Software Security Testing Markets



  1. A Datamonitor report

Software Security Testing Markets
Ensuring security by design

Published: Jul-05
Product Code: DMTC1091

Providing you with:
• Examination of the market for software security testing tools and services among ISVs and internal end-user IT departments
• Analysis of the key drivers and inhibitors for such solutions and the differences between the effectiveness of the two approaches
• Findings of a survey of ISVs that investigates their security testing programs, including who draws up policies and their propensity to outsource
• Identification of the key vendors and services providers in the software security testing marketplace and core areas of focus in the market

Use this report to...
• Gain realistic forecasts of the revenues services firms and tool vendors can expect to generate from the market over the next four years
  2. Software Security Testing Markets – Ensuring security by design (DMTC1091)

Introduction

Many IT security attacks such as viruses, worms and hacker attacks exploit vulnerabilities within commercially available software and operating systems. As a result, customers are increasingly putting pressure on ISVs and equipment manufacturers to reduce the number of vulnerabilities within their solutions before they are shipped and to introduce a greater degree of security functionality.

The strong understanding among end users of the need for greater overall IT security has benefited the security testing market two-fold. Firstly, it has prompted greater use of tools and services within organizations as they seek to improve the security of the applications that they build in-house to support their business processes. Secondly, it has led many to put even greater pressure on the ISV community to produce software products with fewer security flaws – with the threat of taking their business elsewhere ever-present.

Key findings and highlights
• At the moment, among ISVs particularly, security testing is most commonly part of the overall QA process because the two areas are mutually complementary. Indeed, some quality assurance tools are currently being used for security purposes – such as load balancing and strain-test tools being used to simulate denial of service conditions.
• As the number of vulnerabilities in a product will ultimately determine the perception of the quality of a solution, it is unsurprising that up to now most product testers have grouped the two areas together. A drawback to this approach is that, by not separating out the two areas, it is possible that not enough attention is given to security.
• Certainly security and functionality sometimes conflict, and it is important to balance both rather than have one rule out the other. The danger is that by not looking at them in separate lights, security gaps may be missed because the developer is not looking for problems with the right mind-set.

Reasons to buy
• Gain realistic forecasts of the revenues services firms and tool vendors can expect to generate from the market over the next four years
• Obtain an independent view of which vendors and services firms are most likely to meet customer expectations
• Know actionable recommendations as to the best approaches to take to increase market share

Contact us...
From Europe: tel: +44 20 7675 7258 fax: +44 20 7675 7016 email:
From Germany: tel: +49 69 9750 3119 fax: +49 69 9750 3320 email:
From the US: tel: +1 212 686 7400 fax: +1 212 686 2626 email:
From Asia Pacific: tel: +61 2 9006 1526 fax: +61 2 9006 1559 email:
  3. Sample pages from the report

Competitive dynamics

...this area include: Symantec (@Stake), AppLabs, Paladion Networks and Security Innovation.

Competitor profile: @Stake (Symantec)

When Symantec, best known for its anti-virus solutions, bought @Stake, one of the leading cerebral security consulting services firms, the analyst community held its breath to see whether some of its more hard-core elements such as its software security code review services would be reduced or discarded. Luckily for the wider community (and indeed for Symantec's development as a thought-leader in the enterprise security space) Symantec took the decision to continue this practice and, indeed, increasingly adopt such services internally to ensure that the products designed for security and enterprise systems were themselves not open to attack.

As a software security testing and penetration testing firm, @Stake feels that its key strength is that it looks at security from an application developer's point of view — something it feels is rare in the market. Essentially, because software is developed in a number of stages — the so-called 'waterfall model' — @Stake looks at each stage of this life-cycle model and has created a set of processes and actions for each stage. This model is clearly popular with both the ISV and end-user developer communities, with @Stake serving four out of the top ten ISVs and seven of the top ten financial services institutions. @Stake has also found that training is a popular option because many developers know that they do not fully understand where potential vulnerabilities can arise. Indeed, @Stake trained over 4,000 developers in 2004.

For @Stake, 2005 and 2006 will be big years for this sector, as the strong desire for security leads to action within end-users and ISVs alike. Currently, the focus is very much on the services side, because it feels that the tools market is underdeveloped. While tools are useful as a basis for a larger testing process, if they are applied specifically then that can become a hindrance, because of high false positive rates and even false negatives, whereby the solutions miss things altogether. The market for tools is, however, likely to mature over time, and as tools become more effective they will gradually become more popular – as they have within the wider quality assurance market. Because @Stake has internally developed a number of tools to help it carry out its service engagements, the opportunity exists for launching a commercial product range in the future, as customer needs and demand evolve.

Customer dynamics

...used internally developed processes to test their software for holes that could compromise the integrity of their software. With only six organizations stating that they used external processes, it would suggest that in-house testing procedures using internal tools and processes and external tools are more popular. The large number of people that refused to answer this question, however, means that such ISVs may in fact use third-party processes but do not want to reveal this for internal policy reasons.

