Continuous Delivery of Business Value with Fortify Mainstay Customer Evidence Research WHITE PAPER



MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION

Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity of software-driven “digital transformation” to stay relevant and competitive in their markets. Industrial icon GE, for instance, is developing software that harnesses data from sensors inside wind turbines to squeeze more electricity from existing wind farms. Automakers embed tens of millions of lines of code into their increasingly “smart” and “connected” vehicles.1

As software becomes core to every business — and as cloud-based software services surge in popularity — companies are developing and updating applications faster than ever before. Welcome to the new era of continuous software delivery. Continuous delivery means development teams are releasing software with new features and functionalities in increasingly shorter cycles, from every year or quarter to every month, week, or day.

The approach is now woven into the DevOps environments of leading enterprises like Microsoft, Google and Facebook, which typically issue major software releases every week across their web sites, followed by daily bug fixes over the rest of the week. Forrester Research predicts that organizations will go from four application releases per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.2

SECURITY TEAMS UNDER PRESSURE

With the market moving to an agile, continuous delivery model, development and security teams within organizations are scrambling to keep up with the sheer number of applications and releases, which is putting pressure on a key part of the development lifecycle: software security assurance (SSA). Simply put, organizations cannot afford for security testing and remediation to slow the pace of software delivery.

This challenge is complicated by several trends:

• The proliferation of SaaS and mobile devices, which requires even more testing of applications for security flaws.

• Many enterprises maintain hybrid environments with a mix of legacy and COTS applications and varying release cycles, thus increasing the complexity of security programs.

• Developers increasingly utilize downloaded code from open-source software (OSS) repositories such as Maven and GitHub, many of which are known to contain vulnerabilities.

Organizations generally have been slow to respond to the challenge, in part because most of them are still using outmoded security testing tools and practices. These tools lack automated features that could enable organizations to tackle greater volumes of code and scans in less time. Often these tools cover only part of the security-testing process, a handful of specific languages, or limited deployment options, forcing organizations to switch between multiple tools during the development cycle, hurting productivity.3

A NEW ERA IN SOFTWARE SECURITY

Continuous delivery of applications has become the new normal for software development organizations across every industry. Software development teams are now expected to deliver new releases and updates at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we detail how development organizations at leading companies are using software security solutions from Fortify to scan more applications faster, focus and streamline remediation efforts with better triaging, and integrate security assurance methods throughout the software development environment. No longer a production bottleneck, security teams can now support increasingly ambitious release schedules, ensuring faster time to market and freeing developers to focus on creating better software.


In fact, industry analysts estimate that even though 90% of companies are engaged in application development — and 99% agree it’s an opportunity to increase enterprise security — only 20% are doing anything about it. Gartner estimates that fewer than 20% of enterprise security architects have systematically incorporated information security into their DevOps initiatives. Fewer still have achieved the singular degree of security automation required to qualify as Secure DevOps.

SHIFTING TO THE ‘LEFT’

Until recently, organizations have focused security testing and remediation efforts primarily on the later phases of the software development lifecycle. However, this is precisely when remediation is most expensive and time-consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability of current toolsets also dictates relatively fewer scans, cutting into productivity as the number of applications and releases continues to grow.

All of this represents a reactive approach to security assurance that increases the risk of project delays, compromises application security, and ultimately prevents organizations from scaling to meet the demands of continuous delivery. By contrast, leading organizations we researched are taking a more agile and proactive approach — one that emphasizes earlier, more frequent testing with feedback loops designed to produce progressively cleaner code.

In effect, these organizations are shifting security testing operations to the “left,” thus reducing the number of vulnerabilities introduced during the coding phase, as shown below. According to a recent study, organizations that make this move end up spending 55% less time remediating security issues.5

THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE

Mainstay conducted initial research on the economic impact of Fortify’s application security solutions in 2010, a time when the biggest challenges facing IT and application security teams were simply finding software vulnerabilities, and finding them early enough to make remediation easier.4 In 2013, Mainstay re-surveyed leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities as possible, and many were choosing cloud services to extend these capabilities to third-party developers.

