Information security frameworks
Communicate the business value of application security solutions in a language that matters to the board
by Craig LeGrande & Amir Hartman, Mainstay Partners
The last decade has seen a dramatic shift in the way companies manage information security and protect vital data.
In the past, businesses confronted the threat of cyber attacks and data breaches primarily by building firewalls and other “perimeter defences” around their networks. The threat has continued to evolve, however, and more criminals are now attacking applications that run on a plethora of new devices and environments, including cloud, mobile, and social media. As a result, the focus of threat protection is moving from securing the infrastructure to securing the software applications that businesses write and deploy.

The shift has created a market for a new generation of products and services – known as software security assurance (SSA) solutions – that help companies uncover vulnerabilities in their code, fix these defects effectively, and produce software that is impervious to security threats.

In an effort to quantify the business value of SSA, Fortify Software (the leading provider of SSA solutions) commissioned Mainstay Partners to conduct in-depth interviews with 17 global customers: organisations that have implemented SSA and that represent a cross-section of industries. The study found that companies are realising substantial benefits from SSA right out of the box, saving as much as $2.4M per year from a range of efficiency and productivity improvements, including faster, less costly code scanning and vulnerability remediation and streamlined compliance and penetration testing.

Far larger benefits, however, are being achieved by companies that deploy SSA in more comprehensive and innovative ways. These advanced deployments include embedding software security controls and best practices throughout the development lifecycle, extending SSA programs into critical customer-facing product areas, and leveraging SSA to seize unique value-generating opportunities. For these strategic companies, the benefits of software security solutions can add up to as much as $37M per year.

In our interconnected world, software is everywhere – not just in data centres or on desktop computers, but in mobile phones and all kinds of wireless devices and consumer products. Software resides on the Web and in the cloud, where businesses rely on software-as-a-service (SaaS) solutions for mission-critical business functions. Application security protects the software that runs in all these environments and devices, and the business improvements of SSA are seen as extending to wherever applications are deployed.

At a time when IT budgets are coming under closer scrutiny, chief information security officers (CISOs) say they are being called upon to justify SSA investments from a cost-benefit perspective.
This article provides the evidence needed for information security executives to communicate the business value of software security solutions in a language that the board can relate to.

Faster vulnerability remediation

Across the board, companies adopting SSA solutions report significant efficiency improvements in finding and remediating software security flaws:

- By introducing automated SSA technology and best practices, organisations reduced average remediation time from one to two weeks to one to two hours.
- Organisations saved an estimated $44K annually in remediation costs per application.
- For the average organisation, these cost savings are estimated conservatively to amount to $3M per year.

Streamline compliance and penetration testing

Companies are facing tighter government and industry regulations for application security, particularly new software standards in the financial services and health-care industries. By configuring the SSA solution to address specific compliance mandates, organisations quickly identified and ranked vulnerabilities according to severity. The solution also generates a report that documents these activities, creating an audit trail for regulators:

- The average organisation adopting SSA saw its fees paid to compliance auditors fall by 89% – or about $15K annually.
- The average organisation achieved a 50% reduction in penetration testing effort, translating into annual savings of more than $250K.

Avoid data breaches

The threat of a major data breach can keep CISOs awake at night, and most are aware of the history of high-profile security failures that have damaged company reputations and resulted in millions of dollars in legal and PR fees, remediation expenses, lost revenue, and customer churn:

- The average cost of a data breach is about $3.8M, or $204 per compromised record.
- Companies can save an estimated $380K per year by adopting SSA solutions to avoid major data breaches.

Avoid software compliance penalties

Businesses that fail to comply with industry standards for software security can face substantial penalties. In the payment card industry, for example, penalties can range from $5K to $25K per month. Moreover, when lost sales, customer churn, and remediation expenses are also factored in, the full cost of PCI non-compliance can be substantially more:

- By ensuring compliance through systematic application security testing, companies can conservatively avoid approximately $100K in penalties annually.

Pay-for-performance benefits

In an innovative use of software security technology, companies that outsource software development to partners are leveraging SSA solutions to drive cost-effective “pay for performance” programs:

- Companies using SSA to screen outsourced code and adjust the price paid for it can capture fee savings of about $100K annually while improving the overall quality of code delivered by development partners.

Faster product launches boost revenue and margins

For companies that sell e-commerce and other commercial software, discovering security flaws late in the development life cycle can delay new product introductions (NPI) by weeks or months, putting revenue and market share at risk and adding millions of dollars in development costs:

- Companies can capture an estimated $8.3M of additional software revenue through a comprehensive SSA program that minimises product delays.
- Companies can realise development cost savings of about $15M per year from SSA-driven reductions in product delays.

