Mainstay, profile picture
Uploaded byMainstay
565 views

Fortify Continuous Delivery

This document discusses how continuous delivery of software is putting pressure on security teams to keep up with frequent releases. It describes how leading companies are using Fortify's application security solutions to scan more applications faster, better prioritize issues, and integrate security testing throughout development. By shifting security left to earlier phases, these companies find and fix vulnerabilities sooner, reducing remediation time and allowing for faster software delivery cycles to support business needs. The document surveys software security operations at several large financial, energy, and technology companies to evaluate how Fortify helps with scan setup, performance, triaging, remediation, and scalability.

Embed presentation

Download to read offline
Continuous Delivery of Business Value with Fortify Mainstay Customer Evidence Research WHITE PAPER
Continuous Delivery of Business Value with Fortify WHITE PAPER 22 MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity of software-driven “digital transformation” to stay relevant and competitive in their markets. Industrial icon GE, for instance, is developing software that harnesses data from sensors inside wind turbines to squeeze more electricity from existing wind farms.Automakers embed tens of millions of lines of code into their increasingly “smart” and “connected” vehicles.1 As software becomes core to every business — and as cloud-based software services surge in popularity — companies are developing and updating applications faster than ever before. Welcome to the new era of continuous software delivery. Continuous delivery means development teams are releasing software with new features and functionalities in increasingly shorter cycles, from every year or quarter to every month, week, or day. The approach is now woven into the DevOps environments of leading enterprises like Microsoft, Google and Facebook, which typically issue major software releases every week across their web sites, followed by daily bug fixes over the rest of the week. Forrester Research predicts that organizations will go from four application releases per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.2 SECURITY TEAMS UNDER PRESSURE With the market moving to an agile, continuous delivery model, development and security teams within organizations are scrambling to keep up with the sheer number of applications and releases, which is putting pressure on a key part of the development lifecycle: software security assurance (SSA). Simply put, organizations cannot afford for security testing and remediation to slow the pace of software delivery. This challenge is complicated by several trends: • The proliferation of SaaS and mobile devices, which requires even more testing of applications for security flaws. • Many enterprises maintain hybrid environments with a mix of legacy and COTS applica- tions and varying release cycles, thus increasing the complexity of security programs. • Developers increasingly utilize downloaded code from open-source software (OSS) repositories such as Maven and GitHub, many of which are known to contain vulnerabilities. Organizations generally have been slow to respond to the challenge, in part because most of them are still using outmoded security testing tools and practices. These tools lack automated features that could enable organizations to tackle greater volumes of code and scans in less time. Often these tools cover only part of the security-testing process, a handful of specific languages, or limited deployment options, forcing organizations to switch between multiple tools during the development cycle, hurting productivity.3 A NEW ERA IN SOFTWARE SECURITY Continuous delivery of applications has become the new normal for soft- ware development organizations across every industry. Software development teams are now expected to deliver new releases and updates at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we detail how development organizations at leading companies are using software security solutions from Fortify to scan more applications faster, focus and streamline reme- diation efforts with better triaging, and integrate security assurance methods throughout the software development environment. No longer a production bottleneck, security teams can now support increasingly ambitious release schedules, ensuring faster time to market and freeing developers to focus on creating better software.
Continuous Delivery of Business Value with Fortify WHITE PAPER 3 In fact, industry analysts estimate that even though 90% of companies are engaged in application development —  and 99% agree it’s an opportunity to increase enterprise security — only 20% are doing anything about it. Gartner estimates that fewer than 20% of enterprise security architects have systematically incorporated information security into their DevOps initiatives. Fewer still have achieved the singular degree of security automation required to qualify as Secure DevOps. SHIFTING TO THE ‘LEFT’ Until recently, organizations have focused security testing and remediation efforts primarily on the later phases of the software development lifecycle. However, this is precisely when the cost of remediation is most expensive and time consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability of current toolsets also dictate relatively fewer scans, cutting into productivity as the number of applications and releases continues to grow. All of this represents a reactive approach to security assurance that increases the risk of project delays, compro- mises application security, and ultimately prevents organizations from scaling to meet the demands of continuous delivery. By contrast, leading organizations we researched are taking a more agile and proactive approach — one that emphasizes earlier, more frequent testing with feedback loops designed to produce progressively cleaner code. In effect, these organizations are shifting security testing operations to the “left,” thus reducing the number of vulnerabilities introduced during the coding phase, as shown below. According to a recent study, organizations that make this move end up spending 55% less time remediating security issues.5 THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE Mainstay conducted initial research on the economic impact of Fortify’s appli- cation security solutions in 2010, a time when the biggest challenges facing IT and application security teams was simply finding software vulnerabilities, and finding them earlier enough to make remedi- ation easier.4 In 2013, Mainstay re-surveyed leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities as possible, and many were choosing cloud services to extend these capabilities to third-party developers. Our latest survey found an evolving market for soft- ware security solutions, with organizations demanding greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential vulnerability, organiza- tions now want better triaging to quickly focus on and remediate flaws that pose the most serious risk to the business. Laggards Test Later and Less Frequently Leaders Deploy Software Security Throughout the Software Development Cycle • Reactive • Likelihood of discovering more vulnerabilities than available capacity to triage or remediate • Difficulty in remediating • High risk of application delays • Incompatible with frequent development releases Requirements Design Code Reviews Security Testing Penetration Testing Vulnerability Scanning Coding Integration ProductionQA Code Reviews Scope of Software Security Scans Need to “Shift Left” • Proactive • Vulnerabilities are discovered early • Easier to remediate • The number of iterations that occur across the SDLC improves time to production • The time required to fix an issue is less as you shift left, driving shorter time to production Requirements Design Code Reviews Static Code Analysis Dynamic Code Analysis Real-time Security Testing Software Security Requirements Analysis Threat Modeling Security Architecture Design Reviews Security Testing Penetration Testing Vulnerability Scanning Coding Integration ProductionQA Scope of Software Security Scans with Fortify “Shift Left” Creates the Environment to Support Frequent Releases as Well as Faster Delivery
Continuous Delivery of Business Value with Fortify WHITE PAPER 4 SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIES To understand how leading enterprises are coping with the demands of continuous software delivery, market analyst Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even broader portrait of the challenges that software development and security departments face in today’s fast-paced environment. Among the companies participating in the software security survey were: • One of the world’s largest financial services holding companies. • Two of the world’s largest multinational oil and gas companies • Global peer-to-peer lending and online trading platform company • A provider of online investing services for institutions • One of the world’s largest banks with operations in over 50 countries The survey looked at five critical aspects in the software security assurance process and evaluated how the adoption of Fortify impacted each one: • Scan Setup. Ease and speed in setting up scans; how well security tools and processes are integrated with development environment • Scan Performance. Speed of scans and the number of vulnerabilities found • Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified; ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT) • Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed; reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR) • Scalability. Our study also looked at how organizations are deploying Fortify to flexibly scale their security processes to scan and remediate significantly more applications in less time. Metrics include the quantity of apps scanned, scan cycles performed, and developer issues avoided at the source during coding. The following sections discuss the results of the survey. • Ease • Speed • Readiness/integration with development environments • Speed • Number of vulnerabilities identified • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding • Speed • Number of false positives identified • Prioritizing by criticality Setting Up Scans Performing Scans Triaging Remediating Process Scalability /integration opment nts • Speed • Number of vulnerabilities identified • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding • Speed • Number of false positives identified • Prioritizing by criticality p Scans Performing Scans Triaging Remediating Process Scalability of lities • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding • Speed • Number of false positives identified • Prioritizing by criticality ng Scans Triaging Remediating Process Scalability • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding of false s identified ng by y ing Remediating Process Scalability of lities to fix fixing by critical lities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding ating Process Scalability WHY FORTIFY Of the companies surveyed, 54% said that Fortify was their first choice for application security software before later deciding to implement Fortify. Their top three reasons for choosing Fortify were: • Solution flexibility • Greater coverage of different programming languages and third-party code • Better ability to find and fix vulnerabilities
Continuous Delivery of Business Value with Fortify WHITE PAPER 5 KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE Faster Scan Setups In a continuous delivery environment, development teams must move quickly to plan and execute security scans. However, given the wide variety of programming languages and code components commonly found in a modern development environment, it can be a slow process to assemble the right security tools — and the right people and expertise — for the job. Before moving to Fortify, fewer than half of the organizations in our survey could accommodate the requirements of fast-release cycles (weekly). The Fortify platform provided coverage and integration across a broad range of development environments and languages, eliminating the need for multiple point tools and the experts necessary to operate them. On average, companies replaced about 10 tools with a single Fortify solution. This allowed organizations to streamline their software security environment, reduce complexity and improve operational efficiencies. Customers believed this offers the potential to lower the overall cost involved in software security licenses and maintenance. LESS TIME SCANNING, MORE TIME ENHANCING APPS Scanning within an integrated development environment (IDE) can take several hours and add 25% or more to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged down by administrative and security tasks and now have more time to focus on improving the software. The customer considers this to be a huge competitive advantage in an increasingly software- driven world. Fewer Security Tools Needed Before Fortify After Fortify $17.5K $5K $10K $15K $20K $2K 89% reduction FeeSavings 10Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts. 1 Number of Software Security Tools Faster Setups Allows More Frequent Releases Before Fortify After FortifySurvey Finding: Organizations were able to increase their ability to do weekly, monthly or quarterly releases with the same amount of resources. Percentage of companies that could support monthly or weekly release cadences 35% 100% Increasing adoption of agile environments is driving the demand for tighter process integration across the develop- ment lifecycle. Organizations that moved to the Fortify environment — which provides tools and plugins to simplify integration with existing development environments —  could create fast, automated processes for uploading code, running scans, and incorporating security checks into each phase of the development cycle. In fact, the survey found that the percentage of customers who could improve their release frequencies — from annual or quarterly to monthly, weekly, or even daily releases — increased significantly. Whereas only 35% of the respondents could do monthly or weekly releases before adopting Fortify, nearly all respondents said they could handle accelerate release schedules after adopting Fortify’s speed-enhancing rules engines, templates, and triaging technologies.
Continuous Delivery of Business Value with Fortify WHITE PAPER 6 More Efficient Scanning Most companies focus on combatting the top 10 common critical vulnerabilities that impact their organization (or application security landscape). For the companies surveyed in 2017, these included cross-site scripting (XSS), SQL injection, broken authentication, cross-site request forgery, and security misconfigurations. More than half of survey respondents reported that Fortify was particularly effective in finding these high-risk vulnerabilities early in the development lifecycle, when they can be remediated more easily and cheaply.6 Tools such as Fortify Security Assistant, for example, enabled developers to identify vulnerabilities in real time while they are writing code. Overall, companies using Fortify Static Code Analyzer found they could uncover tens of thousands of previously unidentified vulnerabilities. In addition, respondents said they could run the scans in a significantly shorter amount of time — from several days to just a few hours or even minutes — freeing developers to focus more time on what they do best: writing high-quality code and not waiting for scans. 6 Twice as Many True Vulnerabilities Found… Before Fortify After Fortify $17.5K 0 $5K $10K $15K $20K $2K 89% reduction SSA FeeSavings Customers reported that the number of legitimate vulnera- bilities found with Fortify was double that of other software vendors. Number of True Vulnerabilities Found 2X …With Significantly Faster Scans Before Fortify After Fortify $17.5K 0 $5K $10K $15K $20K $2K 89% reduction SSA FeeSavings Customers reported that scanning with Fortify was 10–15 times faster than with other software vendors. Speed of Scans 10–15X WHAT TYPES OF VULNERABILITIES MATTER? In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting and SQL injections, but were also worried about data breaches and the consequences that ensued, which most rated as one of their top security concerns.
Continuous Delivery of Business Value with Fortify WHITE PAPER 7 Better Triaging, Fewer False Positives Survey participants were attracted to Fortify’s unique ability to dig through large sets of vulnerabilities, identify those vulnerabilities that are meaningful to the organization, and quickly separate false positives and low-risk issues from serious flaws, significantly reducing mean time to triage (MTT). Many of the companies augmented their triaging routines by factoring in the latest industry intelligence and trends, and by connecting static and dynamic analyses. Several companies regularly tapped experts from Fortify to design and execute these time-saving triaging protocols. One leading data-analytics company, for example, routinely uploads code to Fortify on Demand to scan, then conducts a joint review and triaging session with the technical account manager before starting remediation. Before Fortify After Fortify $17.5K 0 $5K $10K $15K $20K $2K 89% reduction SSA FeeSavings Customers reported that the number of false positives were reduced by up to 95% with Fortify on Demand managed services offering. Reduction in False Positives 95% Fewer False Positives Improved Remediation Efforts Survey respondents repeatedly stressed the importance of finding vulnerabilities early in the development lifecycle, noting that it took nearly 100-times more effort to remediate security flaws if they’re found after software has gone into production versus during the coding process.Vulnerabilities found during quality assurance testing is less expensive to remediate but still takes about 10-times more effort and time to fix compared to the coding phase. On average organizations reported they could complete triaging and remediation tasks about 10-times faster with Fortify — from 20 days per application to just one to two days.Again, the time saved could be redirected to enhancing the software in ways that made it more appealing to end users. Before Fortify After Fortify Customers reported that, with Fortify, they are able to speed up the triaging and remediation process. 20 days per app to triage and remediate 1–2 days per app to triage and remediate 10x Faster Triaging and Remediation Faster Remediation FALSE POSITIVES CAN SLOW YOU DOWN A leading financial institution reported that scans for a large application could uncover as many as 50,000 vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using Fortify’s software and managed services, the institution avoided false positives and leveraged insights that improved triaging and remediation, reducing workloads significantly. Noted one IT executive: “The only way to scale is by eliminating false positives.”
Continuous Delivery of Business Value with Fortify WHITE PAPER 8 KEY FINDING: FORTIFY’S SCALABILITY DRIVES CONTINUOUS DELIVERY As the number of applications continues to grow, organizations need to scale their software security programs to avoid delays in delivering releases and updates. Companies in the survey consistently identified a set of obstacles to achieving process scalability. These included: • Disparate point solutions • Manual processes/lack of automation • Poor identification of vulnerabilities • Large amount of false positives • Lack of access to security expertise When organizations combined Fortify solutions with its managed services offering, they could transform software security assurance into a fully scalable and repeatable process capable of managing the increasing operational demands of enterprise-level development organizations.8 What does true scalability look like? Before adopting Fortify, one customer in the survey could complete about 30–50 scans per quarter, covering about 25 applications. Since implementing Fortify, it can complete 300 scans covering 75 applications — a 30X increase in speed and capacity. Before Fortify After Fortify Customers reported that the number of false positives were reduced by up to 95% with Fortify and managed services support. 30–50 scans covering 25 apps 300 scans covering 75 apps 30X More Scanning, More Apps Before Fortify After Fortify Customers reported seeing a 40% reduction in repeat vulnerabilities, thus creating high-quality and secured applications. 40% Reduction in Vulnerabilities Fewer Repeat Vulnerabilities Before Fortify After Fortify Survey Finding: Fortify customers expect to double the number of applications scanned in the future. 2X X Scaling Up for the Future
Continuous Delivery of Business Value with Fortify WHITE PAPER 9 KEY FINDING: FORTIFY ENABLES FASTER TIME TO MARKET When organizations used Fortify to accelerate and improve the quality of their software security testing and remediation, they significantly reduced the length of their software development lifecycles, helping teams throughout the organization meet rapid-release deadlines. As illustrated below, before adopting Fortify, organizations faced longer testing timelines — the result of less- frequent and later-cycle scanning and remediation efforts. Respondents reported that late-cycle security “surprises” could easily threaten market launches. With Fortify, organizations can scan code, find and fix vulnerabilities in frequent iterations starting early in the lifecycle, and leverage advanced triaging techniques to shrink cycles even further.The result: A greater number of relevant vulnerabilities are uncovered and remediated earlier, and tail-end surprises are minimized. Furthermore, repeat vulnerabilities are progressively reduced because developers learn to code more securely, resulting in cleaner and more secure code in each future cycle. NumberofVulnerabilitiesFound Time Time Scalability and Time to Market Acceleration 30X More 2X More Vulnerabilities Found More Vulnerabilities Remediated 10X Faster 10–15X Faster Scans 95% Fewer False Positives Effort Peaks High Risk Rare Release Events “Waterfall Methodology” Smoother Effort Less Risk Frequent Release Events “Agile Methodology” Without Fortify With Fortify Faster Time to Market with Fortify KEY FINDING: FORTIFY IMPROVES MANAGEMENT OF EXTENDED DEVELOPMENT ECOSYSTEMS Managing Third-Party Developers Many organizations today supplement their in-house developers with third-party coding contractors. Operationalizing the software security process to include these external teams, however, can be a complex challenge for development organizations. Several of the companies we studied are using Fortify on Demand to extend security testing and quality control to third party developers. Some have created innovative “pay for performance” programs that enabled companies to adjust fees paid to outsourcing partners based on the “cleanliness” of the code delivered. The result: improved product quality and better value for the money spent on outside vendors.
Continuous Delivery of Business Value with Fortify WHITE PAPER 10 Simplify and reduce SSA set-up time Scan faster Find more vulnerabilities Triage and audit faster Reduce number of false positives Reduce remediation effort Avoid repeat vulnerabilties 10 point tools 1 to 3 weeks per app Thousands per app 1 to 2 weeks per app 1,000 to 50,000 per app 3 to 4 weeks Repeat vulnerabilities common Single end-to-end tool A few hours to 1 day At least 2X more true vulnerabilities found 1 to 2 days 10s to 100s, 95% reduction 1 to 2 weeks Repeat vulnerabilities reduced by 40% Before FortifyBenefits After Fortify Scalability 30 to 50 scans covering 25 apps per quarter 300 scans covering 75 apps per quarter Summary of Operational Improvements from Fortify EMPOWERING CONTINUOUS DELIVERY Mainstay’s previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities, and doing so earlier in the software development lifecycle. The current survey clearly confirmed this earlier conclusion — with customers reporting they found twice as many relevant vulnerabilities with Fortify compared to competing solutions. However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success. These included Fortify’s ability to produce fewer false positives, and its ability to provide rich insights and correlations to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the means to support their expanding development environments and significantly faster release cadences. BENEFIT SUMMARY The figure below summarizes the range of benefits that organizations can achieve by adopting Fortify. In addition to the operational improvements, many of the organizations found that Fortify enabled them to: • Accelerate application time to market • Reduce disaster recovery and data breach costs • Get better value for services from third-party development vendors TEAMING WITH FORTIFY FOR GREATER ASSURANCE To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with managed services and resources from Fortify’s professional services team. These include best practices, metrics, and templates designed to ensure a predictable and measurable software security process.
Continuous Delivery of Business Value with Fortify WHITE PAPER 11 THE WAY FORWARD For companies that leverage software to compete, the ability to rapidly develop and update applications has become a strategic necessity. Application development teams are addressing this demand for continuous software delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases. For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing volumes of applications, security teams will need to introduce more automation and achieve even greater levels of operational efficiency. In this survey of leading companies, we found that Fortify is changing the game for development and security teams. Using Fortify’s end-to-end application security solutions, organizations can test application code and remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost is a new generation of triaging tools and technologies that virtually eliminate false-positives and isolate valid vulnerabilities for swift remediation. Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that can scale exponentially and ensure continuous delivery as the business’s reliance on software grows. In this new era, Fortify will continue to innovate and help organizations keep pace with high-performance application security solutions and services. For more information about Fortify, visit fortify.com. ENDNOTES 1 When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered. 2 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013. 3 The average development organization uses as many as 10 security testing and remediation tools. 4 This current survey builds on earlier studies of the business impact of Fortify solutions. See:“Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions,” Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf 5 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013. 6 A leading bank reported that a scan for a large application could throw up as much as 50,000 vulnerabilities. 7 Fortify’s more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said. 8 A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%). 9 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
Sponsored by: Research and analysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp. This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained from sources considered reliable, but is not warranted by Mainstay. Copyright © 2017 Mainstay. Mainstay www.mainstaycompany.com 2929 Campus Drive, Suite 150 San Mateo, CA, 94405 p. 650.638.0575 f. 650.638.0578

More Related Content

PPTX
Accelerating Innovation with Software Supply Chain Management
bySonatype
 
PDF
Hewlett-Packard Enterprise- State of Security Operations 2015
byKim Jensen
 
PDF
The State of Open Source Vulnerabilities Management
byWhiteSource
 
PDF
Website Security Statistics Report 2013
byBee_Ware
 
PDF
ultimate-guide-to-getting-started-with-appsec-veracode
bySean Varga
 
PDF
Ultimate_Guide_to_getting_started_with_AppSec
byJessica Lavery Pozerski
 
PPTX
Intelligence on the Intractable Problem of Software Security
byTyler Shields
 
PDF
Secunia Vulnerability Review 2014
byKim Jensen
 
Accelerating Innovation with Software Supply Chain Management
bySonatype
 
Hewlett-Packard Enterprise- State of Security Operations 2015
byKim Jensen
 
The State of Open Source Vulnerabilities Management
byWhiteSource
 
Website Security Statistics Report 2013
byBee_Ware
 
ultimate-guide-to-getting-started-with-appsec-veracode
bySean Varga
 
Ultimate_Guide_to_getting_started_with_AppSec
byJessica Lavery Pozerski
 
Intelligence on the Intractable Problem of Software Security
byTyler Shields
 
Secunia Vulnerability Review 2014
byKim Jensen
 

What's hot

PDF
The Forrester Wave™: Enterprise Mobile Management Q3 2014
bySymantec
 
PDF
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
PDF
Revolution in Mobility
byMichael Clifford, CPP
 
PPTX
Open Source Insight: OWASP Top 10, Red Hat OpenShift News, & Gmail Phishing Scam
byBlack Duck by Synopsys
 
PDF
5 things about os sharon webinar final
byDevOps.com
 
PDF
10 Steps To Secure Agile Development
byCheckmarx
 
PDF
DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments
byCognizant
 
PDF
WhiteHat’s 12th Website Security Statistics [Full Report]
byJeremiah Grossman
 
PDF
Safe code CSA cloud final1213
byGiuliano Tavaroli
 
PPTX
Mojave Networks Webinar: A Three-Pronged Approach to Mobile Security
byMojave Networks
 
PDF
Taking Open Source Security to the Next Level
bySBWebinars
 
PDF
PCI and Vulnerability Assessments - What’s Missing?
byBlack Duck by Synopsys
 
PDF
Webinar: Systems Failures Fuel Security-Focused Design Practices
bySynopsys Software Integrity Group
 
PDF
2013 Incident Response Survey
byFireEye, Inc.
 
PDF
Thinking of choosing Trend Micro?
bySymantec
 
PDF
Open Source Outlook: Expected Developments for 2016
byBlack Duck by Synopsys
 
PPTX
Supply Chain Solutions for Modern Software Development
bySonatype
 
PPTX
Open Source 360 Survey Results
byTim Mackey
 
PDF
20140121 cisec-safety criticalsoftwaredevelopment
byCISEC
 
PPTX
A "Firewall" for Bad Binaries
bySonatype
 
The Forrester Wave™: Enterprise Mobile Management Q3 2014
bySymantec
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
Revolution in Mobility
byMichael Clifford, CPP
 
Open Source Insight: OWASP Top 10, Red Hat OpenShift News, & Gmail Phishing Scam
byBlack Duck by Synopsys
 
5 things about os sharon webinar final
byDevOps.com
 
10 Steps To Secure Agile Development
byCheckmarx
 
DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments
byCognizant
 
WhiteHat’s 12th Website Security Statistics [Full Report]
byJeremiah Grossman
 
Safe code CSA cloud final1213
byGiuliano Tavaroli
 
Mojave Networks Webinar: A Three-Pronged Approach to Mobile Security
byMojave Networks
 
Taking Open Source Security to the Next Level
bySBWebinars
 
PCI and Vulnerability Assessments - What’s Missing?
byBlack Duck by Synopsys
 
Webinar: Systems Failures Fuel Security-Focused Design Practices
bySynopsys Software Integrity Group
 
