www.datamonitor.com/technology

Software Security Testing Markets

Ensuring security by design

A Datamonitor report

Published: Jul-05 Product Code: DMTC1091

Use this report to...

Gain realistic forecasts of the revenues services firms and tool vendors can expect to generate from the market over the next four years

Providing you with:

• Examination of the market for software security testing tools and services among the ISV and internal end-user IT departments
• Analysis of the key drivers and inhibitors for such solutions and the differences between the effectiveness of the two approaches
• Findings of a survey of ISVs that investigates their security testing programs, including who draws up policies and their propensity to outsource
• Identification of the key vendors and services providers in the software security testing marketplace and core areas of focus in the market



Software Security Testing Markets – Ensuring security by design

DMTC1091

Introduction

Many IT security attacks such as viruses, worms and hacker attacks exploit vulnerabilities within commercially-available software and operating systems. As a result, customers are increasingly putting pressure on ISVs and equipment manufacturers to reduce the number of vulnerabilities within their solutions before they are shipped and introduce a greater degree of security functionality.

The strong understanding among end users of the need for greater overall IT security has benefited the security testing market two-fold. Firstly, it has prompted a greater use of tools and services within the organizations as they seek to improve the security of the applications that they build in-house to support their business processes. Secondly, it has led to many putting even greater pressure on the ISV community to produce software products with fewer security flaws – with the threat of taking their business elsewhere ever-present.

Reasons to buy

• Gain realistic forecasts of the revenues services firms and tool vendors can expect to generate from the market over the next four years
• Obtain an independent view of which vendors and services firms are most likely to meet customer expectations
• Obtain actionable recommendations as to the best approaches to take to increase market share

Key findings and highlights

• At the moment, among ISVs particularly, security testing is most commonly part of the overall QA process because the areas are mutually complementary. Indeed, some quality assurance tools are currently being used for security purposes – such as load balancing and strain-test tools being used to simulate denial of service conditions.
• As the number of vulnerabilities in a product will ultimately determine the perception of the quality of a solution, it is unsurprising that up to now most product testers have grouped the two areas together. A drawback to this approach is that, by not separating out the two areas, it is possible that not enough attention is given to security.
• Certainly security and functionality sometimes conflict and it is important to balance both rather than have one rule out the other. The danger is that by not looking at them in separate lights, security gaps may be missed because the developer is not looking for problems with the right mind-set.

Contact us...

From Europe: tel: +44 20 7675 7258 fax: +44 20 7675 7016 email: [email protected]
From Germany: tel: +49 69 9750 3119 fax: +49 69 9750 3320 email: [email protected]
From the US: tel: +1 212 686 7400 fax: +1 212 686 2626 email: [email protected]
From Asia Pacific: tel: +61 2 9006 1526 fax: +61 2 9006 1559 email: [email protected]


Sample pages from the report

Competitive dynamics

Improving software security DMTC1091
© Datamonitor (Published June 2005) Page 52
This report is a licensed product and is not to be photocopied

this area include: Symantec (@Stake), AppLabs, Paladion Networks and Security Innovation.

Competitor profile: @Stake (Symantec)

When Symantec, best known for its anti-virus solutions, bought @Stake, one of the leading cerebral security consulting services firms, the analyst community held its breath to see whether some of its more hard-core elements such as its software security code review services would be reduced or discarded. Luckily for the wider community (and indeed for Symantec’s development as a thought-leader in the enterprise security space) Symantec took the decision to continue this practice and, indeed, increasingly adopt such services internally to ensure that the products designed for security and enterprise systems were themselves not open to attack.

As a software security testing and penetration testing firm, @Stake feels that its key strength is that it looks at security from an application developer's point of view, something it feels is rare in the market. Essentially, because software is developed in a number of stages (the so-called 'waterfall model'), @Stake looks at each stage of this life-cycle model and has created a set of processes and actions for each stage. This model is clearly popular with both the ISV and end-user developer communities, with @Stake serving four out of the top ten ISVs and seven of the top ten financial services institutions. @Stake has also found that training is a popular option because many developers know that they do not fully understand where potential vulnerabilities can arise. Indeed, @Stake trained over 4,000 developers in 2004.