Outsourcing part of the security testing process

Over time, many organizations get to the stage where they fundamentally understand that they have reached the limits of internal development and that they need external assistance. This may be because either cost pressures make it impossible to get the right staff or the sheer number of flaws discovered leads ISVs to the conclusion that they are just not getting it right internally. Datamonitor therefore sought to determine whether or not this practice was widespread within the ISV community. The results of this question reveal that, overall, outsourcing part of the security testing and quality assurance process is not currently commonplace, with only 18% of the...

Figure 15: Is any software security testing outsourced? (Yes: 18%; No: 82%. Source: Datamonitor)

Market context

...first for these tools to be effective. They also believe that 'naked eye' testing will always be a vital part of the code testing process. Having said that, one services provider, AppLabs, believes that tools are very important – with AppLabs 'productizing' a number of open source tools by building processes and a set of capable people around specific tools. As a result, AppLabs believes that it is not currently always possible to separate the services and tools market from a market sizing perspective.

Relying on tools alone can be dangerous, however. To use them effectively you need to have the knowledge in-house. The best methodology that experts recommend is to decide which vulnerabilities you are looking for and then use the right tools to determine them afterwards. AppLabs states that it has no good reason to use commercially available tools when open source tools are available.

In terms of tools, another professional services firm, the Symantec subsidiary @Stake, believes that, as many processes become repeatable, the use of tools will become more commonplace. Tools are useful for developing a set number of processes but it is dangerous to rely overly on them. Developers doing this can often incur a large number of false positives or may miss flaws completely. @Stake itself has internally developed a number of tools for its own processes and may productize...

Figure 3: The 'holy trinity' of software security testing (Source: Datamonitor)
• People: internal team / new hires; outsourced coders; third-party testing organizations
• Technologies: internally developed tools; open source tools; commercially developed tools
• Processes: internally developed processes; standards-based approach; third-party methodologies

Sample page footer: Improving software security, DMTC1091, © Datamonitor (Published June 2005), pages 26, 43 and 52. This report is a licensed product and is not to be photocopied.

Request more sample pages...for FREE! (contact details as above)
  4. Software Security Testing Markets – Ensuring security by design (DMTC1091)

Table of contents

INTRODUCTION

MARKET CONTEXT
• Introduction
• Key findings
• Key market drivers
• The causes of software security flaws
• The importance of standards
  - Common criteria
  - ITSEC
• Dealing with upgrades and new releases
• Evaluators
• Other standards
• Tools vs services
• ISVs and internal developers
  - Internal developers
• Market sizing
• The global market size by type of customer
• Global software security testing product revenues
• Software security testing services revenues
• Conclusions

CUSTOMER DYNAMICS
• Introduction
• Key findings
  - Formal software security testing programs
  - Software security testing policy decision-makers
  - Policy information sources
  - Key testing focus areas
  - Security testing as part of the quality assurance process
  - Security as a separate budgeted activity
  - Tools and processes used for software security testing
  - Outsourcing part of the security testing process
  - A shift towards outsourcing?
  - Software security testing partners
• Conclusions

COMPETITIVE DYNAMICS
• Traditional application quality testing software vendors
  - Competitor profile: Segue Software
• Dedicated security testing tool vendors
  - Competitor profile: Kavado
• Systems integrators and accreditation houses
  - Competitor profile: SIVenture
• Dedicated software security testing services firms
  - Competitor profile: @Stake (Symantec)
• Conclusions

ACTION POINTS
• Introduction
• Action points
• Action point one: push customers to treat security testing as a stand-alone activity in the quality assurance process
• Action point two: develop a wide, modular portfolio of different tools and services for each stage of the software development life-cycle
• Action point three: software security testing tool vendors should develop professional services capabilities and vice versa
• Action point four: for software security testing services firms, the potential kite-marking benefits of their solutions should be heavily promoted
• Action point five: software security testing firms should view ISVs as potential gateways to the wider end-user developer community

APPENDIX

TABLES
Table 1: Global software security testing products and services markets, 2004-2008 ($m)
Table 2: Global software security testing products and services markets by customer-type, 2004-2008 ($m)

"...As CIOs begin to understand the nature of the threats that they face, many are now pointing a finger of blame at the ISV community for leaving the holes that hackers and virus authors exploit in the first place..."

  5. Software Security Testing Markets (table of contents, continued)

Table 3: Global software security testing products markets by customer-type, 2004-2008 ($m)
Table 4: Global software security testing services markets by customer-type, 2004-2008 ($m)

FIGURES
Figure 1: Global software security testing products and services markets, 2004-2008 ($m)
Figure 2: Common Criteria assurance levels
Figure 3: The 'holy trinity' of software security testing
Figure 4: Global software security testing products and services markets, 2004-2008 ($m)
Figure 5: Global software security testing products and services markets by customer-type, 2004-2008 ($m)
Figure 6: Global software security testing products markets by customer-type, 2004-2008 ($m)
Figure 7: Global software security testing services markets by customer-type, 2004-2008 ($m)
Figure 8: Does your company have a formal software security testing program?
Figure 9: Who is responsible for creating the security software testing policy?
Figure 10: What information sources did you use to draw up your security testing policy?
Figure 11: What are the principal areas of focus for the security program?
Figure 12: Is software security testing a part of the standard quality assurance process?
Figure 13: Is security testing a separate, budgeted activity? If not, when is this planned?
Figure 14: What tools and processes are currently used to eliminate security holes?
Figure 15: Is any software security testing outsourced?
Figure 16: How will your use of third-party services for software security testing change?
Figure 17: Who are your specific software security testing partners?
Figure 18: Datamonitor's market expertise and research and analysis methodology

