[Figure: Incidents Avoided versus Incidents Not Avoided (last 12 months) against the total cost of the initiative, with illustrative values of $300K / incident, $400K / year, and > 130 applications]

[Figure: Cumulative % of Vulnerabilities Discovered and Remediated, by software development lifecycle phase, plotted for Best-in-Class, Laggards and All Respondents (All Respondents series):]

Phase             Analysis  Design  Implementation  Testing  Release  Deployment / Support
All Respondents   15.6%     30.8%   44.5%           71.7%    82.2%    100.0%

[Figure: Best-in-Class Early Adoption and Best-in-Class Differentiators: adoption of source code review (manual), source code analysis and verification (static), source code analysis and verification (dynamic), secure software development tools, and software security testing tools, Best-in-Class compared to Laggards]
Source: Aberdeen Group, November 2010
The denominator includes the total annual cost for the organization's
application security initiative; also in the denominator, however, are the
total costs from application security incidents that were not avoided in the
last 12 months, in spite of the investments that have been made. In the
numerator are the best estimates for the total costs of application security-
related incidents that were avoided in the last 12 months as a result of the
organization's investments – these may be difficult to come by, and
imprecise at best. For this reason, the most general way to think about this
simple analysis is that any investments in technologies and services that
lower the total cost of the initiative (efficiency) and cause a greater shift
from the denominator to the numerator in terms of incidents avoided
(effectiveness) will have a strongly positive impact on the overall return on
annual investment.
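As an added worked example (not part of the Aberdeen report), the ratio described above written as code, together with a break-even calculation the text does not carry out; the incident count is constructed, and the $300K per incident and $400K per year initiative cost are taken from the figure's illustrative labels as assumed inputs.

```python
# Added example: the return-on-annual-investment ratio described in the text.
# numerator   = estimated cost of incidents avoided in the last 12 months
# denominator = annual cost of the initiative + cost of incidents not avoided

def roi_ratio(avoided_cost: float, initiative_cost: float, not_avoided_cost: float) -> float:
    """Return avoided / (initiative + not avoided). A value above 1.0 means the
    initiative avoided more cost than it consumed, counting the incidents it missed."""
    denominator = initiative_cost + not_avoided_cost
    if denominator <= 0:
        raise ValueError("initiative cost plus unavoided incident cost must be positive")
    return avoided_cost / denominator


def roi_from_model(incidents: int, cost_per_incident: float,
                   initiative_cost: float, avoided_fraction: float) -> float:
    """Model one year of `incidents` that would each cost `cost_per_incident`,
    of which the fraction `avoided_fraction` was prevented by the initiative.
    Raising avoided_fraction is the effectiveness lever (cost moves from the
    denominator to the numerator); lowering initiative_cost is the efficiency lever."""
    if not 0.0 <= avoided_fraction <= 1.0:
        raise ValueError("avoided_fraction must lie in [0, 1]")
    exposure = incidents * cost_per_incident
    avoided = avoided_fraction * exposure
    return roi_ratio(avoided, initiative_cost, exposure - avoided)


def break_even_fraction(incidents: int, cost_per_incident: float, initiative_cost: float):
    """Smallest avoided fraction p at which the ratio reaches exactly 1.0.
    With E = incidents * cost_per_incident, solving p*E = I + (1 - p)*E gives
    p = (1 + I/E) / 2. Returns None when I > E: the initiative then costs more
    than the entire exposure and cannot break even at any avoidance rate."""
    exposure = incidents * cost_per_incident
    if exposure <= 0 or initiative_cost > exposure:
        return None
    return (1.0 + initiative_cost / exposure) / 2.0


if __name__ == "__main__":
    # Constructed inputs: 10 incidents per year at the figure's illustrative
    # $300K each, against the figure's $400K per year initiative cost.
    for p in (0.5, 0.7, 0.9):
        ratio = roi_from_model(10, 300_000, 400_000, p)
        print(f"avoided {p:.0%} of incidents -> ratio {ratio:.2f}")
    print("break-even avoided fraction:",
          round(break_even_fraction(10, 300_000, 400_000), 3))
```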
[Figure 7: Secure at the Source versus Industry Average; Percentage of Respondents (N=132) reporting each secure development practice, by phase: Analysis, Design, Implementation, Testing, Release]
Source: Aberdeen Group, November 2010
In Figure 7, the current capabilities and practices that were listed in the
simplified version of the Microsoft SDL (see Table 2) are plotted for the 42
organizations currently using the secure at the source strategy for application
security, with the Industry Average from Aberdeen's Securing Your
Applications: Three Ways to Play benchmark study also plotted as a reference.
For example, in the Design phase of the software development lifecycle,
77% of the secure at the source users indicated that functional specifications
accurately and completely describe the intended use of features or function
for their applications, compared to just 53% of the Industry Average. The
high-level takeaway is that the secure at the source users are more consistent
and more mature in their adoption of these secure application development
practices. Readers who are actively evaluating their secure application
development practices may wish to use Table 2 and Figure 7 to make a
careful comparison of the biggest differences, and of their own current
capabilities, for each of the analysis, design, implementation, testing and release
phases. Aberdeen has also built a complimentary interactive assessment tool
based on this data that may speed up such a comparison.
Table 4: Solutions Landscape for Security and the Software Development Lifecycle (illustrative)

Company           Web Site                            Solution(s)
Armorize          www.armorize.com                    CodeSecure, SmartWAF, HackAlert
Aspect Security   www.aspectsecurity.com              Implementation, Verification and Management services
Coverity          www.coverity.com                    Static Analysis, Dynamic Analysis, Build Analysis, Architecture Analysis
Electric Cloud    www.electric-cloud.com              ElectricCommander, ElectricAccelerator, ElectricInsight
HP                www.fortify.com                     Fortify 360, Fortify On Demand
HP                www.hp.com                          DevInspect, QAInspect, Assessment Management Platform
IBM Rational      www-01.ibm.com/software/rational/   AppScan Source, AppScan Build, AppScan Tester
Klocwork          www.klocwork.com                    Insight
QMetry            www.qmetry.com                      QMetry Enterprise
Replay Solutions  www.replaysolutions.com             Replay DIRECTOR
TOMOS             www.reachsimplicity.com             TOMOS Application Lifecycle Management
Veracode          www.veracode.com                    Veracode SecurityReview
Source: Aberdeen Group, November 2010
Related Research
Managing Vulnerabilities and Threats: No, Anti-Virus is Not Enough; December 2010
Web Application Firewalls: Defend and Defer; October 2010
Application Scanning and Penetration Testing: Find and Fix (Later); September 2010
Securing Your Applications; interactive assessment tool (complimentary)
Securing Your Applications: Three Ways to Play; August 2010
HP Acquires Fortify Software, Strengthens Application Security Assurance; August 2010
Web Security in the Cloud; May 2010
IT Security: Balancing Enterprise Risk and Reward; January 2010
The 2009 PCI DSS and Protecting Cardholder Data Report; November 2009
Application Security; June 2008
Aberdeen Group / IT Security Channel; complimentary webcasts
Author: Derek E. Brink, Vice President and Research Fellow, IT Security
(Derek.Brink@aberdeen.com)
Since 1988, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having
benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide
organizations with the facts that matter — the facts that enable companies to get ahead and drive results. That's why
our research is relied on by more than 2.2 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of
the Technology 500.
As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted
marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of
Harte-Hanks (Information – Opportunity – Insight – Engagement – Interaction) extends the client value and accentuates the
strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen at http://www.aberdeen.com
or call (617) 723-7890; to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com
This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies
provide for objective fact-based research and represent the best analysis available at the time of publication. Unless
otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be
reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by
Aberdeen Group, Inc. (010110)
© 2010 Aberdeen Group. Telephone: 617 854 5200
www.aberdeen.com Fax: 617 723 7897