SOFTWARE SECURITY: A FLEXIBLE, AFFORDABLE OPTION
Most Vulnerabilities Addressed
• On-Premise: allows fine-tuning daily
• On-Demand: achieve steady state sooner
3
Steady State
Unknown
vulnerabilities
Setup Complete
HP Fortify on Demand appealed to companies that
wanted fast implementations and time to value,
with the study finding that companies uncovered the
most critical and high-risk vulnerabilities faster and
saw benefits earlier — within a week on average —
using on-demand solutions. As shown in the
adjacent figure, companies using on-demand solutions got over the “vulnerability hump” faster than
those with equivalent on-premise SSA solutions.
On Demand Accelerates Time to Value
Getting Over the ‘Vulnerability Hump’ Faster
On Demand
In our 2013 survey of the SSA adopters, more
companies were moving — or evaluating a
switch — to cloud-based Security-as-a-Service
(SaaS) solutions, specifically HP Fortify on Demand.
Using this automated on-demand service, organizations upload their application source code or
provide a URL for testing. HP Fortify on Demand
conducts static and/or dynamic tests, verifies the
results, and presents findings in a web-based report.
Critical/high
vulnerabilities
Known
vulnerabilities
1
Ramp-up Time
• On-Premise: 1–6 months 2
•
• On-Demand: 1–2 weeks
•
PreFortify
Critical/High
Ramp-up timeVulnerabilities Addressed
• On-Premise: 1–12+ months
• On-Demand: 2–8+ weeks
With
Fortify
Fortify Impact
Because users can upload code from anywhere, on-demand SSA was the preferred approach for organizations with geographically
spread-out development operations or for firms that outsourced code development to global partners. Greater flexibility in working with
third parties also made on-demand solutions ideal for evaluating digital assets during due-diligence and price-negotiation phases of a
business acquisition. However on-premise SSA solutions continued to make sense for organizations that wanted greater customizability
and control over their security programs. The figure below shows a comparison of the two approaches.
Comparing On Demand with On-Premise SSA Solutions
On Premise
Shared
30x faster
scanning
More regular deeper
security scans
Security scans
customized to diverse
applications
All critical and
high vulnerablities
eliminated
Compliance with IP/data
within four walls
Developer
productivity
improved
More secure
third-party/outsourced
development
Rapid implementation
and buy-in
Development effort
saved with scan
reports
Increased ROI from
trained software
security staff
On Demand
Staff headcount
avoidance
Analysis and guidance
from security experts
5
6. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
WHITE PAPER
Fix More Vulnerabilities with Less Effort
Streamlined Compliance and Penetration Testing
Companies in both 2010 and 2013 said SSA solutions
helped them to not only find verified vulnerabilities easier,
but also fix them faster. Slow remediation cycles were
common in pre-SSA environments — often lasting 2–3
weeks — largely because most defects weren’t uncovered
until late in the development process when remediation
can be time-consuming and expensive.1 When vulnerabilities made their way into production, the remediation
project increased exponentially in scope, requiring as
much as 10 to 100 times the effort to resolve. At this
point, developers were often removed from high-value
tasks to solve the problem, requiring overtime and
adversely impacting software quality.
A number of companies in the survey face strict
government and industry regulations for application
security, particularly organizations in the financial
services and healthcare industries.4 The extra development and auditing effort needed to comply with these
standards can be costly, as are the potential penalties
for non-compliance.
10x Faster Remediation of Verified Vulnerabilities
with Fortify on Demand
Fixing Effort with Fortify on Demand
In our study, executives said SSA solutions helped
control costs by streamlining regulatory compliance
projects, substantially reducing fees paid to outside
auditors and security consultants. By configuring the
SSA solution to address specific compliance mandates,
organizations quickly identified and ranked vulnerabilities according to severity. The solution generates a
report that documents these activities, creating an
audit trail for regulators.
Auditor Compliance Fee Savings
$20K
Fixing Effort without Fortify on Demand
Fee Savings
10X
• After adopting SSA solutions, remediation required
fewer resources — from 4-5 additional FTEs to
virtually zero — saving an estimated $44K
annually in remediation costs per application.