2013 Incident Response Survey
byFireEye, Inc.
 
Thinking of choosing Trend Micro?
bySymantec
 
Open Source Outlook: Expected Developments for 2016
byBlack Duck by Synopsys
 
Supply Chain Solutions for Modern Software Development
bySonatype
 
Open Source 360 Survey Results
byTim Mackey
 
20140121 cisec-safety criticalsoftwaredevelopment
byCISEC
 
A "Firewall" for Bad Binaries
bySonatype
 

Similar to Fortify Continuous Delivery

PPTX
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
PDF
The complete guide to developer first application security By Github.Com
bydarelinornes
 
PDF
PDF The complete guide to developer first application security By Github.Co...
byeivimayuyu
 
PDF
The complete guide to developer first application security By Github.Com
bynootjeiviwe
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
PDF
The Evolution of Cybersecurity in Software Development for 2025
byScalaCode
 
PPTX
Fortify technology
byImad Nom de famille
 
PDF
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
bySynopsys Software Integrity Group
 
PDF
SAP Fortify by Micro Focus.
byMicro Focus
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PDF
Does Application Security Pay? Measuring the Business Impact of Software Secu...
byMainstay
 
PDF
Why Data Security Should Be a Priority in Your Software Development Strategy?
byMars Devs
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
PDF
Protect Your Customers Data from Cyberattacks
bySAP Customer Experience
 
PPTX
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
byPerforce
 
PPTX
Turning security into code by Jeff Williams
byDevSecCon
 
PDF
Dependency Health: Removing the Barriers to Keeping Projects in Shape
byDevOps.com
 
PDF
Dependency Health: Removing the Barriers to Keeping Projects in Shape
byDevOps.com
 
Fortify-Application_Security_Foundation_Training.pptx
byYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
byVictoriaChavesta
 
The complete guide to developer first application security By Github.Com
bydarelinornes
 
PDF The complete guide to developer first application security By Github.Co...
byeivimayuyu
 
The complete guide to developer first application security By Github.Com
bynootjeiviwe
 
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
The Evolution of Cybersecurity in Software Development for 2025
byScalaCode
 
Fortify technology
byImad Nom de famille
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
bySynopsys Software Integrity Group
 
SAP Fortify by Micro Focus.
byMicro Focus
 
The Future of Software Security Assurance
byRafal Los
 
Does Application Security Pay? Measuring the Business Impact of Software Secu...
byMainstay
 
Why Data Security Should Be a Priority in Your Software Development Strategy?
byMars Devs
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
Protect Your Customers Data from Cyberattacks
bySAP Customer Experience
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
byPerforce
 
Turning security into code by Jeff Williams
byDevSecCon
 
Dependency Health: Removing the Barriers to Keeping Projects in Shape
byDevOps.com
 
Dependency Health: Removing the Barriers to Keeping Projects in Shape
byDevOps.com
 