Our latest survey found an evolving market for software security solutions, with organizations demanding greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential vulnerability, organizations now want better triaging to quickly focus on and remediate flaws that pose the most serious risk to the business.

[Figure: “Shift Left” Creates the Environment to Support Frequent Releases as Well as Faster Delivery. Two panels compare the scope of software security scans across the SDLC phases: Requirements, Design, Coding, Integration, QA, Production.]

Laggards Test Later and Less Frequently. Scope of software security scans: code reviews, security testing, penetration testing and vulnerability scanning, concentrated in the later phases of the cycle. Need to “shift left.”

• Reactive

• Likelihood of discovering more vulnerabilities than available capacity to triage or remediate

• Difficulty in remediating

• High risk of application delays

• Incompatible with frequent development releases

Leaders Deploy Software Security Throughout the Software Development Cycle. Scope of software security scans with Fortify: software security requirements analysis, threat modeling, security architecture, design reviews, code reviews, static code analysis, dynamic code analysis, real-time security testing, security testing, penetration testing and vulnerability scanning, spread across every phase from requirements through production.

• Proactive

• Vulnerabilities are discovered early

• Easier to remediate

• The number of iterations that occur across the SDLC improves time to production

• The time required to fix an issue is less as you shift left, driving shorter time to production


SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIES

To understand how leading enterprises are coping with the demands of continuous software delivery, market analyst Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even broader portrait of the challenges that software development and security departments face in today’s fast-paced environment.

Among the companies participating in the software security survey were:

• One of the world’s largest financial services holding companies

• Two of the world’s largest multinational oil and gas companies

• A global peer-to-peer lending and online trading platform company

• A provider of online investing services for institutions

• One of the world’s largest banks with operations in over 50 countries

The survey looked at five critical aspects in the software security assurance process and evaluated how the adoption of Fortify impacted each one:

• Scan Setup. Ease and speed in setting up scans; how well security tools and processes are integrated with development environment

• Scan Performance. Speed of scans and the number of vulnerabilities found

• Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified; ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT)

• Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed; reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR)

• Scalability. Our study also looked at how organizations are deploying Fortify to flexibly scale their security processes to scan and remediate significantly more applications in less time. Metrics include the quantity of apps scanned, scan cycles performed, and developer issues avoided at the source during coding.

The following sections discuss the results of the survey.

[Figure: The five aspects of the software security assurance process evaluated in the survey, with the metrics examined for each.]

• Setting Up Scans. Ease; speed; readiness/integration with development environments

• Performing Scans. Speed; number of vulnerabilities identified

• Triaging. Speed; number of false positives identified; prioritizing by criticality

• Remediating. Number of vulnerabilities to fix; speed of fixing; prioritize by addressing critical vulnerabilities first

• Process Scalability. Number of apps; number of scan cycles; developer issues avoided at source during coding

WHY FORTIFY

Of the companies surveyed, 54% said that Fortify was their first choice for application security software before later deciding to implement Fortify. Their top three reasons for choosing Fortify were:

• Solution flexibility

• Greater coverage of different programming languages and third-party code

• Better ability to find and fix vulnerabilities


KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE

Faster Scan Setups

In a continuous delivery environment, development teams must move quickly to plan and execute security scans. However, given the wide variety of programming languages and code components commonly found in a modern development environment, it can be a slow process to assemble the right security tools — and the right people and expertise — for the job. Before moving to Fortify, fewer than half of the organizations in our survey could accommodate the requirements of fast-release cycles (weekly).

The Fortify platform provided coverage and integration across a broad range of development environments and languages, eliminating the need for multiple point tools and the experts necessary to operate them. On average, companies replaced about 10 tools with a single Fortify solution. This allowed organizations to streamline their software security environment, reduce complexity and improve operational efficiencies. Customers believed this offers the potential to lower the overall cost involved in software security licenses and maintenance.

