Application security and software development teams know they need to mature their application security program so they can more proactively identify software security threats and develop secure and compliant software from the very beginning of the software development process.
However, as teams review all of the different tools and solutions available, figuring out which solution will deliver the best value to their organization can be difficult. Executive leaders and procurement teams want quantifiable, objective metrics that demonstrate that the proposed solution will deliver value. However, since this information is typically difficult to obtain, far too often teams are forced to rely on vendor claims and their own gut instincts.
Many application security vendors claim that their solutions can increase application security and software development team productivity, but productivity improvements can be hard to quantify.
To address this challenge, Security Compass commissioned a study conducted by Forrester Consulting to work with our customers to quantify the economic impact of using SD Elements. The study, “The Total Economic Impact™ of Security Compass SD Elements” (April 2022), covers the benefits from improvements in productivity, reduced costs, and fewer vulnerabilities. This post reviews their methodology and findings regarding productivity in the software development process.
Secure Software Development Productivity Challenges
Software development has changed greatly over the past two decades, with significant impacts on application security and software development teams. The adoption of rapid development methodologies like DevOps, Agile, and Continuous Integration – Continuous Delivery (CI-CD) has presented ongoing challenges to organizations. Adapting a toolchain designed for waterfall development processes and quarterly software releases to a process requiring multiple releases each day is not simple.
Adding security requirements early in the development process helps. Security requirements enable organizations to anticipate issues that could result in security vulnerabilities and build risk mitigation tasks into their workflow. However, organizations face several productivity challenges related to managing security requirements.
- Most organizations use manual processes and spreadsheets to create, communicate, and manage security requirements. Creating security requirements requires security teams to review each project’s technical stack, including programming languages, frameworks, and deployment environments, identify each potential weakness, and assign a risk mitigation control for implementation.
- DevSecOps teams struggle to respond quickly to changing customer needs. Each time a significant feature is added, a deployment environment is added, or a new integration is developed, the security requirements change. Manual processes cannot keep up with this velocity of change.
- Overlapping regulatory standards and internal corporate policies are constantly updated and complex to understand. Requirements may change for each application based on industry guidelines and regulatory standards. Tracking and updating requirements for internal and external policies is difficult for a single application. Manual systems are impractical for organizations managing hundreds of applications.
- Manual processes are prone to inconsistency. The risks identified and mitigation controls assigned can differ depending on the skill, experience, and preferences of the person building the requirements.
- Spreadsheets do not integrate well with developers’ tools and are difficult to audit. Developers are likely to miss controls that are line items in a long list. Validating that controls have been implemented properly is difficult.
Quantifying How SD Elements Increases Application Security Team Productivity
Forrester interviewed program owners from four organizations that are using SD Elements for building and managing security requirements and secure coding standards. They aggregated the interviewees’ experiences and combined the results into a single composite organization which has a portfolio of 250 applications across 156 products. Forrester then applied their financial model framework to the composite organization, including benefits, costs, flexibility, and risks, to arrive at estimates for the total economic impact.
Before SD Elements
Interviewees told Forrester that creating security requirements required representatives from security, engineering, and compliance to participate in a variety of formal meetings and information discussions over a period of weeks. The effort required 80 hours of effort per product, or 12,480 hours per year.
After SD Elements
Interviewees reported that SD Elements reduced the time required to generate security requirements to eight hours – a reduction of 90 percent. This translates into a three-year Benefits Present Value of $1,661,466.
How SD Elements Quantifiably Increases Productivity
SD Elements improves productivity by automating and standardizing security requirements generation. Factors cited in the study included:
Automated security requirements. SD Elements reduced the time required to create security requirements by 90 percent. Rather than days of meetings and having to create manual spreadsheets, SD Elements automatically generates security requirements based on a survey of an application’s technology stack. It leverages many decadesof collective experience from Security Compass’s security team. These software security experts continuously research the latest software security threats, security requirements, and regulatory standards from around the world to update requirements and mitigation controls to SD Elements. This saves customers the time required to understand a constantly changing threat space and regulatory environment.
Consistent, approved secure coding controls. The SD Elements content library includes dozens of regulatory standards and best practice frameworks. Instead of requiring security and development managers to identify risk mitigation controls for every project, it translates potential weaknesses into recommended risk mitigation controls with easy-to-follow instructions for development, assurance, and deployment teams. Controls can align with industry standards such as the Cloud Security Alliance and NIST’s Cybersecurity Framework or be customized to accommodate secure coding policies of an individual company or project.
Integrations with development tools already in use. Instead of maintaining and distributing spreadsheets, SD Elements automatically delivers recommended, prioritized, and easy-to-understand developer-friendly security requirements and secure coding guidance to developers within their existing workflow. SD Elements integrates with issue trackers like Jira, Pivotal Tracker, and GitLab.
Control validation. Reporting based on manually updated spreadsheets is time consuming and requires teams to map testing to each item in the spreadsheet. SD Elements automatically validates all controls through integrations with application security testing tools, including static analysis, dynamic analysis, and source composition analysis. This allows teams to have near real-time traceability regarding which controls have been implemented and which remain open.
Compliance evidence. Unlike spreadsheet-based models that are subject to error and lack traceability, SD Elements provides a centralized repository for all activity and full, evidentiary quality auditing for all actions. It automatically creates artifacts to show that implemented controls meet security requirements such as the NIST Cybersecurity Framework, NIST SP 800-53R5, PCI, GDPR, OWASP Top 10, and more.
Determining which application security solution delivers the most value can be challenging. Organizations with limited budgets must look beyond product features and seek solutions that provide economic benefits that surpass costs. The Forrester Total Economic Impact™ study found that organizations switching from manual methods to create security requirements to using SD Elements to manage security requirements realized productivity improvements of 90 percent. In the composite organization with 250 applications this resulted in a 3-year Benefits Present Value of $1,661,466 related to productivity improvements.
It is also important to note that increased productivity was just one of four economic benefits reported by Forrester. Other SD Elements economic benefits found in the study include:
- Reduced costs
- Avoided vulnerability remediation
- Decreased time spent on security certifications.
You can read the complete Forrester Consulting study here. You can also watch a more detailed discussion about the economic impact of SD Elements with Trevor Young, Security Compass Chief Product Officer, and guest speaker Roger Nauth, Forrester Senior TEI Consultant.