• For the average organization, these cost savings
are estimated conservatively at $3M per year.3
6
$15K
89%
reduction
$10K
$5K
Fixing
Findings Effort without Fortify on Demand
• By introducing automated SSA technology and
best practices, organizations reduced average
10%
remediation time from 1 to 2 weeks to 1 to 2
Fixing Effort with Fortify on Demand
hours.2
$17.5K
0
$2K
Legacy
Canadian Government
Agency Saves $100K
with On-Demand SSA
With its widely
distributed software
development organization, this agency
needed a convenient
and affordable way to
secure its sensitive
applications. Standardizing on HP Fortify on
Demand was the best
option in this situation,
helping the agency
eliminate software
vulnerabilities without
hurting developer
productivity. In fact,
the agency estimates
it’s saving more than
$100K per year using
HP Fortify on Demand
when compared to
manual forensic
methods.
SSA
Findings
• SSA reduced manual forensics effort needed
to comply with industry audits, saving $100K
per year.
• The average organization adopting SSA saw its
fees paid to compliance auditors fall by 89% —
or about $15K annually.
6
7. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
Similarly, after adopting SSA and instituting more
rigorous code scanning and remediation processes —
along with improved developer awareness and education — organizations found they consistently met quality
standards, and thus could plan and focus their penetration testing better and reduce the overall effort required.
WHITE PAPER
Finding
• The average organization achieved a 50%
reduction in penetration testing costs, translating
into annual savings of more than $250K.5
ACCELERATING ADOPTION
To gain support from senior leadership, about 90% of the executives said that proving SSA’s payback
potential was critical. Indeed, the most successful SSA programs employed a set of best practices that
helped organizations accelerate adoption and derive more value from their solutions. Combining people,
process, and technology, these practices include:
People: Drive awareness of SSA by securing support from key stakeholders.
“Fortify gave us a
48-fold increase
in our ability to
scan applications.”
– Global Consumer
Foods Giant
• Communicate the business value of software security to the board of directors.
• Set aggressive goals for applications and developer coverage in the first year.
• Invest in software security education and training.
Process: Drive vulnerability-prevention processes deeper into the development organization.
• Require code scans at strategic checkpoints in the development process — such as during nightly
builds — before releasing applications to production.
• Rapidly integrate software security resources with development teams.
• Include software security performance as part of developers’ job appraisals.
• Urge adoption of SSA practices by application development partners and track their compliance.
Technology: Integrate SSA into SDLC automation tools.
• Connect SSA tools to a bug-tracking database to improve time-to-fix.
• Integrate SSA solution with audit and compliance tools to accelerate compliance process and maintain
audit trails.
• Systematically prioritize vulnerabilities to focus remediation plans and streamline remediation and
penetration-testing activities.
7
8. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
Overall Development Productivity Savings
The benefits of SSA solutions increased over time,
companies noted, as developers learned from scanning
results and adopted more secure coding practices at
the start of new projects. As a result, the number of
repeat vulnerabilities and defects found in the software
declined, software tests were completed faster, and
overall development cycles were shortened.
Fee Savings
Penetration Testing Savings
Penetration Testing Costs
$600K
$536K
$400K
50% reduction
in penetration
testing effort
$268K
$200K
0
Legacy
SSA
Penetration testing was reduced by 50% or more—
improved awareness, education, quality of code and
automated testing reduced pen testing requirements
Findings
Source: Mainstay Partners
• The percentage of repeat vulnerabilities found in
software declined from about 80% to nearly zero.
• Because developers spent less time finding and
fixing code flaws, companies reduced their total
development effort per application by 10% to 40%.
• Developers used the extra time to enhance
existing code and tackle new software projects.
• These productivity improvements are translating
into savings of as much as $5M per year at
some companies.
KEY FINDINGS:
STRATEGIC AND GROWTH BENEFITS
Faster Time To Market
For companies that sell e-commerce and other commercial software, discovering security flaws late in the
development life cycle can delay new product introductions (NPI) by weeks or months, putting revenue and
market share at risk and adding millions of dollars in
development costs. One software company in the 2010
study reported 3 to 5 product delays a year as a result of
security defects that surfaced close to launch. In 2013,
one company reported missing a launch date due to
application security issues, cutting into product sales
as a result. Today, executives at this company say that
security-driven production delays have been virtually
eliminated, thanks to a more secure development
lifecycle.
Another company interviewed in 2013 missed a
stringent release date when it discovered application
vulnerabilities late in the development lifecycle, which
triggered penalties under a contract agreement.
By embedding SSA tools, training, and best practices in
their product development process, these companies
were able to minimize security-driven delays and speed
product launches. Fewer product delays also helped
control development costs at these companies, allowing
them to deploy more resources to code development
rather than remediation.
Findings
• Companies experienced fewer security-related
product delays; previously, security vulnerabilities
discovered late in the development cycle could
delay launches by 3–4 months in some cases.
