Author: Trevor Young, Security Compass Chief Product Officer
In an earlier blog post, we explained why Security Compass commissioned Forrester Consulting to conduct a study on our behalf to quantify the economic impact of using SD Elements.
The study, The Total Economic Impact™ of Security Compass SD Elements (April 2022), covers the benefits of improvements in productivity, reduced costs, and fewer vulnerabilities.
This post will discuss their methodology and findings around cost savings enabled by SD Elements in the software development process.
Secure Software Development Cost Challenges
Security requirements help organizations build more secure software faster. In a traditional manual model, security, engineering,
and compliance work together to anticipate weaknesses in the technical stack and prescribe risk mitigation controls to be implemented during the normal development process.
There are obviously costs associated with a manual process. Senior personnel are required for their design expertise and
knowledge of potential security issues. As noted in a previous post, the Forrester study found that manually creating security
requirements for an application consumes 80 hours for a composite organization.
Forrester cited other costs with manual methods as well:
- In a manual security requirements exercise, information is entered into spreadsheets or shared documents. Teams then need to communicate the requirements and mitigation controls to developers. When the application is updated, the requirements and controls often change. In a rapidly changing DevSecOps environment, a requirements document can quickly become obsolete.
- Security architects require time to analyze new or updated requirements, then update mitigation controls or secure coding guidelines, train security champions on the guidance, and communicate changes to development, security, and operations.
- New regulatory guidelines or requirements like GDPR required extensive time to review. New policies and security requirements need to be created, added to a spreadsheet, and rolled out to each development team.
- Interviewees told Forrester that, without SD Elements, security champions and development teams would have to review any new or updated requirements to understand how they impacted each application.
Quantifying How SD Elements Reduces the Cost of Creating and Maintaining Security Requirements
Forrester interviewed four organizations using SD Elements for building and managing security requirements and secure coding standards. They aggregated the interviewees’ experiences and anonymized the results into a single composite organization with a portfolio of 250 applications across 156 products. Forrester then applied their financial model framework to the composite organization, including benefits, costs, flexibility, and risks, to arrive at estimates for the total economic impact.
Before SD Elements
Without SD Elements, understanding new or updated requirements was labor-intensive. It required extensive,
time-consuming research to create or update spreadsheets, and hours of effort to roll out new or updated requirements and training security champions.
After SD Elements
Interviewees told Forrester that using SD Elements reduced the time required to understand and integrate applicable
requirements by 16 hours on average. This represents a three-year cost savings of $891,225 and a Benefits Present Value
Source: The Total Economic Impact™ of Security Compass SD Elements, a commissioned study conducted by Forrester Consulting on behalf of Security Compass, April 2022
How SD Elements Automation Decreases Costs
SD Elements lowered costs by automating and standardizing security requirements generation. Factors cited in the study included:
More efficient security utilization. SD Elements reduced the time required to identify security controls by 16 hours per
application annually. It automatically identifies systems with the most risk that require human attention, allowing automation
to serve the remaining systems.
Automatically generate security guidance. Instead of days of meetings and manual spreadsheets, SD Elements automatically translates all requirements into actionable risk mitigation controls and easy-to-follow instructions for development, assurance,
and deployment teams.
Rapid, low-touch updates. Quickly understand requirements based on technology stack, industry, and geographic region. When new features, components, or deployment environments are added, SD Elements can quickly update security requirements and risk mitigation controls.
Continuous monitoring of industry and regulatory standards. Security Compass experts monitor regulatory standards and industry guidelines to keep security requirements and controls accurate and up to date. Controls can align with industry standards such as the Cloud Security Alliance and NIST’s Cybersecurity Framework or be customized to accommodate secure coding policies of an individual company or project.
Integrations with development tools. Rather than relying on spreadsheets, SD Elements automatically delivers recommended, prioritized, and easy-to-understand developer-friendly security requirements and secure coding guidance to developers within their existing workflow. SD Elements integrates with issue trackers like Jira, Pivotal Tracker, and GitLab.
Evidence of compliance. Unlike spreadsheet-based models that are subject to error and lack traceability, SD Elements provides a centralized repository for all activity and full, evidentiary quality auditing for all actions. It automatically creates artifacts to show that implemented controls meet security requirements such as NIST Cybersecurity Framework, NIST SP 800-53R5, PCI, GDPR, OWASP Top 10, and more.
When looking to mature an application security program, teams should ask vendors about the return on investment companies can expect from their tools. Security requirements help organizations anticipate and avoid design and implementation weaknesses an attacker could exploit. The Forrester Consulting Total Economic Impact™ study found that the composite organization which manages 250 applications would see a three-year ROI of 332% and a Benefits Present Value of $2.86 million by switching to SD Elements from manual methods to create security requirements. This includes over $700,000 in Benefits Present Value from reduced costs due to automation of manual security requirements tasks.
You can read the complete Forrester Consulting study here. You can also watch a more detailed discussion about the economic impact of SD Elements with Trevor Young, Security Compass Chief Product Officer, and guest speaker Roger Nauth, Forrester Senior TEI Consultant.