More from Mainstay

PDF
Ericsson hds 8000 wp 16
byMainstay
 
PDF
Kofax Insurance
byMainstay
 
PPTX
RFP Appendix example
byMainstay
 
PDF
Kofax medical claims_infographic
byMainstay
 
PDF
Oracle c2c IBM EPM
byMainstay
 
PDF
Oracle cdw loan servicer case study-final_for web
byMainstay
 
PDF
Oracle Exadata and Allegro cs f
byMainstay
 
PDF
Mainstay Advisor
byMainstay
 
PPTX
Discrete MFG IoT Factory of the Future
byMainstay
 
PPTX
Mainstay event conference services
byMainstay
 
PPTX
Customer BBA Process
byMainstay
 
PDF
DCI and NetApp
byMainstay
 
DOCX
Social media program
byMainstay
 
PDF
Un
byMainstay
 
PDF
Xerox Cal State Fullerton Case Study
byMainstay
 
PDF
Perona workshop process
byMainstay
 
PDF
Case study kele_bluewolf
byMainstay
 
PDF
SJSU Pioneers New Educational Methods
byMainstay
 
PDF
Cisco and SJSU
byMainstay
 
PDF
21st Century Unbounded University
byMainstay
 
Ericsson hds 8000 wp 16
byMainstay
 
Kofax Insurance
byMainstay
 
RFP Appendix example
byMainstay
 
Kofax medical claims_infographic
byMainstay
 
Oracle c2c IBM EPM
byMainstay
 
Oracle cdw loan servicer case study-final_for web
byMainstay
 
Oracle Exadata and Allegro cs f
byMainstay
 
Mainstay Advisor
byMainstay
 
Discrete MFG IoT Factory of the Future
byMainstay
 
Mainstay event conference services
byMainstay
 
Customer BBA Process
byMainstay
 
DCI and NetApp
byMainstay
 
Social media program
byMainstay
 
Un
byMainstay
 
Xerox Cal State Fullerton Case Study
byMainstay
 
Perona workshop process
byMainstay
 
Case study kele_bluewolf
byMainstay
 
SJSU Pioneers New Educational Methods
byMainstay
 
Cisco and SJSU
byMainstay
 
21st Century Unbounded University
byMainstay
 

Recently uploaded

PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 

Fortify Continuous Delivery

  • 1.
    Continuous Delivery ofBusiness Value with Fortify Mainstay Customer Evidence Research WHITE PAPER
  • 2.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 22 MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity of software-driven “digital transformation” to stay relevant and competitive in their markets. Industrial icon GE, for instance, is developing software that harnesses data from sensors inside wind turbines to squeeze more electricity from existing wind farms.Automakers embed tens of millions of lines of code into their increasingly “smart” and “connected” vehicles.1 As software becomes core to every business — and as cloud-based software services surge in popularity — companies are developing and updating applications faster than ever before. Welcome to the new era of continuous software delivery. Continuous delivery means development teams are releasing software with new features and functionalities in increasingly shorter cycles, from every year or quarter to every month, week, or day. The approach is now woven into the DevOps environments of leading enterprises like Microsoft, Google and Facebook, which typically issue major software releases every week across their web sites, followed by daily bug fixes over the rest of the week. Forrester Research predicts that organizations will go from four application releases per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.2 SECURITY TEAMS UNDER PRESSURE With the market moving to an agile, continuous delivery model, development and security teams within organizations are scrambling to keep up with the sheer number of applications and releases, which is putting pressure on a key part of the development lifecycle: software security assurance (SSA). Simply put, organizations cannot afford for security testing and remediation to slow the pace of software delivery. This challenge is complicated by several trends: • The proliferation of SaaS and mobile devices, which requires even more testing of applications for security flaws. • Many enterprises maintain hybrid environments with a mix of legacy and COTS applica- tions and varying release cycles, thus increasing the complexity of security programs. • Developers increasingly utilize downloaded code from open-source software (OSS) repositories such as Maven and GitHub, many of which are known to contain vulnerabilities. Organizations generally have been slow to respond to the challenge, in part because most of them are still using outmoded security testing tools and practices. These tools lack automated features that could enable organizations to tackle greater volumes of code and scans in less time. Often these tools cover only part of the security-testing process, a handful of specific languages, or limited deployment options, forcing organizations to switch between multiple tools during the development cycle, hurting productivity.3 A NEW ERA IN SOFTWARE SECURITY Continuous delivery of applications has become the new normal for soft- ware development organizations across every industry. Software development teams are now expected to deliver new releases and updates at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we detail how development organizations at leading companies are using software security solutions from Fortify to scan more applications faster, focus and streamline reme- diation efforts with better triaging, and integrate security assurance methods throughout the software development environment. No longer a production bottleneck, security teams can now support increasingly ambitious release schedules, ensuring faster time to market and freeing developers to focus on creating better software.
  • 3.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 3 In fact, industry analysts estimate that even though 90% of companies are engaged in application development —  and 99% agree it’s an opportunity to increase enterprise security — only 20% are doing anything about it. Gartner estimates that fewer than 20% of enterprise security architects have systematically incorporated information security into their DevOps initiatives. Fewer still have achieved the singular degree of security automation required to qualify as Secure DevOps. SHIFTING TO THE ‘LEFT’ Until recently, organizations have focused security testing and remediation efforts primarily on the later phases of the software development lifecycle. However, this is precisely when the cost of remediation is most expensive and time consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability of current toolsets also dictate relatively fewer scans, cutting into productivity as the number of applications and releases continues to grow. All of this represents a reactive approach to security assurance that increases the risk of project delays, compro- mises application security, and ultimately prevents organizations from scaling to meet the demands of continuous delivery. By contrast, leading organizations we researched are taking a more agile and proactive approach — one that emphasizes earlier, more frequent testing with feedback loops designed to produce progressively cleaner code. In effect, these organizations are shifting security testing operations to the “left,” thus reducing the number of vulnerabilities introduced during the coding phase, as shown below. According to a recent study, organizations that make this move end up spending 55% less time remediating security issues.5 THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE Mainstay conducted initial research on the economic impact of Fortify’s appli- cation security solutions in 2010, a time when the biggest challenges facing IT and application security teams was simply finding software vulnerabilities, and finding them earlier enough to make remedi- ation easier.4 In 2013, Mainstay re-surveyed leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities as possible, and many were choosing cloud services to extend these capabilities to third-party developers. Our latest survey found an evolving market for soft- ware security solutions, with organizations demanding greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential vulnerability, organiza- tions now want better triaging to quickly focus on and remediate flaws that pose the most serious risk to the business. Laggards Test Later and Less Frequently Leaders Deploy Software Security Throughout the Software Development Cycle • Reactive • Likelihood of discovering more vulnerabilities than available capacity to triage or remediate • Difficulty in remediating • High risk of application delays • Incompatible with frequent development releases Requirements Design Code Reviews Security Testing Penetration Testing Vulnerability Scanning Coding Integration ProductionQA Code Reviews Scope of Software Security Scans Need to “Shift Left” • Proactive • Vulnerabilities are discovered early • Easier to remediate • The number of iterations that occur across the SDLC improves time to production • The time required to fix an issue is less as you shift left, driving shorter time to production Requirements Design Code Reviews Static Code Analysis Dynamic Code Analysis Real-time Security Testing Software Security Requirements Analysis Threat Modeling Security Architecture Design Reviews Security Testing Penetration Testing Vulnerability Scanning Coding Integration ProductionQA Scope of Software Security Scans with Fortify “Shift Left” Creates the Environment to Support Frequent Releases as Well as Faster Delivery
