21 January 2011

Secure SDL Positive ROI Possible

In my previous post, I mentioned the lack of data on return on investment (ROI) concerning building security into the software development life cycle (SDLC). Well, after commenting on the Aberdeen Group report earlier this week, another study has been published by Forrester Consulting.

Partial view of the report cover from Forrester Consulting's 'State of Application Security - Immature Practices Fuel Inefficiencies, But Positive ROI Is Attainable'

The report State of Application Security - Immature Practices Fuel Inefficiencies, But Positive ROI Is Attainable was commissioned by Microsoft to survey influential people in software development in the United States and Canada. Appendix B of the report defines the demographics of the 150 respondents: there is a heavy bias towards people working in the "high tech" industry sector (rather than, say, financial, utilities or manufacturing), and more than half of their organisations have annual revenue in excess of $5 billion, including the development of software products and services.

The study examined the secure development drivers, practices, effectiveness and maturity. Table 1 in the report identifies that almost half of the organisations use their own software security methodology, with others using CMM/CMMI, Microsoft SDL, OpenSAMM and DISA STIG.

The conclusions? Most of the organisations surveyed have implemented some form of application security measures, but these are not yet mature, and risk is still most commonly transferred from development to operations, where the remediation costs are highest. Tactical approaches with point technologies are less effective than prescriptive application security methodologies applied strategically throughout the SDLC. Those using a more coordinated, prescriptive approach reported a better ROI for application security. However, the ROI for these organisations is not as high as suggested in the Aberdeen Group study.

Posted on: 21 January 2011 at 08:24 hrs

http://www.clerkendweller.com/2011/1/21/Secure-SDL-Positive-ROI-Possible