WHITE PAPER
Global Information
Solutions Company
Secures Its Future
To implement
consistent software
security standards
across several
continents, this IT
solutions company
replaced its legacy
code-scanning tool
with HP Fortify on
Demand. Since the
switch, the company
increased scanning
speed and is finding
and fixing more issues
than ever before.
Today, the company
uses security checks
to evaluate and
approve partner deals
and safeguard the
company’s reputation.
“HP Fortify has brought
about a fundamental
change to remediation
actions, from securityoriented to basic
• Companies can capture an estimated $8.3M of
additional software revenue through a comprehensive SSA program to minimize product delays.6
coding design and
• Companies can realize development cost savings
of about $15M per year from SSA-driven
reductions in product delays.7
– Global Information
Solutions Company
structure.”
8
9. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
Greater Leverage in Business Transactions
A number of companies in the study are capturing
additional value by deploying SSA programs to gain
an edge during negotiations to buy digital assets or
sell their own software properties. One company, for
example, is using Fortify to perform software security
audits of acquisition targets that own valuable software
products. The audit results become part of deal
negotiations and can trigger price breaks if the
target’s core applications are found to have significant
vulnerabilities.
One company we interviewed in 2013 found that using
HP Fortify on Demand made it easier to complete
security assessments of targeted firms, helping it
save millions in due-diligence labor costs. Not every
company will take advantage of this kind of SSA
deployment, but for a business depending on M&A
activity to grow or innovate, the strategy can yield
substantial business returns.
Findings
Supporting Software Development in Distributed and
Consumerized Environments
The 2013 study found growing use of SSA solutions to
improve security for software development operations
that are outsourced or spread out geographically.
SaaS solutions such as HP Fortify on Deman d were seen
as a cost-effective alternative for testing the security of
software created
by teams in widely dispersed locations.
Companies in both studies leveraged solutions from HP
Fortify to support “pay for performance” programs that
enabled companies to adjust fees paid to outsourcing
partners based on the “cleanliness” of the code
delivered.
Findings
• One company used HP Fortify on Demand to reduce
its effort to scan and remediate outsourced
software code, saving the work of 5–10 FTEs plus
$100K in remediation costs and translating into
an estimated $1.3M in labor savings annually.
• For companies pursuing acquisitions, HP Fortify
provided an objective method for measuring the
security of digital assets, providing leverage
during price negotiations.
• Companies using SSA to screen outsourced code
and optimize pricing can capture fee savings of
about $100K annually while improving the overall
quality of code delivered by development partners.9
• In the case of a company completing two $100M
deals a year, using SSA to assess the software
assets of prospective acquisitions can yield
valuation benefits of as much as $10M.8
• With the consumerization of IT growing — and with
it the popularity of all kinds of consumer-style
apps — more companies are using HP Fortify
on Demand to easily scan and secure diverse
applications.
• Organizations reported that easily deployed HP
Fortify on Demand helped contain due-diligence
costs during asset acquisition deals. One company
estimated the value of their savings at $5M
per year.
• For companies divesting software assets, HP Fortify
helped create a secure, trusted brand image and
provided pricing advantages in large deals.
WHITE PAPER
North American Telecom Company Speeds
Product Launches
Although this telecom
had a well-defined
software security
strategy, it needed
a robust solution to
make it operational.
Enter HP Fortify, which
enabled the company
to scan code 30 times
faster and uncover
10 times more
vulnerabilities. Most
critical issues have
been eliminated and
early fixes are helping
the company save
millions of dollars
by avoiding product
launch delays.
“Fortify brought a new
paradigm to software
security and helped
us mature into a
secure IT enterprise.
Fortify literally helps
us protect the
company’s reputation
in the industry.”
– Leading U.S. Bank
9
10. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
KEY FINDINGS: RISK MITIGATION
Avoiding Costs and Damages From Data Breach
WHITE PAPER
BENEFIT SUMMARY: UNLOCKING THE POTENTIAL
OF SSA
Minimizing the risk of data breaches and security
failures is a top priority for CISOs. The damages caused
by intrusions can be wide ranging and costly, leading
to millions of dollars in legal and PR fees, remediation
expenses, lost revenue, and customer churn.10
Security executives interviewed in the current study
saw SSA solutions as one of the most effective tools
for controlling this risk.
