
Follow-up: Secure (Enough) Software, Return-on-Investment Data

Jeremy Dallman (Senior Security Program Manager, Microsoft Security Engineering Center) kindly emailed me some information regarding my recent post entitled, “Secure (Enough) Software — Do we really know how?” Jeremy provides three resources that speak to the ROI of investing in secure code. I have some follow-up thoughts at the end. In the meantime, the software security data junkies will enjoy these numbers.

“Jeremiah, I saw your blog post today and it reminded me that I hadn’t sent you a couple of recently published papers that talk specifically to the question you raise. The MidAmerican case study provides an example of the ROI companies are realizing as a result of SDL implementation. In addition, an independent Aberdeen study focuses in on the ROI and gives a larger picture derived from a study of multiple companies’ security practices. I also included the Forrester report I sent you previously.

MidAmerican case study that demonstrates their ROI and security improvements with data, by a company who took the Microsoft SDL and built their own process:

The effort even took on its own brand inside MidAmerican called the Secure Development Initiative — an initiative, by all accounts, that worked. Total threats as defined by SDL and the Fortify tool did, indeed, fall below 100 by Sept. 30th, 2009. And by 2010, MidAmerican Energy was the only business unit inside the larger holding company that external auditors found to have no security vulnerabilities whatsoever.

But everyone at MidAmerican agreed there were major benefits. SDL-based planning required groups to think more efficiently not only about how they code securely, but how they code in general. “It just becomes like any scarce resource a company has to manage,” Kerber said. “But the message was, we are not throwing up barriers here in IT, we are protecting you.” On balance, the company saw a real gain in the bottom line: Increased efficiencies and fewer fixes resulting from using the SDL-inspired approach netted a productivity gain that could be as high as 20 percent.

The Aberdeen Group report (which Microsoft didn’t commission or participate in) has demonstrated data behind the SDL practices. What is called “Secure at the Source” is derived from the Simplified SDL process we defined specifically to demonstrate the transferability of the process to other companies:

The Forrester Report I sent you earlier has some interesting ROI information in it also:

We’re finally getting an inflow of data that speaks to the business value of software security programs, data that better justifies the resource investment to management. One of the things I probably didn’t do a good job of articulating in my original post is the need to evaluate and value the various pieces of an SDL, not the SDL’s effectiveness overall. To my mind there is no reason to believe that each activity in BSIMM offers the same benefit as another. For example, when the average organization deploys static analysis software testing during QA, it generally costs $X and reduces the number of high-risk vulnerabilities in production of Y type(s) by Z%. Something just that simple would suffice. If you could only do one right now, which would it be? That answer would, and probably SHOULD, be custom to each organization.