Building secure and compliant software can be costly for companies that operate in highly regulated industries such as the financial industry – especially when requirements are addressed late in the software development life cycle (SDLC). One particular company knows just how costly it can be. Due to its size and diversity, the American Multinational Financial Company’s cost of security compliance had escalated into millions of dollars every year.
Challenge: Integrating security requirements early in the SDLC
The company has a robust development community of approximately 3,000 developers in more than 25 countries. But despite having all this manpower, an inordinate amount of time – and money – was being spent on remediating vulnerabilities late in the software development process. Security wasn’t being architected into applications because the security team was unable to define the requirements early in the SDLC. As a result, every application project resulted in a number of vulnerabilities that needed to be identified and remediated. The average development project would have 5 critical and 10 medium vulnerabilities. The cost to resolve these vulnerabilities was a whopping $100,000 – for each application project.
Solution: Automate the identification of security requirements with SD Elements
According to the company’s security manager, "We purchased SD Elements to help accomplish our objectives: to reduce the amount of interim production vulnerabilities, to provide requirements for the development early in the development life cycle, and, overall, to educate our developers in secure coding."
SD Elements is a software security requirements management solution that eliminates high-risk vulnerabilities at the earliest stages of the SDLC – before scanning even begins. It provides prescriptive, secure coding advice based on the project’s application technology, business and compliance drivers.
Users answer a short questionnaire that models the application’s characteristics, and SD Elements identifies the relevant threats and countermeasures that must be addressed during development. Once the application is modeled in SD Elements, developers get continuous updates about new vulnerabilities, compliance standards and countermeasures.
SD Elements allows the company’s 3,000 developers to knowingly architect and code the necessary security controls into applications during the regular course of development rather than spend significant amounts of time and money on remediation after primary development is completed. Because SD Elements can scale to thousands of applications, the company’s security team is able to positively influence software development across the entire organization with minimal change to processes.
Benefits: Hard cost savings and greater efficiency
With the help of SD Elements, the organization was able to significantly reduce the number of vulnerabilities requiring remediation in each of its application projects. Instead of remediating 5 critical and 10 medium vulnerabilities in each application, the team now remediates an average of five medium vulnerabilities. As a result, the cost of remediation dropped from $100,000 to $25,000. The savings of $75,000 per project across 75 major application projects amounted to more than $5.6 million.
The company also realized savings in terms of labor costs. As security requirements became an integrated part of the SDLC and the security team began to work with development teams to proactively address security needs, the security team’s workload was reduced. Fewer security staff were required to ensure compliance, which saved the organization $714,000 per year and more than $2.1 million over three years. Had the security team continued to reactively address security requirements, the team of 28 professionals would need to be about 50% larger than it is today, according to the security director.
The company has also realized several "soft" benefits, such as overcoming challenges associated with testing when using Agile development practices. The organization runs a program of continuous integration of source code that’s scanned on the build server. This enables the development teams to get almost immediate results about vulnerabilities. "If we hadn’t built this close relationship, agreeing to partner with SD Elements to integrate the requirements, it would have been a far greater challenge than it is today," the security director said.
SD Elements has also made it easier for the global company to adapt to international security compliance requirements. Each nation has its own laws and compliance requirements, some of which vary dramatically. "What we’re able to do with SD is get feedback from local legal teams. We can actually add to the list of project requirements an element that is required for Singapore, for example," the security director said.