Operations

3/7/2018
10:30 AM
Ayman Sayed
Ayman Sayed
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security-Driven Companies Are More Successful

Software Security Masters are better at handling application development security and show much higher growth than their peers. Here's how to become one.

Strong revenue streams, adoring customers, and inspiring leaders are the usual hallmarks of a well-run business. When investors look to new companies to support, these factors are the ones that show whether a business will succeed or fail. Recently released research shows that business analysts should add one more: secure software.

A Freeform Dynamics survey (commissioned by CA Technologies) discovered an elite class of businesses that have ingrained security into their operations — deemed "Software Security Masters." They make up approximately one-third of the enterprises surveyed and include those that are better at handling application development security.

These Software Security Masters are more likely than their mainstream peers to see effective security as an enabler of increased business performance. This manifests itself in the form of superior metrics and outcomes in relation to software delivery. It is no coincidence that these organizations are seeing 40% higher revenue growth and 50% higher profit growth than their mainstream peers.

So, how do businesses tap into the benefits these Masters are seeing?

The trick is to make security a part of the DNA of the business and its operations. When businesses fall on hard times, executives turn to cut budgets on apparent luxuries, which they may imagine include security. This approach only helps in the short term as it creates a debt of security problems that will need to be fixed later.

Take a look at vulnerabilities from the chip manufacturers in Spectre and Meltdown — vulnerabilities that go back 20 years, despite only being discovered this year. These chips were developed based on a certain set of organizational priorities — processor speed and frequent deployments to outpace Moore's Law — with little or no concern for security.

Organizational culture has an influence on how priorities — which are driven by executives who dictate what matters to them — are executed. If executives see security as a core part of their business, they will avoid accruing this debt and instead look for ways to speed up application development processes because of, not despite, security.

But a successful Security Mastery movement needs to empower more than just executives to look at security differently. Full integration includes the developers. Once they see security as an important part of their organization, they can start to take responsibility for the security of their own code.

The benefits of security integration throughout an entire business allows companies to become more efficient across the board. Shifting security "left" in the development process takes the strain off quality assurance teams that no longer need to identify and fix basic vulnerabilities. Instead, they'll be able to use that time to get updates to customers faster and improve application performance.

With delivery life cycles shortening, it is essential that security becomes embedded into every step of the software life cycle: requirements, gathering, design, code creation, deployment, and operation. Special attention should also be paid to continuous testing capabilities at every step. In order to inject security into the DNA of the DevOps teams, organizations must know the point from where they are starting and begin with a thorough assessment of their current capabilities, strengths, and weaknesses.

Security Mastery is not so much a series of processes as it is an organizational mindset. While the size of this group of Masters may seem random, it appears to be a theme across other areas of innovation as well. Other surveys in this series found similar sized groups of Masters in other areas and elements of application development, such as automation and the ability to respond quickly to changing demands. Overall, it reflects how adopting a mindset of agility in the development life cycle can lead to great results, not only for the end product but also for the whole business.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ayman Sayed is President and Chief Product Officer at CA Technologies, responsible for the strategy and development of the company's full portfolio of Enterprise products and solutions. His mandate is to focus on building a differentiated product portfolio meant to help CA ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-2486
PUBLISHED: 2018-12-11
SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
CVE-2018-2492
PUBLISHED: 2018-12-11
SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.
CVE-2018-2494
PUBLISHED: 2018-12-11
Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.
CVE-2018-2497
PUBLISHED: 2018-12-11
The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT.
CVE-2018-2500
PUBLISHED: 2018-12-11
Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted.