Operations

3/7/2018
10:30 AM
Ayman Sayed
Ayman Sayed
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security-Driven Companies Are More Successful

Software Security Masters are better at handling application development security and show much higher growth than their peers. Here's how to become one.

Strong revenue streams, adoring customers, and inspiring leaders are the usual hallmarks of a well-run business. When investors look to new companies to support, these factors are the ones that show whether a business will succeed or fail. Recently released research shows that business analysts should add one more: secure software.

A Freeform Dynamics survey (commissioned by CA Technologies) discovered an elite class of businesses that have ingrained security into their operations — deemed "Software Security Masters." They make up approximately one-third of the enterprises surveyed and include those that are better at handling application development security.

These Software Security Masters are more likely than their mainstream peers to see effective security as an enabler of increased business performance. This manifests itself in the form of superior metrics and outcomes in relation to software delivery. It is no coincidence that these organizations are seeing 40% higher revenue growth and 50% higher profit growth than their mainstream peers.

So, how do businesses tap into the benefits these Masters are seeing?

The trick is to make security a part of the DNA of the business and its operations. When businesses fall on hard times, executives turn to cut budgets on apparent luxuries, which they may imagine include security. This approach only helps in the short term as it creates a debt of security problems that will need to be fixed later.

Take a look at vulnerabilities from the chip manufacturers in Spectre and Meltdown — vulnerabilities that go back 20 years, despite only being discovered this year. These chips were developed based on a certain set of organizational priorities — processor speed and frequent deployments to outpace Moore's Law — with little or no concern for security.

Organizational culture has an influence on how priorities — which are driven by executives who dictate what matters to them — are executed. If executives see security as a core part of their business, they will avoid accruing this debt and instead look for ways to speed up application development processes because of, not despite, security.

But a successful Security Mastery movement needs to empower more than just executives to look at security differently. Full integration includes the developers. Once they see security as an important part of their organization, they can start to take responsibility for the security of their own code.

The benefits of security integration throughout an entire business allows companies to become more efficient across the board. Shifting security "left" in the development process takes the strain off quality assurance teams that no longer need to identify and fix basic vulnerabilities. Instead, they'll be able to use that time to get updates to customers faster and improve application performance.

With delivery life cycles shortening, it is essential that security becomes embedded into every step of the software life cycle: requirements, gathering, design, code creation, deployment, and operation. Special attention should also be paid to continuous testing capabilities at every step. In order to inject security into the DNA of the DevOps teams, organizations must know the point from where they are starting and begin with a thorough assessment of their current capabilities, strengths, and weaknesses.

Security Mastery is not so much a series of processes as it is an organizational mindset. While the size of this group of Masters may seem random, it appears to be a theme across other areas of innovation as well. Other surveys in this series found similar sized groups of Masters in other areas and elements of application development, such as automation and the ability to respond quickly to changing demands. Overall, it reflects how adopting a mindset of agility in the development life cycle can lead to great results, not only for the end product but also for the whole business.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ayman Sayed is President and Chief Product Officer at CA Technologies, responsible for the strategy and development of the company's full portfolio of Enterprise products and solutions. His mandate is to focus on building a differentiated product portfolio meant to help CA ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The State of IT and Cybersecurity
The State of IT and Cybersecurity
IT and security are often viewed as different disciplines - and different departments. Find out what our survey data revealed, read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12294
PUBLISHED: 2018-06-19
WebCore/platform/graphics/texmap/TextureMapperLayer.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.2, is vulnerable to a use after free for a WebCore::TextureMapperLayer object.
CVE-2018-12519
PUBLISHED: 2018-06-19
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.
CVE-2018-12588
PUBLISHED: 2018-06-19
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-1 before 3.1.1-2 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the S...
CVE-2018-10811
PUBLISHED: 2018-06-19
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.
CVE-2018-10945
PUBLISHED: 2018-06-19
The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.