  • 4.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 4 SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIES To understand how leading enterprises are coping with the demands of continuous software delivery, market analyst Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even broader portrait of the challenges that software development and security departments face in today’s fast-paced environment. Among the companies participating in the software security survey were: • One of the world’s largest financial services holding companies. • Two of the world’s largest multinational oil and gas companies • Global peer-to-peer lending and online trading platform company • A provider of online investing services for institutions • One of the world’s largest banks with operations in over 50 countries The survey looked at five critical aspects in the software security assurance process and evaluated how the adoption of Fortify impacted each one: • Scan Setup. Ease and speed in setting up scans; how well security tools and processes are integrated with development environment • Scan Performance. Speed of scans and the number of vulnerabilities found • Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified; ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT) • Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed; reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR) • Scalability. Our study also looked at how organizations are deploying Fortify to flexibly scale their security processes to scan and remediate significantly more applications in less time. Metrics include the quantity of apps scanned, scan cycles performed, and developer issues avoided at the source during coding. The following sections discuss the results of the survey. • Ease • Speed • Readiness/integration with development environments • Speed • Number of vulnerabilities identified • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding • Speed • Number of false positives identified • Prioritizing by criticality Setting Up Scans Performing Scans Triaging Remediating Process Scalability /integration opment nts • Speed • Number of vulnerabilities identified • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding • Speed • Number of false positives identified • Prioritizing by criticality p Scans Performing Scans Triaging Remediating Process Scalability of lities • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding • Speed • Number of false positives identified • Prioritizing by criticality ng Scans Triaging Remediating Process Scalability • Number of vulnerabilities to fix • Speed of fixing • Prioritize by address critical vulnerabilities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding of false s identified ng by y ing Remediating Process Scalability of lities to fix fixing by critical lities first • Number of apps • Number of scan cycles • Developer issues avoided at source during coding ating Process Scalability WHY FORTIFY Of the companies surveyed, 54% said that Fortify was their first choice for application security software before later deciding to implement Fortify. Their top three reasons for choosing Fortify were: • Solution flexibility • Greater coverage of different programming languages and third-party code • Better ability to find and fix vulnerabilities
  • 5.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 5 KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE Faster Scan Setups In a continuous delivery environment, development teams must move quickly to plan and execute security scans. However, given the wide variety of programming languages and code components commonly found in a modern development environment, it can be a slow process to assemble the right security tools — and the right people and expertise — for the job. Before moving to Fortify, fewer than half of the organizations in our survey could accommodate the requirements of fast-release cycles (weekly). The Fortify platform provided coverage and integration across a broad range of development environments and languages, eliminating the need for multiple point tools and the experts necessary to operate them. On average, companies replaced about 10 tools with a single Fortify solution. This allowed organizations to streamline their software security environment, reduce complexity and improve operational efficiencies. Customers believed this offers the potential to lower the overall cost involved in software security licenses and maintenance. LESS TIME SCANNING, MORE TIME ENHANCING APPS Scanning within an integrated development environment (IDE) can take several hours and add 25% or more to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged down by administrative and security tasks and now have more time to focus on improving the software. The customer considers this to be a huge competitive advantage in an increasingly software- driven world. Fewer Security Tools Needed Before Fortify After Fortify $17.5K $5K $10K $15K $20K $2K 89% reduction FeeSavings 10Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts. 1 Number of Software Security Tools Faster Setups Allows More Frequent Releases Before Fortify After FortifySurvey Finding: Organizations were able to increase their ability to do weekly, monthly or quarterly releases with the same amount of resources. Percentage of companies that could support monthly or weekly release cadences 35% 100% Increasing adoption of agile environments is driving the demand for tighter process integration across the develop- ment lifecycle. Organizations that moved to the Fortify environment — which provides tools and plugins to simplify integration with existing development environments —  could create fast, automated processes for uploading code, running scans, and incorporating security checks into each phase of the development cycle. In fact, the survey found that the percentage of customers who could improve their release frequencies — from annual or quarterly to monthly, weekly, or even daily releases — increased significantly. Whereas only 35% of the respondents could do monthly or weekly releases before adopting Fortify, nearly all respondents said they could handle accelerate release schedules after adopting Fortify’s speed-enhancing rules engines, templates, and triaging technologies.
  • 6.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 6 More Efficient Scanning Most companies focus on combatting the top 10 common critical vulnerabilities that impact their organization (or application security landscape). For the companies surveyed in 2017, these included cross-site scripting (XSS), SQL injection, broken authentication, cross-site request forgery, and security misconfigurations. More than half of survey respondents reported that Fortify was particularly effective in finding these high-risk vulnerabilities early in the development lifecycle, when they can be remediated more easily and cheaply.6 Tools such as Fortify Security Assistant, for example, enabled developers to identify vulnerabilities in real time while they are writing code. Overall, companies using Fortify Static Code Analyzer found they could uncover tens of thousands of previously unidentified vulnerabilities. In addition, respondents said they could run the scans in a significantly shorter amount of time — from several days to just a few hours or even minutes — freeing developers to focus more time on what they do best: writing high-quality code and not waiting for scans. 6 Twice as Many True Vulnerabilities Found… Before Fortify After Fortify $17.5K 0 $5K $10K $15K $20K $2K 89% reduction SSA FeeSavings Customers reported that the number of legitimate vulnera- bilities found with Fortify was double that of other software vendors. Number of True Vulnerabilities Found 2X …With Significantly Faster Scans Before Fortify After Fortify $17.5K 0 $5K $10K $15K $20K $2K 89% reduction SSA FeeSavings Customers reported that scanning with Fortify was 10–15 times faster than with other software vendors. Speed of Scans 10–15X WHAT TYPES OF VULNERABILITIES MATTER? In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting and SQL injections, but were also worried about data breaches and the consequences that ensued, which most rated as one of their top security concerns.
  • 7.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 7 Better Triaging, Fewer False Positives Survey participants were attracted to Fortify’s unique ability to dig through large sets of vulnerabilities, identify those vulnerabilities that are meaningful to the organization, and quickly separate false positives and low-risk issues from serious flaws, significantly reducing mean time to triage (MTT). Many of the companies augmented their triaging routines by factoring in the latest industry intelligence and trends, and by connecting static and dynamic analyses. Several companies regularly tapped experts from Fortify to design and execute these time-saving triaging protocols. One leading data-analytics company, for example, routinely uploads code to Fortify on Demand to scan, then conducts a joint review and triaging session with the technical account manager before starting remediation. Before Fortify After Fortify $17.5K 0 $5K $10K $15K $20K $2K 89% reduction SSA FeeSavings Customers reported that the number of false positives were reduced by up to 95% with Fortify on Demand managed services offering. Reduction in False Positives 95% Fewer False Positives Improved Remediation Efforts Survey respondents repeatedly stressed the importance of finding vulnerabilities early in the development lifecycle, noting that it took nearly 100-times more effort to remediate security flaws if they’re found after software has gone into production versus during the coding process.Vulnerabilities found during quality assurance testing is less expensive to remediate but still takes about 10-times more effort and time to fix compared to the coding phase. On average organizations reported they could complete triaging and remediation tasks about 10-times faster with Fortify — from 20 days per application to just one to two days.Again, the time saved could be redirected to enhancing the software in ways that made it more appealing to end users. Before Fortify After Fortify Customers reported that, with Fortify, they are able to speed up the triaging and remediation process. 20 days per app to triage and remediate 1–2 days per app to triage and remediate 10x Faster Triaging and Remediation Faster Remediation FALSE POSITIVES CAN SLOW YOU DOWN A leading financial institution reported that scans for a large application could uncover as many as 50,000 vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using Fortify’s software and managed services, the institution avoided false positives and leveraged insights that improved triaging and remediation, reducing workloads significantly. Noted one IT executive: “The only way to scale is by eliminating false positives.”
