Operations

3/7/2018
10:30 AM
Ayman Sayed
Ayman Sayed
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security-Driven Companies Are More Successful

Software Security Masters are better at handling application development security and show much higher growth than their peers. Here's how to become one.

Strong revenue streams, adoring customers, and inspiring leaders are the usual hallmarks of a well-run business. When investors look to new companies to support, these factors are the ones that show whether a business will succeed or fail. Recently released research shows that business analysts should add one more: secure software.

A Freeform Dynamics survey (commissioned by CA Technologies) discovered an elite class of businesses that have ingrained security into their operations — deemed "Software Security Masters." They make up approximately one-third of the enterprises surveyed and include those that are better at handling application development security.

These Software Security Masters are more likely than their mainstream peers to see effective security as an enabler of increased business performance. This manifests itself in the form of superior metrics and outcomes in relation to software delivery. It is no coincidence that these organizations are seeing 40% higher revenue growth and 50% higher profit growth than their mainstream peers.

So, how do businesses tap into the benefits these Masters are seeing?

The trick is to make security a part of the DNA of the business and its operations. When businesses fall on hard times, executives turn to cut budgets on apparent luxuries, which they may imagine include security. This approach only helps in the short term as it creates a debt of security problems that will need to be fixed later.

Take a look at vulnerabilities from the chip manufacturers in Spectre and Meltdown — vulnerabilities that go back 20 years, despite only being discovered this year. These chips were developed based on a certain set of organizational priorities — processor speed and frequent deployments to outpace Moore's Law — with little or no concern for security.

Organizational culture has an influence on how priorities — which are driven by executives who dictate what matters to them — are executed. If executives see security as a core part of their business, they will avoid accruing this debt and instead look for ways to speed up application development processes because of, not despite, security.

But a successful Security Mastery movement needs to empower more than just executives to look at security differently. Full integration includes the developers. Once they see security as an important part of their organization, they can start to take responsibility for the security of their own code.

The benefits of security integration throughout an entire business allows companies to become more efficient across the board. Shifting security "left" in the development process takes the strain off quality assurance teams that no longer need to identify and fix basic vulnerabilities. Instead, they'll be able to use that time to get updates to customers faster and improve application performance.

With delivery life cycles shortening, it is essential that security becomes embedded into every step of the software life cycle: requirements, gathering, design, code creation, deployment, and operation. Special attention should also be paid to continuous testing capabilities at every step. In order to inject security into the DNA of the DevOps teams, organizations must know the point from where they are starting and begin with a thorough assessment of their current capabilities, strengths, and weaknesses.

Security Mastery is not so much a series of processes as it is an organizational mindset. While the size of this group of Masters may seem random, it appears to be a theme across other areas of innovation as well. Other surveys in this series found similar sized groups of Masters in other areas and elements of application development, such as automation and the ability to respond quickly to changing demands. Overall, it reflects how adopting a mindset of agility in the development life cycle can lead to great results, not only for the end product but also for the whole business.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ayman Sayed is President and Chief Product Officer at CA Technologies, responsible for the strategy and development of the company's full portfolio of Enterprise products and solutions. His mandate is to focus on building a differentiated product portfolio meant to help CA ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10016
PUBLISHED: 2019-03-25
GForge Advanced Server 6.4.4 allows XSS via the commonsearch.php words parameter, as demonstrated by a snippet/search/?words= substring.
CVE-2019-10018
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case.
CVE-2019-10019
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PSOutputDev::checkPageSlice at PSOutputDev.cc for nStripes.
CVE-2019-10020
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function Splash::scaleImageYuXu at Splash.cc for x Bresenham parameters.
CVE-2019-10021
PUBLISHED: 2019-03-25
An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps.