How to assess the ROI of your software security program
Software security ROI is difficult to calculate when the goal is to prevent a breach. Learn where to look for ROI in an AppSec program to maximize your investment.
A common statement at security conferences is that if organizations invest in software security, it will pay dividends.
Indeed, “investment” implies a dividend. You put money, time, and effort into something – the bank, a stock, an exercise program, an education – with the hope or expectation that you’ll get more out of it than you put in. It’s a common enough concept to have its own acronym: ROI — return on investment.
But it can be difficult in some cases to measure the return on investment because it’s not always clear exactly what would have happened if you hadn’t made the investment.
This is especially true of software security. There is little debate that organizations that “build security” into their software are much less likely to be hacked by hackers.
But how can you put a dollar amount on something that didn’t happen? Maybe you would have been raped 10 times. Maybe a thousand times. Maybe not at all. There’s no way to know for sure.
That’s why Meera Rao, Senior Director of Product Management at Synopsys Software Integrity Group and Head of Intelligent Orchestration Development at Synopsys, regularly hears something like this from customers: I’ve invested so much in automation, tools, processes and consulting. What did I get for all the time and money I spent?
Focus on the risks avoided
Perhaps the question would be better phrased as, “What did I avoid?” Because while the exact amount of return on investment may be impossible to calculate, the risks of not investing in software security are obvious. Daily headlines tell of the disasters (costly disasters) that hackers can wreak on individuals, organizations, utilities and governments by exploiting software vulnerabilities.
That’s why Rao urges them to focus on the fact that creating more secure software is no more an unwarranted cost center than the physical security of a building. If there are cheaper, faster and more efficient ways to do it, it gives a nice return on investment.
Four Areas to Assess in Software Security ROI
Software security ROI, according to Rao, comes from what she calls “four compartments” (strategy, people, process, and technology) that work together to help development teams build security into software without them. to slow down.
Rao points out that a significant return on investment comes from automated security testing such as static analysiswhich tests code early in the software development lifecycle (SDLC), before code execution and when defects are much easier and cheaper to fix.
“We would show [clients] that for years they found all these flaws at the end of the SDLC when someone did a penetration test or we came in to do a manual code review ourselves,” she said. “I was doing it 12 years ago and it would take four to six weeks.”
Now, testing is done much earlier, when the developer is writing or assembling code. “It reduces your remediation costs. It costs six to seven times more to fix things late than to fix them early,” she said.
Another strategic decision is to configure automated testing tools to only report defects that are critical or directly related to the application being built. “The tools find so many things,” she said. “But do you need to fix them all?” Of course not.”
“Once you automate these tools in your pipeline, you can prioritize all of your defects. You can balance the discovery of defects and, with it, the correction, which can save a lot. »
Another source of ROI in software security is more efficient functioning of development teams through the formation of one or two “security champions” within those teams. That means a full security team…software security group (SSG) – doesn’t need to be directly involved in the development team as much. And it reduces conflict.
“These champions help you reduce triage time,” Rao said. “If SSG is going to sort through all the results, we would have to go three or four times a year to a client, stay there for three or four weeks, sort through all the results and create a baseline. But if you have an embedded developer in each group who is a security champion, that person can do it.
Developers also trust members of their own team more than those of an outside team. “It reduces communication overhead, which brings a return on investment to an organization,” she said.
Implementing “policy as code” can automate rules, quality portals and other policies, and testing.
The first area to automate is security testing tools. “You know the technology, you know the language, you know the framework, so now you’re properly optimizing each pipeline for all of these tools,” Rao said.
Then there are the rules policies. “All the manual decisions we used to make, like you have 10 days to patch critical vulnerabilities or you have to do a penetration test every 90 days, it’s all now automated and built into your pipeline,” she said.
And finally the doors. “All the organizations we talk to have quality doors, and now they are introducing security doors into the pipeline as well. They comply with whatever the organization decides – maybe you don’t want to break the build, you just want to let someone know if a serious vulnerability is discovered.
As an example of using policy as code, Rao cites a financial customer who, when a competitor releases an update or new feature, rushes to produce the same feature so as not to lose customers.
“Whenever we found a critical vulnerability like XSS Where SQL injection into this project, they wanted us to inform them, but they still wanted to go into production. They said they would put additional controls in place, like updating firewall rules,” she said. “So with an automated policy in the pipeline, whenever there was a critical vulnerability, it would send an email notification to the firewall team.”
Rao notes that anyone who listens to his webinars will know that tracking all test results and policy implementation can help make everything more efficient. “Measurements are key,” she said.
“You need to be able to see the trends – are the developers fixing all the issues earlier so that we have fewer and fewer vulnerabilities, or not?” she says.
If the metrics show trend lines going in the wrong direction, “then you adjust. You fail quickly, you go back and tweak. Maybe you had too many rules in the static analysis,” he said. she declared.
It is important, however, to use metrics selectively. Too much to refine in too many directions, as well as too many test tool notifications, can overwhelm developers.
“We used to give developers a dump of all those metrics, but now, even though we still give them any issues we find, it’s not all at once,” she said. .
“If one metric is in a PDF, another in Jira, and a third in SonarQube, you need someone to come in every month to gather all the metrics to present to your C-level executives,” he said. she declared.
“At first it will take you some time to decide what your dashboard should look like, but then you can measure and refine. Maybe you find the same things you found in the beginning, which would mean you might need to do a lot of training.
Rao notes that although setting up this kind of metrics analysis can take a long time to start – up to 60 hours for a module – a maturity action plan (MAP) can reduce this drastically. “It can take two to three weeks to create a map and run a pilot,” she said.
“But once you complete that pilot and we know the languages, the tools, the technology, and everything else, the deployment only takes two to three hours per application. You see a 900% improvement in static analysis efficiency. You see a 400% efficiency improvement in dynamic analysis,” Rao said.
Get the most out of your software security investment
Overall, ROI comes from “faster feedback, making sure you’re able to measure, making sure they can remediate faster, and then bringing all those manual decisions, making making sure your process is well defined,” she said.
Of course, you’ll probably never know how much money and headaches you’ve saved by preventing cyberattacks.
But seriously, you don’t want to know.