  • 8.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 8 KEY FINDING: FORTIFY’S SCALABILITY DRIVES CONTINUOUS DELIVERY As the number of applications continues to grow, organizations need to scale their software security programs to avoid delays in delivering releases and updates. Companies in the survey consistently identified a set of obstacles to achieving process scalability. These included: • Disparate point solutions • Manual processes/lack of automation • Poor identification of vulnerabilities • Large amount of false positives • Lack of access to security expertise When organizations combined Fortify solutions with its managed services offering, they could transform software security assurance into a fully scalable and repeatable process capable of managing the increasing operational demands of enterprise-level development organizations.8 What does true scalability look like? Before adopting Fortify, one customer in the survey could complete about 30–50 scans per quarter, covering about 25 applications. Since implementing Fortify, it can complete 300 scans covering 75 applications — a 30X increase in speed and capacity. Before Fortify After Fortify Customers reported that the number of false positives were reduced by up to 95% with Fortify and managed services support. 30–50 scans covering 25 apps 300 scans covering 75 apps 30X More Scanning, More Apps Before Fortify After Fortify Customers reported seeing a 40% reduction in repeat vulnerabilities, thus creating high-quality and secured applications. 40% Reduction in Vulnerabilities Fewer Repeat Vulnerabilities Before Fortify After Fortify Survey Finding: Fortify customers expect to double the number of applications scanned in the future. 2X X Scaling Up for the Future
  • 9.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 9 KEY FINDING: FORTIFY ENABLES FASTER TIME TO MARKET When organizations used Fortify to accelerate and improve the quality of their software security testing and remediation, they significantly reduced the length of their software development lifecycles, helping teams throughout the organization meet rapid-release deadlines. As illustrated below, before adopting Fortify, organizations faced longer testing timelines — the result of less- frequent and later-cycle scanning and remediation efforts. Respondents reported that late-cycle security “surprises” could easily threaten market launches. With Fortify, organizations can scan code, find and fix vulnerabilities in frequent iterations starting early in the lifecycle, and leverage advanced triaging techniques to shrink cycles even further.The result: A greater number of relevant vulnerabilities are uncovered and remediated earlier, and tail-end surprises are minimized. Furthermore, repeat vulnerabilities are progressively reduced because developers learn to code more securely, resulting in cleaner and more secure code in each future cycle. NumberofVulnerabilitiesFound Time Time Scalability and Time to Market Acceleration 30X More 2X More Vulnerabilities Found More Vulnerabilities Remediated 10X Faster 10–15X Faster Scans 95% Fewer False Positives Effort Peaks High Risk Rare Release Events “Waterfall Methodology” Smoother Effort Less Risk Frequent Release Events “Agile Methodology” Without Fortify With Fortify Faster Time to Market with Fortify KEY FINDING: FORTIFY IMPROVES MANAGEMENT OF EXTENDED DEVELOPMENT ECOSYSTEMS Managing Third-Party Developers Many organizations today supplement their in-house developers with third-party coding contractors. Operationalizing the software security process to include these external teams, however, can be a complex challenge for development organizations. Several of the companies we studied are using Fortify on Demand to extend security testing and quality control to third party developers. Some have created innovative “pay for performance” programs that enabled companies to adjust fees paid to outsourcing partners based on the “cleanliness” of the code delivered. The result: improved product quality and better value for the money spent on outside vendors.
  • 10.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 10 Simplify and reduce SSA set-up time Scan faster Find more vulnerabilities Triage and audit faster Reduce number of false positives Reduce remediation effort Avoid repeat vulnerabilties 10 point tools 1 to 3 weeks per app Thousands per app 1 to 2 weeks per app 1,000 to 50,000 per app 3 to 4 weeks Repeat vulnerabilities common Single end-to-end tool A few hours to 1 day At least 2X more true vulnerabilities found 1 to 2 days 10s to 100s, 95% reduction 1 to 2 weeks Repeat vulnerabilities reduced by 40% Before FortifyBenefits After Fortify Scalability 30 to 50 scans covering 25 apps per quarter 300 scans covering 75 apps per quarter Summary of Operational Improvements from Fortify EMPOWERING CONTINUOUS DELIVERY Mainstay’s previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities, and doing so earlier in the software development lifecycle. The current survey clearly confirmed this earlier conclusion — with customers reporting they found twice as many relevant vulnerabilities with Fortify compared to competing solutions. However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success. These included Fortify’s ability to produce fewer false positives, and its ability to provide rich insights and correlations to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the means to support their expanding development environments and significantly faster release cadences. BENEFIT SUMMARY The figure below summarizes the range of benefits that organizations can achieve by adopting Fortify. In addition to the operational improvements, many of the organizations found that Fortify enabled them to: • Accelerate application time to market • Reduce disaster recovery and data breach costs • Get better value for services from third-party development vendors TEAMING WITH FORTIFY FOR GREATER ASSURANCE To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with managed services and resources from Fortify’s professional services team. These include best practices, metrics, and templates designed to ensure a predictable and measurable software security process.
  • 11.
    Continuous Delivery ofBusiness Value with Fortify WHITE PAPER 11 THE WAY FORWARD For companies that leverage software to compete, the ability to rapidly develop and update applications has become a strategic necessity. Application development teams are addressing this demand for continuous software delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases. For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing volumes of applications, security teams will need to introduce more automation and achieve even greater levels of operational efficiency. In this survey of leading companies, we found that Fortify is changing the game for development and security teams. Using Fortify’s end-to-end application security solutions, organizations can test application code and remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost is a new generation of triaging tools and technologies that virtually eliminate false-positives and isolate valid vulnerabilities for swift remediation. Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that can scale exponentially and ensure continuous delivery as the business’s reliance on software grows. In this new era, Fortify will continue to innovate and help organizations keep pace with high-performance application security solutions and services. For more information about Fortify, visit fortify.com. ENDNOTES 1 When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered. 2 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013. 3 The average development organization uses as many as 10 security testing and remediation tools. 4 This current survey builds on earlier studies of the business impact of Fortify solutions. See:“Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions,” Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf 5 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013. 6 A leading bank reported that a scan for a large application could throw up as much as 50,000 vulnerabilities. 7 Fortify’s more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said. 8 A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%). 9 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
  • 12.
    Sponsored by: Research andanalysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp. This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained from sources considered reliable, but is not warranted by Mainstay. Copyright © 2017 Mainstay. Mainstay www.mainstaycompany.com 2929 Campus Drive, Suite 150 San Mateo, CA, 94405 p. 650.638.0575 f. 650.638.0578