LESS TIME SCANNING, MORE TIME ENHANCING APPS

Scanning within an integrated development environment (IDE) can take several hours and add 25% or more to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged down by administrative and security tasks and now have more time to focus on improving the software. The customer considers this to be a huge competitive advantage in an increasingly software-driven world.

[Figure: Fewer Security Tools Needed. Number of software security tools: 10 before Fortify, 1 after Fortify. SSA fee savings: $17.5K before Fortify, $2K after Fortify, an 89% reduction. Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts.]

[Figure: Faster Setups Allows More Frequent Releases. Percentage of companies that could support monthly or weekly release cadences: 35% before Fortify, 100% after Fortify. Survey finding: Organizations were able to increase their ability to do weekly, monthly or quarterly releases with the same amount of resources.]

Increasing adoption of agile environments is driving the demand for tighter process integration across the development lifecycle. Organizations that moved to the Fortify environment — which provides tools and plugins to simplify integration with existing development environments — could create fast, automated processes for uploading code, running scans, and incorporating security checks into each phase of the development cycle.

In fact, the survey found that the percentage of customers who could improve their release frequencies — from annual or quarterly to monthly, weekly, or even daily releases — increased significantly. Whereas only 35% of the respondents could do monthly or weekly releases before adopting Fortify, nearly all respondents said they could handle accelerated release schedules after adopting Fortify’s speed-enhancing rules engines, templates, and triaging technologies.


More Efficient Scanning

Most companies focus on combatting the top 10 common critical vulnerabilities that impact their organization (or application security landscape). For the companies surveyed in 2017, these included cross-site scripting (XSS), SQL injection, broken authentication, cross-site request forgery, and security misconfigurations.

More than half of survey respondents reported that Fortify was particularly effective in finding these high-risk vulnerabilities early in the development lifecycle, when they can be remediated more easily and cheaply.6 Tools such as Fortify Security Assistant, for example, enabled developers to identify vulnerabilities in real time while they are writing code.

Overall, companies using Fortify Static Code Analyzer found they could uncover tens of thousands of previously unidentified vulnerabilities. In addition, respondents said they could run the scans in a significantly shorter amount of time — from several days to just a few hours or even minutes — freeing developers to focus more time on what they do best: writing high-quality code and not waiting for scans.

[Figure: Twice as Many True Vulnerabilities Found… Number of true vulnerabilities found: 2X. Customers reported that the number of legitimate vulnerabilities found with Fortify was double that of other software vendors.]

[Figure: …With Significantly Faster Scans. Speed of scans: 10–15X. Customers reported that scanning with Fortify was 10–15 times faster than with other software vendors.]

WHAT TYPES OF VULNERABILITIES MATTER?

In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting and SQL injections, but were also worried about data breaches and the consequences that ensued, which most rated as one of their top security concerns.


Better Triaging, Fewer False Positives

Survey participants were attracted to Fortify’s unique ability to dig through large sets of vulnerabilities, identify those vulnerabilities that are meaningful to the organization, and quickly separate false positives and low-risk issues from serious flaws, significantly reducing mean time to triage (MTTT).

Many of the companies augmented their triaging routines by factoring in the latest industry intelligence and trends, and by connecting static and dynamic analyses. Several companies regularly tapped experts from Fortify to design and execute these time-saving triaging protocols. One leading data-analytics company, for example, routinely uploads code to Fortify on Demand to scan, then conducts a joint review and triaging session with the technical account manager before starting remediation.

[Figure: Fewer False Positives. Reduction in false positives: 95%. Customers reported that the number of false positives was reduced by up to 95% with the Fortify on Demand managed services offering.]

Improved Remediation Efforts

Survey respondents repeatedly stressed the importance of finding vulnerabilities early in the development lifecycle, noting that it took nearly 100 times more effort to remediate security flaws if they’re found after software has gone into production versus during the coding process. Vulnerabilities found during quality assurance testing are less expensive to remediate but still take about 10 times more effort and time to fix compared to the coding phase.

