Doug Cavit here to talk about a presentation I'm giving at the RSA Conference, featuring findings from a Forrester Consulting thought leadership paper we recently released.

We're often asked, "What is the real return on investment for putting a secure application development program in place?" The conventional wisdom is that secure application development costs more than skipping it, that the probability of getting hacked is low, and that most organizations don't have the time or resources to do it right anyway. In other organizations secure development is recognized as important, but in practice corners are cut and only a few of the activities called for in a holistic security process are actually completed. The news carries many examples of where both of these philosophies have failed.

We have thought about this for quite a while now, and we've concluded that the Microsoft SDL process does in fact provide a return on investment beyond the cost of implementing it. Until now, though, we hadn't systematically looked outside the company to confirm our belief that holistic processes benefit an organization's bottom line.

We worked with Forrester Research to refine our thoughts and to test our premises with 150 Fortune 1000 companies. Forrester found that most of the companies in the study do not use a holistic secure development process. However, of those that did have such a process (such as the Microsoft SDL), many saw improvements in overall ROI, especially when compared with those using ad hoc solutions or "checklist" approaches.

The report gives insight into current application security development practices, exposes gaps in common processes, and discusses the issues that can arise from not using a comprehensive approach to secure software development. It also provides guidance on potential process improvements and suggests ways to measure the ROI of development security. The report can be found here: Forrester Consulting State of Application Security Thought Leadership Whitepaper.

At 4:10 pm on Tuesday, February 15, I'll be exploring this topic in more depth in the Microsoft booth at RSA. If you're at the RSA Conference, stop by and let us know what you think!