Study puts a price on software code security assurance management

A recent study by Fortify Software Inc. and Mainstay Partners LLC reveals that having secure code is cheaper than having insecure code, and the numbers prove it.

LONDON -- Secure application software is by definition better than insecure applications, but is it possible to measure the real monetary value of application software code security?


A new study, presented at RSA Conference Europe this week, sets out to measure the real financial benefits of "good" applications -- those with code that is not susceptible to common vulnerabilities like buffer overflows, SQL injection or cross-site scripting.

Sponsored by Fortify Software Inc. and carried out by research company Mainstay Partners LLC, the study examined the experiences of 17 large corporations, all customers of Fortify, as they set about improving the way they managed their software development life cycles (SDLC).

While many of the benefits are obvious -- such as a lower likelihood of application breaches and information theft -- many of the companies were able to assign tangible financial benefits to having some form of software security assurance (SSA) in place.

These benefits are reported in a white paper entitled "Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions."

For many companies, a major advantage of software security assurance management is being able to reduce the amount of time spent doing penetration testing and auditing. The study found that the average company using SSA tools was able to reduce the cost of compliance auditing by 89%, because the tools identified and ranked vulnerabilities according to severity, as well as providing an audit trail that documented any remedial measures the software developers took.

One company, which is regularly involved in merger and acquisition activity, said in the survey that it used SSA tools to assess the quality of software of any company it intended to take over. If the software was poor, it could use that information to negotiate a price reduction.

Others found it a useful tool for driving up the quality of outsourced software development and ensuring they only paid for applications that met their standards.

Jacob West, director of security research for Fortify, said: "You wouldn't buy an expensive house without having a proper survey, so why would you pay for software without checking it?"

He said that many customers had experienced security problems with outsourced software, mainly because the software procurers tend to choose suppliers based on price. "It is a commoditised business and there is no incentive for the outsourcer to write secure code," West said. But once companies can check the quality of code as it is delivered, then vulnerabilities are more likely to be rectified before the company pays the supplier, he said.

However, Chris Eng, senior director of security research at Veracode Inc., which offers a cloud-based software testing service, cautioned that although automated tools can highlight some vulnerabilities in code and speed up the overall task of software testing, no single approach will be completely effective.

Speaking at the RSA Conference in London, Eng outlined how different testing approaches were more or less effective in uncovering some of the vulnerabilities listed in the SANS Top 25 Most Dangerous Software Errors.

Static analysis tools, he said, were good at analysing code, but poor at finding deployment problems. By contrast, dynamic analysis could mimic how a hacker might operate, but may miss certain parts of the code. A manual penetration test may also detect some problems that both static and dynamic tools miss, he said.

"You need to incorporate static, dynamic and manual testing," Eng said. "But remember that testing will always have false negatives. There will always be some stuff you miss."