On average organizations reported they could complete triaging and remediation tasks about 10-times faster with Fortify — from 20 days per application to just one to two days. Again, the time saved could be redirected to enhancing the software in ways that made it more appealing to end users.

[Figure: Faster Remediation. Triaging and remediation: 20 days per app to triage and remediate before Fortify, 1–2 days per app after Fortify, 10x faster. Customers reported that, with Fortify, they are able to speed up the triaging and remediation process.]

FALSE POSITIVES CAN SLOW YOU DOWN

A leading financial institution reported that scans for a large application could uncover as many as 50,000 vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using Fortify’s software and managed services, the institution avoided false positives and leveraged insights that improved triaging and remediation, reducing workloads significantly. Noted one IT executive: “The only way to scale is by eliminating false positives.”


KEY FINDING: FORTIFY’S SCALABILITY DRIVES CONTINUOUS DELIVERY

As the number of applications continues to grow, organizations need to scale their software security programs to avoid delays in delivering releases and updates. Companies in the survey consistently identified a set of obstacles to achieving process scalability. These included:

• Disparate point solutions

• Manual processes/lack of automation

• Poor identification of vulnerabilities

• Large amount of false positives

• Lack of access to security expertise

When organizations combined Fortify solutions with its managed services offering, they could transform software security assurance into a fully scalable and repeatable process capable of managing the increasing operational demands of enterprise-level development organizations.8

What does true scalability look like? Before adopting Fortify, one customer in the survey could complete about 30–50 scans per quarter, covering about 25 applications. Since implementing Fortify, it can complete 300 scans covering 75 applications — a 30X increase in speed and capacity.

[Figure: More Scanning, More Apps. 30–50 scans covering 25 apps before Fortify; 300 scans covering 75 apps after Fortify; 30X. Caption: Customers reported that the number of false positives was reduced by up to 95% with Fortify and managed services support.]

[Figure: Fewer Repeat Vulnerabilities. 40% reduction in repeat vulnerabilities. Customers reported seeing a 40% reduction in repeat vulnerabilities, thus creating high-quality and secured applications.]

[Figure: Scaling Up for the Future. Applications scanned: X before Fortify, 2X expected in the future. Survey finding: Fortify customers expect to double the number of applications scanned in the future.]


KEY FINDING: FORTIFY ENABLES FASTER TIME TO MARKET

When organizations used Fortify to accelerate and improve the quality of their software security testing and remediation, they significantly reduced the length of their software development lifecycles, helping teams throughout the organization meet rapid-release deadlines. As illustrated below, before adopting Fortify, organizations faced longer testing timelines — the result of less-frequent and later-cycle scanning and remediation efforts. Respondents reported that late-cycle security “surprises” could easily threaten market launches.

With Fortify, organizations can scan code, find and fix vulnerabilities in frequent iterations starting early in the lifecycle, and leverage advanced triaging techniques to shrink cycles even further. The result: A greater number of relevant vulnerabilities are uncovered and remediated earlier, and tail-end surprises are minimized. Furthermore, repeat vulnerabilities are progressively reduced because developers learn to code more securely, resulting in cleaner and more secure code in each future cycle.

[Figure: Faster Time to Market with Fortify. Two charts plot the number of vulnerabilities found over time. Without Fortify: effort peaks, high risk, rare release events (“waterfall methodology”). With Fortify: smoother effort, less risk, frequent release events (“agile methodology”). Scalability and time to market acceleration: 30X more scanning, 2X more vulnerabilities found, vulnerabilities remediated 10X faster, 10–15X faster scans, 95% fewer false positives.]

KEY FINDING: FORTIFY IMPROVES MANAGEMENT OF EXTENDED DEVELOPMENT ECOSYSTEMS

Managing Third-Party Developers

Many organizations today supplement their in-house developers with third-party coding contractors. Operationalizing the software security process to include these external teams, however, can be a complex challenge for development organizations.

