A key differentiator between application security testing (AST) solutions is the ROI that each method brings to the organization. How much time can be saved? How much money can your organization save during remediation? When vulnerabilities make it past the development stage and into production, how many different departments need to be involved in remediation efforts? These are all questions to consider when deciding which security solution brings the most value to your organization.
AST ROI can be measured in terms of the company resources consumed in remediating detected vulnerabilities: dollars, personnel and time.
The developer’s proximity to the problematic code makes a difference
For developers writing 50 lines of production code (LoC) per day, the price of “bolting on” security at the end of the development cycle is steep. With a two-week turnaround from when the code was written to when it is sent back to developers for mitigation, that delay can feel like an eternity. By then, the developer may be 500 LoC away from where they started.
The earlier that security is addressed in the software development lifecycle, the less time and company resources are wasted on mitigation as developers are still familiar with the code that needs to be fixed.
Shifting security left frees up valuable company resources
In addition to ensuring that developers remediate vulnerabilities in code they are still familiar with, shifting security left also reduces the number of personnel needed to mitigate the damage (or potential damage) of a flaw. The later in the development process a vulnerability is discovered, the more departments, teams and people are needed to mitigate both the code flaw and any damage to the organization’s reputation and release schedules.
How shifting security left with Checkmarx makes a big impact on the bottom line
According to the Ponemon Institute, vulnerabilities detected in production cost 100 times more to remediate than those discovered in the design stage of the SDLC, which is where Checkmarx identifies them.
Shifting left with Checkmarx’s CxSAST allows automation at every step of the software development process. This translates into savings at every integration point in the SDLC, because the costly resources that must be invested in vulnerability detection are significantly reduced.
Checkmarx can also incrementally scan only new or edited code, which adds further savings: scan times are reduced, and there is no need to rescan millions of lines of code when minor changes are made, as other solutions require.
Translating theories into dollars: Calculating the savings of using Checkmarx’s “Best Fix Location”
Checkmarx’s “Best Fix Location” maps the data flow from input to sink and identifies critical nodes where multiple attack vectors converge, enabling you to eliminate multiple vulnerabilities with a single fix.
This feature saves developer time and reduces company costs, but can you put a dollar value on its ROI?
We did, and so can your organization. Below is a video walkthrough of how to calculate the cost savings of Checkmarx’s “Best Fix Location” with our Global Director of Application Security Strategy, Matt Rose.
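To make the “convergence node” idea concrete, here is an added illustration (not Checkmarx’s code, and not how CxSAST is implemented) of how a set of reported input-to-sink flows can be reduced to a short fix plan: count how many flows each code location lies on, pick the location shared by the most flows, remove the flows it covers, and repeat. The flows and the `file:line` labels are constructed sample data.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Flow = Tuple[str, ...]

# Constructed sample data (hypothetical locations, not from a real scan).
# Each flow runs from a tainted input (first element) through intermediate
# code locations to a sink (last element). Three flows share one helper.
FLOWS: List[Flow] = [
    ("web.py:10 q = request.args['q']", "util.py:42 sql = build_query(q)", "db.py:7 cursor.execute(sql)"),
    ("web.py:22 name = request.form['name']", "util.py:42 sql = build_query(q)", "db.py:7 cursor.execute(sql)"),
    ("web.py:35 sid = request.cookies['sid']", "util.py:42 sql = build_query(q)", "db.py:7 cursor.execute(sql)"),
    ("web.py:50 page = request.args['page']", "render.py:3 html = template.render(page)", "web.py:51 HttpResponse(html)"),
]


def best_fix_location(flows: Sequence[Flow]) -> Tuple[str, int]:
    """Return (node, flows_covered) for the node that lies on the most flows.

    Ties are broken toward the node nearest the input, so a fix there also
    protects everything downstream of it on those flows.
    """
    covered: Dict[str, int] = Counter()
    positions: Dict[str, List[float]] = defaultdict(list)
    for flow in flows:
        seen = set()
        for idx, node in enumerate(flow):
            if node in seen:          # a loop may repeat a node; count it once
                continue
            seen.add(node)
            covered[node] += 1
            positions[node].append(idx / max(len(flow) - 1, 1))  # 0 = input, 1 = sink

    def score(node: str) -> Tuple[int, float]:
        mean_pos = sum(positions[node]) / len(positions[node])
        return (covered[node], -mean_pos)   # more flows first, then closer to input

    best = max(covered, key=score)
    return best, covered[best]


def fix_plan(flows: Sequence[Flow]) -> List[Tuple[str, int]]:
    """Greedy set cover: choose best fix locations until every flow is covered."""
    remaining = list(flows)
    plan: List[Tuple[str, int]] = []
    while remaining:
        node, n = best_fix_location(remaining)
        plan.append((node, n))
        remaining = [f for f in remaining if node not in f]
    return plan
```

For the sample above, `fix_plan(FLOWS)` yields two fix locations for four reported flows; the ratio of flows to fixes is the quantity a cost-per-remediation estimate would be multiplied by.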
Click here to read our full “ROI of Shifting Left” datasheet [PDF].