Many enterprises struggle to quantify business value and Return On Investment (ROI), often viewing their security spend solely as an insurance expense – a must-have in today’s world of compliance regulations and inevitable cyberattacks. But by adopting the right solutions, organizations can mitigate a multitude of security challenges while enabling business agility and achieving measurable operational benefits.
This raises questions about the efficacy of SAST for organizations focused on immediate benefits. SAST does not analyze the actual executable/binary; it typically works on an abstract representation of your program. No matter how good the analysis, this technique will always produce a large number of False Positives (FPs), and it will report defects on paths that the program would never actually execute in a live system.
Why is this important? For applications that are trivial in size, FPs may be manageable, but what happens when you have code bases of 10MLOC (10 million Lines Of Code) or more? Some of the industry’s best SAST checkers are designed to have FP rates below 5%, but if we use the common metric of 15-50 errors per 1KLOC (thousand Lines Of Code) reported in Steve McConnell’s Code Complete, the number of potential defects identified by SAST on that 10MLOC is approximately 150K-500K defects! Of these, using an ordinary SAST tool, we can typically expect approximately 7.5K-25K to be FPs that someone still has to triage.
ROI Tip: Security Reviewer SAST ensures a drastic reduction of FPs from 5% to about 2.5%, further reduced to 0% for the most important vulnerabilities, as demonstrated by the OWASP Benchmark results; that’s why your ROI on adopting our solutions will be faster. Another strategic move is to configure automated testing tools to flag only the defects that are critical or directly relevant to the application being built. The tools find many things, but do you need to fix them all? Of course not. Once our tools are automated in your pipeline, you can prioritize all your defects, balancing defect discovery against remediation effort, which can save a great deal.
High Quality Software
According to Capers Jones, the software industry spends about $0.50 out of every $1.00 expended on development and maintenance on finding and fixing bugs. Most forms of testing are below 35% in defect removal efficiency, i.e. they remove only about one bug out of three. All tests together seldom top 85% in defect removal efficiency. About 7% of bug repairs introduce new bugs. About 6% of test cases have bugs of their own. These topics need to be measured, controlled, and improved. Security flaws are leading to major new costs for recovery after attacks. Better security is a major subset of software quality. A synergistic combination of defect prevention, pre-test defect removal, and formal testing by certified personnel can top 99% in defect removal efficiency while simultaneously lowering costs and shortening schedules. For companies that know how to achieve it, high quality software is faster and cheaper to produce than low quality software.
Return on Security Investment (ROSI)
The classical financial approach to ROI calculation is not particularly appropriate for measuring security-related initiatives: security is not generally an investment that results in a profit. Security is about loss prevention. In other terms, when you invest in security, you don’t expect benefits; you expect to reduce the risks threatening your assets. With this approach, the quantitative assessment of the Return on Security Investment is done by calculating how much loss you avoided thanks to your investment.
Assessing security investment involves evaluating how much potential loss could be saved by an investment. Therefore, the monetary value of the investment has to be compared with the monetary value of the risk reduction. This monetary value of risk can be estimated by a quantitative risk assessment.
According to ENISA, to calculate the ROI we should consider the Single Loss Expectancy (SLE), the Annual Rate of Occurrence (ARO) and the Annual Loss Expectancy (ALE). The Return on Security Investment (ROSI) calculation combines the quantitative risk assessment with the cost of implementing security countermeasures for that risk. In the end, it compares the ALE with the expected loss saving. Following the ROI definition, the ROSI is defined as below:
Implementing an effective security solution lowers the ALE: the more effective a solution is, the more the ALE is reduced. This monetary loss reduction is defined as the difference between the ALE without the security solution and the modified ALE (mALE) obtained by implementing the security solution:
Security Reviewer - ROSI
Let’s say a Customer is considering investing in a new SAST + Software Composition Analysis solution. The Customer had been working with Fortify for more than 10 years, struggling to manage a large number of False Positives, with no Software Composition Analysis. After determining that it needed a new application security testing system to help with process efficiencies, monitoring capabilities, and application security, the Customer immediately looked towards a niche solution like Security Reviewer. Briefly, the company considered other solutions ranked at the top of Gartner and Forrester research, but those solutions offered legacy capabilities and did not fully meet its needs. Those solutions are also SaaS-only, and due to the company's requirements it could not send source code externally to the cloud. The Customer needed source code analysis on-premises, and Security Reviewer easily met that requirement. When facilitating the Security Reviewer deployment, the Customer chose an "automatic" approach to its challenging manual processes, allowing users to focus on more value-driven work instead of analyzing the source code for vulnerabilities by hand.
Customers can achieve a complete payback on their Security Reviewer deployment within seven months and gain up to 140% Return on Security Investment (ROSI) per year, due to [ROI Tip] Security Reviewer’s low cost and its crucial contribution to defect removal efficiency.
Around 300 users, mainly tech leaders, developers, and data engineers, use our Software Composition Analysis solution to simplify the process of reviewing projects, directly inside their CI/CD platform. Our SAST platform is currently used by 60 developers to bring security right into the development process, allowing them to understand security needs and incorporate ideas as early as possible. The implementation was handled by a team of three employees: two Security Analysts and one Senior Developer. The implementation project took five months to complete, with all three stakeholders devoting only 15 percent of their time each week to implementing Security Reviewer. On an ongoing basis, the same three employees support the system and spend part of their time maintaining the two Security Reviewer solutions. Furthermore, within the license costs, Security Reviewer provided services for fine-tuning the system and educated the developers with quick on-the-job training, so no additional training or third-party programs were required for the developers.
The key benefits of using Security Reviewer solutions included:
Reduced coding vulnerabilities: Security Reviewer enables Customers to address all software security concerns through increased visibility, reduced vulnerability, and more actionable remediation insights. Now, testing is performed much earlier, while the developer is writing or assembling code. [ROI Tip] That reduces your remediation costs: it costs six to seven times as much to fix things late as to fix them early. Additionally, Security Reviewer allows the company to retire legacy third-party tools and libraries incorporated within its code, thereby reducing the overall risk posture of its applications and giving developers a more modern environment to work in.
Increased developer productivity: By using Security Reviewer's embedded Remediation Guidance to educate developers on how to write more secure code, better understand security vulnerabilities and weaknesses, and proactively discover and prevent these issues, [ROI Tip] the organization will save about two hours per week for each of its developers. This saving can be increased further by combining SAST with our Software Composition Analysis (SCA) features.
Increased AppSec scalability: When measuring the ability of your AppSec program to scale, look for an overall increase in the percentage of your application portfolio that is covered by your AppSec program. In addition, track the portion of your portfolio that complies with internal and/or external security policies. Both numbers provide reliable indicators of the scale and effectiveness of your AppSec program. You can also measure the mean time to remediation to understand how quickly you fix problems: the more effectively you can fix an issue, the less it will cost your organization in time and effort. By scaling secure software delivery, you can achieve the business outcome of faster time to market for secure software. In addition, you will see reduced implementation costs overall as you scale your program throughout the software development lifecycle and across your application landscape.
The most significant cost area of the SAST and SCA deployment was the product license charge itself, which soon provided a full ROI and further cost savings. Other costs over the three-year period included the minimal initial deployment cost and the cost of the three employees who support the solution on an ongoing basis. Training sessions were not required, as the Customer highlighted that Security Reviewer solutions are straightforward for developers to learn.
The Customer analyzed the costs of software, hardware, personnel, professional services, and user training over a three-year period to quantify the financial institution's total investment in SAST and SCA technology.
Before adopting our solution, the Customer had to manually review its applications at least 5 times each year to resolve security incidents directly related to coding vulnerabilities, was forced to manage thousands of False Positives, and paid no attention to third-party libraries, obtaining a poor mitigation of only 20% of issues.
Our solution is expected to mitigate 80% of the issues, so we can set the Estimated Risk Mitigation to 0.8. Taking the above-mentioned costs (Cost of the Solution) as 100 per year, and 60 as the cost of a data loss (SLE) occurring 5 times a year (ARO), so that the Estimated Potential Loss (ALE) = ARO * SLE = 5 * 60, the ROSI can be calculated as follows:
The Cost of the Solution will be paid back in 7 months, since Cost of the Solution = 1.66 * SLE.
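The following script carries the ENISA ROSI definition referred to above through the scenario just described (SLE 60, ARO 5, 80% mitigation, solution cost 100), and also reproduces the false-positive budget arithmetic from the 10MLOC discussion earlier on this page. It is an added example written for this page, not code from Security Reviewer or ENISA; the function and class names are our own, and the break-even helper is an extra check we added: it tells you the minimum mitigation ratio a control must actually deliver before it stops costing more than it saves.

```python
"""Worked ROSI calculation (added example; not Security Reviewer's or ENISA's code).

Formulas as defined by ENISA:
    ALE  = ARO * SLE                      annual loss expectancy without the control
    mALE = ALE * (1 - mitigation_ratio)   modified ALE with the control in place
    ROSI = (ALE - mALE - cost) / cost     = (ALE * mitigation_ratio - cost) / cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    sle: float               # Single Loss Expectancy: cost of one incident
    aro: float               # Annual Rate of Occurrence: incidents per year
    mitigation_ratio: float  # share of the loss the control is expected to prevent, 0..1
    solution_cost: float     # yearly cost of the control (license + people)

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be between 0 and 1")
        if self.solution_cost <= 0:
            raise ValueError("solution_cost must be positive")

    def ale(self) -> float:
        """Annual Loss Expectancy without the control."""
        return self.aro * self.sle

    def male(self) -> float:
        """Modified ALE once the control removes its share of the loss."""
        return self.ale() * (1.0 - self.mitigation_ratio)

    def loss_avoided(self) -> float:
        """Monetary loss reduction: ALE - mALE."""
        return self.ale() - self.male()

    def rosi(self) -> float:
        """Return on Security Investment as a ratio (1.4 means 140%)."""
        return (self.loss_avoided() - self.solution_cost) / self.solution_cost


def break_even_mitigation_ratio(scenario: Scenario) -> float:
    """Mitigation ratio at which ROSI is exactly zero (loss avoided == cost).

    Added check, not part of the page's own calculation: a control whose real
    effectiveness falls below this ratio costs more than it saves.
    """
    return scenario.solution_cost / scenario.ale()


def expected_defect_range(loc: int, low_per_kloc: int, high_per_kloc: int) -> tuple[int, int]:
    """Potential defects in a code base, from a defects-per-KLOC density range."""
    kloc = loc // 1000
    return kloc * low_per_kloc, kloc * high_per_kloc


def expected_false_positives(defects: tuple[int, int], fp_rate: float) -> tuple[int, int]:
    """Findings an analyst will triage and discard, for a given tool FP rate."""
    low, high = defects
    return round(low * fp_rate), round(high * fp_rate)


if __name__ == "__main__":
    # Constructed from the figures stated on the page (cost units are relative).
    s = Scenario(sle=60, aro=5, mitigation_ratio=0.8, solution_cost=100)
    print(f"ALE = {s.ale():.0f}, mALE = {s.male():.0f}, loss avoided = {s.loss_avoided():.0f}")
    print(f"ROSI = {s.rosi():.0%}")
    print(f"break-even mitigation ratio = {break_even_mitigation_ratio(s):.1%}")

    defects = expected_defect_range(10_000_000, 15, 50)   # 10MLOC at 15-50 errors/KLOC
    fps = expected_false_positives(defects, 0.05)         # 5% FP rate
    print(f"potential defects: {defects[0]:,}-{defects[1]:,}; expected FPs: {fps[0]:,}-{fps[1]:,}")
```

With the page's figures the script gives ALE = 300, mALE = 60, loss avoided = 240 and ROSI = 140%, matching the yearly figure quoted above, and a break-even mitigation ratio of about 33%: any estimate of a control's effectiveness below that turns the ROSI negative, which is why the mitigation ratio is the input worth challenging in a business case rather than the license price.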