"...While anti-virus and firewall solutions can do much to protect organizations from IT security breaches, they can further improve resilience by selecting more stable and secure applications and operating systems to support their business processes..."
  6. Software Security Testing Markets – Ensuring security by design (DMTC1091)

Datamonitor: Your total information solution

Datamonitor is a premium business information company helping 5,000 of the world's leading companies across the Automotive, Consumer Markets, Energy, Financial Services, Healthcare and Technology sectors. Our products and services are specifically designed to support our clients' key business processes – from corporate strategy to competitive intelligence. We provide an independent and trustworthy source of data, analysis and forecasts to improve these processes and ultimately, to help grow your business.

Helping to grow your business (quality data, expert analysis, future forecasts):
• Corporate Strategy & Business Planning – make more effective strategic and business decisions
• Product Development & Commercialization – accelerate delivery of commercial success
• Targeting & Influencing the Market – assess and influence your commercial and market environment
• Market & Competitive Intelligence – maintain or obtain critical competitive advantage

No-one speaks louder than our clients: ACI, Atos Origin, Avaya Communications, Blue Pumpkin, BSKYB, BT, Bull, Chello, Cisco, CMG, Computer Associates, Convergys, CSC Financial Services, Deutsche Telekom, Diamond Cluster, EDS, Ericsson, Eyretel, France Telecom, Gemplus, Genesys, Hewlett Packard, IBM, Infogrames, Intel, Intervoice, KPN Mobile, Manugistics, Microsoft, Mitel Telecom, NCR, Nice Systems, Oberthur, Philips, S1 Corporation, Samsung, SAP, Sega, Setec, Siemens AG, Sonera, Sony, Staffware, Sun Microsystems, Sungard, Telefonica Moviles, Teleperformance, Thales, Thus, Unisys, Vivendi.

89% of our clients use Datamonitor research to develop competitive intelligence. (Source: Datamonitor Customer Research)
  7. Interested in this topic?

Datamonitor's Enterprise Security Strategic Planning Program (SPP) is a tailored, continuous advisory service combining a number of information sources. IT security is growing as a proportion of technology spending as organizations become more aware of the threats to their IT systems. This SPP covers all of the major security products including firewalls, intrusion detection systems, anti-virus tools and public key infrastructure solutions. The SPP also analyzes IT security professional services including consulting, integration, education, training and managed services.

Other reports available in this series
• Security Information Management: Is It Either Software or Managed Security Services? Security information management has become a hot topic over the past 18 months, with a number of software and services firms offering a number of different ways of centralizing security monitoring and making sense of the security information overkill. Published: Jan-05. Product code: DMTC1080
• Evolving Enterprise Security Spending Trends. Analyzes enterprise security spending trends. Published: Nov-04. Product code: DMTC1015
• Email Filtering Services. Gauges the rapidly expanding email services market, which has so far been dominated by a number of relatively small, specialist service providers, and the likely evolution of the market going forwards. Published: Jul-04. Product code: BFTC0962
• IT Security in US Higher Education. Looks at the main concerns of higher education institutions in the US and where they are spending their security budgets. Published: Jul-04. Product code: BFTC1008

For more information on reports and briefs go to:

Subscribe to Monitor: a monthly update of Datamonitor's new products, delivered to you by email. Email:
  8. Place your order now...

Fax back to +44 20 7675 7016 (from Europe) or 212 686 2626 (from the US)

I would like to order (product title, product code, price in £ / € / $ / ¥ *; eight order lines provided).
* Please refer to our website for up-to-date prices

Complete your details: Name; Job Title; Department; Company; Address; State/Province; Post Code/ZIP; Country; Email; Tel; Fax. EU companies (except UK) must supply: VAT / BTW / MOMS / MWST / IVA / FPA number.

Complete payment details:
Please indicate your preferred currency option: UK£ / Euro€ / US$ / Yen¥
• I enclose a check payable to Datamonitor plc for the amount (+ p+p $30 UK / $60 rest of world)
• Please invoice my company for the amount (+ p+p $30 UK / $60 rest of world)
• Please debit my credit/charge card (Amex / Visa / Diners / Mastercard): card no; expiry date; cardholder signature; cardholder address
Please supply purchase order number here if required by your accounts department.

Datamonitor products and services are supplied under Datamonitor's standard terms and conditions, copies of which are available on request. Payment must be received within 28 days of receipt of invoice.

Sign below to confirm your order.

Occasionally, our client list is made available to other companies for carefully selected mailings. Please check here if you do not wish to receive such mailings: I do not want to receive future mailings from Datamonitor and its related companies.

DMTC1091WEB

Contact us to find out more about our products and services (contact details as above).