Every company adopting SSA is different, and so are the
benefits they realize. As shown in the figure below, for
those organizations capable of exploiting every opportunity for value creation, the potential can reach nearly
$50M per year — an increase of $13M over our 2010
estimate. Still, the benefits accruing to a particular
company will vary according to its business profile,
including its size, industry, and business strategy.15
Findings
To estimate the benefits for an individual company, we
recommend upfront research to establish key benchmarks for that organization. These would include the
number of applications developed or tested per year,
current time-to-fix cycles, and current developer costs,
among other metrics. An accurate benefit estimate will
also include a time component. For example, while most
of the companies in the study captured benefits within
the first year of SSA deployment, many of the more
significant benefits weren’t realized until the second
• The average cost of a data breach is about
$5.4M, or $188 per compromised record.11
• Companies can save an estimated $540K per
year by adopting SSA solutions to avoid major
data breaches.12
Avoiding Non-Compliance Penalties
Companies in regulated industries can face significant
fines when security gaps are discovered in their systems
and software — and even more when organizations fail
to resolve these vulnerabilities in a timely manner. In the
payment card industry, for instance, penalties can range
from $5K to as much $25K per month. When you also
factor in lost sales, customer churn, and remediation
expenses, the full cost of PCI non-compliance can be
substantially more.13
Finding
• By ensuring compliance through systematic
software security testing, companies can avoid
approximately $100K in penalties annually.14
“Fortify has saved us
millions of dollars
by ensuring that
applications go to
market in time.”
– North American
Telecom Company
Total Annual Economic Value Potential for SSA16
Vulnerability Remediation
Cost Savings
Compliance and
Penetration Test Savings
Distributed Development
Savings (On Demand)
$3M
$0.3M
$1.3M
Development
Productivity Savings
Application Outsourcing
Pay for Performance
$5.0M
$0.1M
NPI Time-to-Market
Cost Savings
$15.0M
$8.3M
NPI Revenue Impact
Breach Cost Avoidance
Compliance Penalty
Cost Avoidance
$0.5M
$0.1M
M&A Valuation Benefits
Software Asset Acquisition
Security Effort Savings
$10.0M
$5.0M
Total Impact
$49.0M
10
11. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
year, when companies had completed the organizational
and process changes necessary to integrate SSA into a
comprehensive software development life cycle (SDLC)
program.
solutions offer substantial efficiency and productivity
benefits that help companies control costs, speed
software development, and even boost revenue and
asset values.
CONCLUSION
Three years after our initial 2010 study, companies
adopting SSA solutions continue to report savings in
the millions of dollars from:
During a time of tightening IT budgets, security executives
are facing increasing pressure to justify investments —
even those as critical as software security — from a
business-value perspective. As this study shows, SSA
WHAT TO LOOK FOR IN A
SOFTWARE SECURITY SOLUTION
• More efficient and effective vulnerability assessment
and remediation.
• Streamlined regulatory compliance and penetration
testing efforts.
• Fewer security-related delays affecting the launch
of new products.
Mainstay’s review of 30 software security
providers found that not all vendors offer the same
functionality and services. When evaluating the
options, organizations should look for an SSA
value-maximizing solution that:
• More favorable pricing of outsourced code
development.
• Offers both extensive remediation functionality
and supporting services.
Companies in the 2013 study have evolved on several
fronts, however. We saw more consistent adoption of
software security best practices across companies,
allowing for better industry benchmarking. Significantly,
we saw broader interest in and greater adoption of
on-demand SSA solutions, which helped companies
extend protection to geographically dispersed development operations and enabled easier evaluations of
third-party digital assets.
• Provides support for cross-team collaboration —
bringing information security teams, developers, risk officers, and auditors together in a
coordinated effort.
• Seamlessly integrates with existing application
life-cycle management (ALM) and development
environments, shortening time to remediation.
• Provides in-depth guidance on how to correct
each security vulnerability, thus accelerating
remediation further.
• Offers robust governance capabilities,
including the ability to define and communicate security policies and rules across the
organization.
• Provides research on the latest threat trends
and techniques, ensuring that teams are
aware of all emerging threats.
• Provides static and dynamic testing
capabilities and expertise.
• Comprehensively addresses all types of
software — mobile, client, web — across
all enterprise technology stacks.
• Improved valuations of the software assets of
merger-and-acquisition targets.
By leveraging on-demand software security-as-aservice solutions, companies could further boost the
productivity of their development operations and secure
additional savings. As a result, the total economic impact
of SSA for companies in 2013 increased to just under
$50M, about $13M more than SSA’s estimated valuegenerating potential in 2010. The growing consumerization of applications is only expected to expand the
value and usefulness of cloud-based SSA models
in the years ahead.
WHITE PAPER
North American Telecom Company Speeds
Product Launches
Although this telecom
had a well-defined
software security
strategy, it needed
a robust solution to
make it operational.
