Software security assurance: quantifying ROI is difficult – but can be done…
Mainstay Partners is a much-respected research company that specialises in putting a value to business propositions. When Fortify Software wanted an independent statement on the return on investment (ROI) that software companies might achieve from the use of its software security assurance (SSA) products, Mainstay Partners is where it went. The result is a new whitepaper: Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions – and, basically, yes it does (as much as $37m per annum in some cases).
We reviewed 30 software security providers and found that, while everyone talks about ROI, no one has really quantified the business value of SSA. Fortify’s effort to put some real cost and time savings against an investment in SSA is unique in the industry, and should give security executives the language they need to communicate the value of SSA in a way that resonates with senior IT and business leaders.
Amir Hartman, co-founder and managing director of Mainstay Partners
Key findings include:
- Vulnerabilities per application reduced from thousands to tens
- Average time to fix a vulnerability reduced from 1-2 weeks to 1-2 hours
- The percentage of repeat vulnerabilities reduced from 80% to 0%
- Costs for compliance and penetration tests reduced from ~$500k to $250k
- Time-to-market delays due to vulnerabilities reduced from 4+ incidents (30 days each) to none