Several of the companies we studied are using Fortify on Demand to extend security testing and quality control to third-party developers. Some have created innovative “pay for performance” programs that enabled companies to adjust fees paid to outsourcing partners based on the “cleanliness” of the code delivered. The result: improved product quality and better value for the money spent on outside vendors.


Summary of Operational Improvements from Fortify

• Simplify and reduce SSA set-up time. Before Fortify: 10 point tools. After Fortify: single end-to-end tool.

• Scan faster. Before Fortify: 1 to 3 weeks per app. After Fortify: a few hours to 1 day.

• Find more vulnerabilities. Before Fortify: thousands per app. After Fortify: at least 2X more true vulnerabilities found.

• Triage and audit faster. Before Fortify: 1 to 2 weeks per app. After Fortify: 1 to 2 days.

• Reduce number of false positives. Before Fortify: 1,000 to 50,000 per app. After Fortify: 10s to 100s, a 95% reduction.

• Reduce remediation effort. Before Fortify: 3 to 4 weeks. After Fortify: 1 to 2 weeks.

• Avoid repeat vulnerabilities. Before Fortify: repeat vulnerabilities common. After Fortify: repeat vulnerabilities reduced by 40%.

• Scalability. Before Fortify: 30 to 50 scans covering 25 apps per quarter. After Fortify: 300 scans covering 75 apps per quarter.

EMPOWERING CONTINUOUS DELIVERY

Mainstay’s previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities, and doing so earlier in the software development lifecycle. The current survey clearly confirmed this earlier conclusion — with customers reporting they found twice as many relevant vulnerabilities with Fortify compared to competing solutions.

However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success. These included Fortify’s ability to produce fewer false positives, and its ability to provide rich insights and correlations to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the means to support their expanding development environments and significantly faster release cadences.

BENEFIT SUMMARY

The figure below summarizes the range of benefits that organizations can achieve by adopting Fortify. In addition to the operational improvements, many of the organizations found that Fortify enabled them to:

• Accelerate application time to market

• Reduce disaster recovery and data breach costs

• Get better value for services from third-party development vendors

TEAMING WITH FORTIFY FOR GREATER ASSURANCE

To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with managed services and resources from Fortify’s professional services team. These include best practices, metrics, and templates designed to ensure a predictable and measurable software security process.


THE WAY FORWARD

For companies that leverage software to compete, the ability to rapidly develop and update applications has become a strategic necessity. Application development teams are addressing this demand for continuous software delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases.

For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing volumes of applications, security teams will need to introduce more automation and achieve even greater levels of operational efficiency.

In this survey of leading companies, we found that Fortify is changing the game for development and security teams. Using Fortify’s end-to-end application security solutions, organizations can test application code and remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost is a new generation of triaging tools and technologies that virtually eliminate false-positives and isolate valid vulnerabilities for swift remediation.

Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that can scale exponentially and ensure continuous delivery as the business’s reliance on software grows. In this new era, Fortify will continue to innovate and help organizations keep pace with high-performance application security solutions and services.

For more information about Fortify, visit fortify.com.

ENDNOTES

1 When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered.

2 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.

3 The average development organization uses as many as 10 security testing and remediation tools.

4 This current survey builds on earlier studies of the business impact of Fortify solutions. See: “Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions,” Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf

5 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.

6 A leading bank reported that a scan for a large application could throw up as many as 50,000 vulnerabilities.

7 Fortify’s more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said.

8 A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%).

9 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.

Sponsored by Fortify.

Research and analysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp.

This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained from sources considered reliable, but is not warranted by Mainstay.

Copyright © 2017 Mainstay.

Mainstay
www.mainstaycompany.com
2929 Campus Drive, Suite 150, San Mateo, CA 94405
p. 650.638.0575  f. 650.638.0578