Maximise the value of M&A deals

Companies can extend the value of their software security solution by deploying it in strategic ways, for example using it to perform software security audits of acquisition targets whose core products depend critically on software:

- In the case of a company completing two $100M deals a year, using SSA to assess the software assets of prospective acquisitions can yield valuation benefits of approximately $10M.

Realising the full potential of SSA
For companies able to exploit all of the opportunities for value creation, that potential can reach $37M annually. There are three stages that organisations typically go through on the path to SSA maturity:
- Explore: These organisations deploy an SSA solution across a small number of applications (10–20) and developer teams as a proof-of-concept initiative.
- Accelerate: These organisations are moving beyond “toe-in-the-water” pilot programs and are actively incorporating threat detection and remediation techniques across key development teams and applications.
- Optimise: These organisations have embedded software security tools, processes, and training within a formal SDLC program. Many are also leveraging SSA solutions in innovative ways to generate additional business value and create competitive differentiation.
As this article has demonstrated, SSA solutions not only help companies minimise the risk of a successful cyber attack, but also offer substantial efficiency and productivity benefits that help control costs, speed software development cycles, and in some cases even boost revenue and asset values.

BOX OUT A: Key findings

- The full benefit potential of SSA solutions can reach $37M annually.
- Initial SSA deployments can create $2.4M in annual benefits.
- Average vulnerability remediation time fell from one to two weeks to one to two hours.
- Repeat vulnerabilities were reduced from 80% to virtually zero.
- Organisations saved an estimated $44K in remediation costs per application.
- Companies reducing time-to-market delays saved an estimated $8.3M annually.

BOX OUT B: What should organisations look for in an SSA solution?
Not all vendors offer the same functionality and services. When evaluating the options, organisations should look for an SSA value-maximising solution that:
- Offers both deep remediation functionality and a breadth of supporting services
- Provides support for cross-team collaboration – bringing information security teams, developers, risk officers, and auditors together in a coordinated effort
- Seamlessly integrates with existing application life-cycle management (ALM) and development environments, shortening time to remediation
- Provides in-depth guidance on how to correct each security vulnerability, thus accelerating remediation further
- Offers robust governance capabilities, including the ability to define and communicate security policies and rules across the organisation
- Provides research on the latest threat trends and techniques, ensuring that teams are aware of all emerging threats
Notes

The reduction in remediation time is due to several factors, including SSA capabilities and practices that (1) pinpoint the exact lines of code where a flaw occurs, (2) prioritise vulnerabilities so that resources are focused on the most critical flaws, and (3) provide guidance on how to correct each vulnerability. The remediation estimate is based on a conservative 10 vulnerabilities per application and 67 critical applications.

Mandates and standards commonly affecting application development projects include the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and North American Electric Reliability Corporation (NERC) standards.
Assumes 50% reduction in penetration testing effort; legacy environment costs are based on an average of eight penetration tests per year at $67K per test.
See “Top 10 Data Breaches and Blunders of 2009,” eSecurity Planet: http://www.esecurityplanet.com/views/article.php/3863556/Top-Ten-Data-Breaches-and-Blunders-of-2009.htm

Fourth Annual U.S. Cost of Data Breach Study, Ponemon Institute, 2009. The breach-avoidance estimate assumes that the average company would experience a major data breach once every 10 years.

The penalty estimate assumes that an average penalty period would last six months. Research indicates that penalties make up only 30% of the full impact of non-compliance (“Industry View: Calculating the True Cost of PCI Non-Compliance,” Ellen Lebenson, CSO Online). A non-compliance period lasting six months is assumed; average penalty periods range from 3 to 24 months.

The pay-for-performance estimate assumes average fee discounts of 1% applied to annual outsourced development expenditures of $10M.

The revenue estimate assumes a $20B company earning 1.25% of its profit per quarter from new product sales; 50% of product introductions are assumed to benefit from SSA efficiencies, which help avoid an average of four critical vulnerabilities per product and 30 days of delays.

The development-cost estimate assumes a $20B company incurring new product development costs equal to 3% of revenue; 50% of new products, or $300M in expenses, are assumed to be affected by SSA efficiencies, which help avoid an average of four critical vulnerabilities per product and 30 days of delays; the resulting 5% productivity increase saves $15M in development expenses.
Sample customer assumptions include: $20B customer, 10% new product revenue contribution; 50% first year margins; two-month product delay due to vulnerabilities; 500 critical/severe vulnerabilities; $3.8M cost per breach @ 10% probability; $200M in M&A @ 5% valuation benefits.