Enter HP Fortify, which
enabled the company
to scan code 30 times
faster and uncover
10 times more
vulnerabilities. Most
critical issues have
been eliminated and
early fixes are helping
the company save
millions of dollars
by avoiding product
launch delays.
“Both on-premise
and on-demand
SSA solutions have
their advantages
and we need both.”
– Transportation and
Logistics Company
To understand the full potential of Software Security
Assurance solutions in your organization, go to
www.fortify.com/ssa-basics/overview/index.html.
For information on HP Fortify and other products and
services from HP Fortify, go to www.fortify.com.
11
12. Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions
WHITE PAPER
APPENDIX: RESEARCH INTERVIEWS
To more clearly understand the economics of software security, Mainstay conducted more than a dozen interviews with information security
leaders, including chief information security officers (CISOs) and information security managers and directors. Seventeen private- and publicsector organizations were studied in 2010, and an additional nine in 2013, spanning a cross-section of industries and geographic regions.
• Industries studied: financial services, high technology, transportation, services, healthcare, agriculture, and telecommunications
• Regions: North America, Europe, Asia Pacific
• Company size: $1–5B (30%), $5–25B (29%), >$25B (41%)
The interviews addressed various aspects of software security objectives, strategies, and implementation, along with the specific benefits of
Fortify solutions. Data gathered from these in-depth interviews formed the basis for the business value estimates presented in the study.
END notes
1
Late-cycle methods such as penetration testing, for example, requires significantly more time to track down defects in the source code.
2
The reduction in remediation time is due to several factors, including SSA capabilities and practices that (1) pinpoint the exact location of a flaw in the code lines,
(2) prioritize vulnerabilities to focus resources on the most critical flaws, and (3) provide guidance on how to correct each vulnerability.
3
Estimate based on a conservative 10 vulnerabilities per application, and 67 critical applications.
4
Mandates and standards commonly impacting application development projects include: the Payment Card Industry Data Security Standards (PCI DSS), the Federal
Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPPA), and North American Electric
Reliability Corporation (NERC) standards.
5
Assumes 50% reduction in penetration testing effort; legacy environment costs are based on an average of 8 penetration tests per year at $67K per test.
6
Estimate assumes a $20B company earning 1.25% of its profit per quarter from new product sales; 50% of product introductions are assumed to benefit from SSA
efficiencies, which help avoid an average of 4 critical vulnerabilities per product and 30 days of delays.
7
Estimate assumes a $20B company incurring new product development costs equal to 3% of revenue; 50% of new products, or $300M in expenses, are assumed to
be impacted by SSA efficiencies, which help avoid an average of 4 critical vulnerabilities per product and 30 days of delays; the resulting 5% productivity increase
saves $15M in development expenses.
8
Estimate assumes an average deal discount of 5% from SSA code analysis.
9
Assumes average fee discounts of 1% applied to annual outsourced development expenditures of $10M.
See “Top 10 Data Breaches and Blunders of 2009,” eSecurity Planet: http://www.esecurityplanet.com/views/article.php/3863556/Top-Ten-Data-Breaches-and-Blunders-of-2009 htm.
10
Ponemon Institute, 2013.
11
Assumes that the average company would experience a major data breach once every 10 years.
12
Assumes that an average penalty period would last 6 months. Research indicates that penalties make up only 30% of the full impact of non-compliance (“Industry View:
Calculating the True Cost of PCI Non-Compliance,” Ellen Lebenson, CSO Online).
13
Assumes a non-compliance period lasting 6 months. Average penalty periods range from 3 to 24 months.
14
For example, only companies that sell commercial software (or that provide software-enabled products or services) are likely to gain the revenue and cost benefits from
accelerating new product introductions. Similarly, only companies actively engaged in M&A activities can achieve the valuation benefits from SSA-enabled acquisitionvaluation initiatives. In addition, not all of the estimated benefits should be understood as “hard savings” that directly impact the profit and loss statement. For example,
benefits from avoiding costs — such as a breach remediation — may be considered “soft” because some organizations may never experience a breach event.
15
2010 findings included, for Sample Customer. Assumptions include: $20B customer, 10% new product revenue contribution; 50% first year margins; 2 month product
delay due to vulnerabilities; 500 critical/severe vulnerabilities; $3.8M cost per breach — 10% probability; $200M in M&A @ 5% valuation benefits.
16
2013: 500 more third-party developers covered (10 FTE effort savings); 1,000 more new apps @ 50K per app; 10% in security effort savings from acquisition of
software assets. Please see notes for more details on how 2013 savings were arrived at.
17
12