A few months ago, I got into a spirited discussion with a friend about whether it is better to own or rent your home in today’s economic environment. She immediately opened a rent-vs-buy calculator on her phone and started plugging in the various options to try to settle our argument. The math geek in me was intrigued, and that night I found myself playing around with the calculator and charting out various scenarios. But what does that have to do with application security, you ask?
Well, time and again, I get pulled into discussing the value that WhiteHat Security solutions provide over other alternatives available in the market. Seeing this rent-vs-buy calculator in use to settle a friendly argument got me thinking. Wouldn’t it be great to have a similar calculator that would evaluate all possible costs – direct, indirect, upfront, and hidden – associated with buying, configuring, implementing, and using an AppSec solution?
Factors that influence the Total Cost of Ownership
In the course of the next few weeks, I put together a pretty rudimentary spreadsheet that took into consideration all possible costs associated with implementing an AppSec solution. This spreadsheet took on a life of its own and I pulled in a team of co-workers and we spent several hours going over the various calculations, researching industry averages, and cataloging other default values for various factors like:
- The average number of vulnerabilities found in an app
- The number of hours it took per application to remove false positives
- The time it took to obtain remediation advice per app (of varying sizes)
- The hours for manual penetration testing per app
- The hourly salary for a security engineer on staff, based on geographical regions
- The hourly rates for an average penetration testing and consulting company
- Cost of program management and other professional services needed per app, and more.
Our goal was to create a calculator that would make it easier for buyers to compare the costs of AppSec solutions offered by various vendors. To make it a like-for-like comparison, the value derived from the solution and the level of service are held constant for all vendors, so that only the cost side varies.
This TCO calculator is the result of those hours of iteration and research. Its aim is to show buyers that the total cost of ownership of a solution is not just the upfront license cost you pay; it also includes the staff time, professional services, and manual testing needed to turn raw scanner output into verified, prioritized, fixable findings.
There are several AppSec Solutions available in the market today
Buyers have many choices for application security testing solutions in the market. Each solution offers certain features and benefits, but no two are exactly alike. With this TCO calculator, you can compare the following five alternatives:
1. WhiteHat Security: The ONLY pure-play AppSec company in the Leader quadrant of the Gartner Magic Quadrant for Application Security Testing*
- WhiteHat Sentinel Dynamic (DAST) and WhiteHat Sentinel Source (SAST) include the security expertise of the engineers in our Threat Research Center (TRC), who validate all vulnerability results to provide customers with near-zero false positives. Our products also come complete with unlimited access to security experts for remediation guidance, facilitated from within the product UI.
2. Cloud Solution: Such as CA Technologies/Veracode, HPE Fortify On-Demand (now Micro Focus)
- A cloud-based solution which needs to be augmented by your internal staff to review vulnerability results, remove false positives, and prioritize them for fixing.
3. On-Prem Tool: Such as IBM AppScan, HPE Fortify On-Premise, Checkmarx
- An on-premises tool, which requires internal resources to configure the tool, provide ongoing management, and verify vulnerabilities to remove false positives.
4. Cloud + Support: Such as CA Technologies/Veracode, HPE Fortify On-Demand
- A cloud-based solution plus a purchased professional-services and technical-support package that provides vulnerability verification and other support. Most AppSec vendors require some investment in professional services as part of the product purchase.
5. Fully Manual: Such as your local penetration testing service provider
- A fully manual option of hiring an external penetration testing firm to conduct point-in-time, fully manual assessments.
How you can use this TCO Calculator
You can customize the input fields in the calculator to change the number of hours needed to verify and filter false positives, and the hours spent providing remediation assistance and technical support, per application. You can get more granular by entering your geographical region, the hourly salary paid to a security engineer on your staff, and what it costs on an hourly basis to hire a penetration testing company. Because the labor-based inputs are multiplied by the number of applications in scope, they usually dominate the result once a portfolio grows beyond a handful of apps.
While this calculator is good for understanding relative costs, each business has its own unique requirements. To get a more refined calculation, with real dollar figures, please get in touch. Our experts can work with you to give you detailed pricing information and help you understand the costs you’d be likely to incur based on your precise business needs. In the meantime, please play around with this calculator and see what the numbers show you.
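To make the structure of such a comparison concrete, here is an added example of a small TCO model written for this article; it is not WhiteHat’s calculator and does not reproduce its formulas or default values. It uses the same kinds of inputs the calculator exposes (apps in scope, engineer and pentest hourly rates, hours per app for false-positive triage, remediation guidance, tool management, and manual testing) and models each alternative by which of those activities the buyer pays for in-house. All license figures, hours and rates in the block are placeholder assumptions for illustration only.

```python
"""Illustrative AppSec TCO model (added example; not WhiteHat's calculator).

Every dollar figure and hour count below is an assumed placeholder so the
model runs offline. Replace them with your own numbers before drawing conclusions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CostInputs:
    """Buyer-side inputs, mirroring the kinds of fields the calculator asks for."""
    apps: int                          # applications in scope
    engineer_rate: float               # loaded hourly cost of an in-house security engineer
    pentest_rate: float                # hourly rate of an external pentest/consulting firm
    fp_hours_per_app: float            # hours to verify results and remove false positives
    remediation_hours_per_app: float   # hours to produce remediation guidance for developers
    config_hours_per_app: float        # hours to configure and manage a tool
    pentest_hours_per_app: float       # hours of fully manual assessment


@dataclass(frozen=True)
class Alternative:
    """One buying option, described by what the buyer still has to pay for."""
    name: str
    license_per_app: float   # assumed annual license/subscription per app
    pro_services: float      # assumed flat professional services / support package
    in_house_fp: bool        # buyer's staff triage false positives
    in_house_remediation: bool  # buyer's staff write remediation advice
    in_house_config: bool    # buyer's staff configure and run the tool
    manual_pentest: bool     # an external firm performs manual assessments


def cost_breakdown(alt: Alternative, c: CostInputs) -> Dict[str, float]:
    """Return the annual cost line items; hidden labor costs scale with app count."""
    labor = c.apps * c.engineer_rate
    return {
        "license": alt.license_per_app * c.apps,
        "professional_services": alt.pro_services,
        "false_positive_triage": c.fp_hours_per_app * labor if alt.in_house_fp else 0.0,
        "remediation_guidance": c.remediation_hours_per_app * labor if alt.in_house_remediation else 0.0,
        "tool_config_and_mgmt": c.config_hours_per_app * labor if alt.in_house_config else 0.0,
        "manual_pentest": c.pentest_hours_per_app * c.apps * c.pentest_rate if alt.manual_pentest else 0.0,
    }


def tco(alt: Alternative, c: CostInputs) -> float:
    """Total annual cost of ownership for one alternative."""
    return sum(cost_breakdown(alt, c).values())


def hidden_cost_share(alt: Alternative, c: CostInputs) -> float:
    """Fraction of TCO that is not the license line (0.0 if TCO is zero)."""
    total = tco(alt, c)
    return 0.0 if total == 0 else (total - cost_breakdown(alt, c)["license"]) / total


def compare(alts: List[Alternative], c: CostInputs) -> List[Tuple[str, float]]:
    """Rank alternatives from cheapest to most expensive TCO."""
    return sorted(((a.name, tco(a, c)) for a in alts), key=lambda item: item[1])


# Assumed profiles for the five alternatives discussed in the article. The
# license and services figures are placeholders, not vendor pricing.
ALTERNATIVES = [
    Alternative("Vendor-verified SaaS", 6000.0, 0.0, False, False, False, False),
    Alternative("Cloud Solution", 4000.0, 0.0, True, True, False, False),
    Alternative("On-Prem Tool", 3000.0, 0.0, True, True, True, False),
    Alternative("Cloud + Support", 4000.0, 25000.0, False, True, False, False),
    Alternative("Fully Manual", 0.0, 0.0, False, False, False, True),
]

# Constructed sample inputs: 20 apps, in-house engineer at $90/h, pentester at $220/h.
SAMPLE_INPUTS = CostInputs(apps=20, engineer_rate=90.0, pentest_rate=220.0,
                           fp_hours_per_app=10.0, remediation_hours_per_app=6.0,
                           config_hours_per_app=8.0, pentest_hours_per_app=40.0)

if __name__ == "__main__":
    for name, total in compare(ALTERNATIVES, SAMPLE_INPUTS):
        alt = next(a for a in ALTERNATIVES if a.name == name)
        print(f"{name:22s} TCO ${total:>10,.0f}  hidden share {hidden_cost_share(alt, SAMPLE_INPUTS):.0%}")
```

Running the block prints the five alternatives ranked by modeled TCO together with the share of each that is not license cost; changing `fp_hours_per_app` or `apps` in `SAMPLE_INPUTS` shows how quickly the labor lines outgrow the license line, which is the point the calculator is designed to make.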
* Gartner, Inc., “Gartner Magic Quadrant for Application Security Testing” by Dionisio Zumerle, Ayal Tirosh, February 28, 2017.