For @Stake, 2005 and 2006 will be big years for this sector, as the strong desire for security leads to action within end-users and ISVs alike. Currently, the focus is very much on the services side, because it feels that the tools market is currently underdeveloped. While tools are useful as a basis for a larger testing process, if they are applied specifically then that can become a hindrance, because of high false positive rates and even false negatives, whereby the solutions miss things altogether. The market for tools is, however, likely to mature over time and as tools become more effective they will gradually become more popular – as they have within the wider quality assurance market. Because @Stake has internally developed a number of tools to help it carry out its service engagements, the opportunity exists for launching a commercial product range in the future, as customer needs and demand evolve.

Customer dynamics

Improving software security DMTC1091
© Datamonitor (Published June 2005) Page 43

used internally developed processes to test their software for holes that could compromise the integrity of their software.

With only six organizations stating that they used external processes, it would suggest that in-house testing procedures using internal tools and processes and external tools are more popular. The large number of people that refused to answer this question, however, means that such ISVs may in fact use third-party processes but do not want to reveal this for internal policy reasons.

Outsourcing part of the security testing process

Figure 15: Is any software security testing outsourced? (No: 82%; Yes: 18%. Source: Datamonitor)

Over time, many organizations get to the stage where they fundamentally understand that they have reached the limits of internal development and that they need external assistance. This may be because either cost pressures make it impossible to get the right staff or the sheer number of flaws discovered leads ISVs to the conclusion that they are just not getting it right internally. Datamonitor therefore sought to determine whether or not this practice was widespread within the ISV community.

The results of this question reveal that, overall, outsourcing part of the security testing and quality assurance process is not currently commonplace, with only 18% of the

Market context

Improving software security DMTC1091
© Datamonitor (Published June 2005) Page 26

place first for these tools to be effective. They also believe that 'naked eye' testing will always be a vital part of the code testing process. Having said that, one services provider, AppLabs, believes that tools are very important – with AppLabs 'productizing' a number of open source tools by building processes and a set of capable people around specific tools. As a result, AppLabs believes that it is not always possible to separate the services and tools market from a market sizing perspective.

Relying on tools alone can be dangerous, however. To use them effectively you need to have the knowledge in-house. The best methodology that experts recommend is to decide which vulnerabilities you are looking for and then use the right tools to determine them afterwards. AppLabs states that it has no good reason to use commercially available tools when open source tools are available.

Figure 3: The ‘holy trinity’ of software security testing
• People: internal team / new hires; outsourced coders; third-party testing organizations
• Technologies: internally developed tools; open source tools; commercially developed tools
• Processes: internally developed processes; standards-based approach; third-party methodologies
Source: Datamonitor

In terms of tools, another professional services firm, the Symantec subsidiary @Stake, believes that, as many processes become repeatable, the use of tools will become more commonplace. Tools are useful for developing a set number of processes but it is dangerous to rely overly on them. Developers doing this can often incur a large number of false positives or may miss flaws completely. @Stake itself has internally developed a number of tools for its own processes and may productize


Table of contents

INTRODUCTION

MARKET CONTEXT
• Introduction
• Key findings
• Key market drivers
• The causes of software security flaws
• The importance of standards
  - Common criteria
  - ITSEC
• Dealing with upgrades and new releases
• Evaluators
• Other standards
• Tools vs services
• ISVs and internal developers
  - Internal developers
• Market sizing
• The global market size by type of customer
• Global software security testing product revenues
• Software security testing services revenues
• Conclusions

CUSTOMER DYNAMICS
• Introduction
• Key findings
  - Formal software security testing programs
  - Software security testing policy decision-makers
  - Policy information sources
  - Key testing focus areas
  - Security testing as part of the quality assurance process
  - Security as a separate budgeted activity
  - Tools and processes used for software security testing
  - Outsourcing part of the security testing process
  - A shift towards outsourcing?
  - Software security testing partners
• Conclusions

COMPETITIVE DYNAMICS
• Traditional application quality testing software vendors
  - Competitor profile: Segue Software
• Dedicated security testing tool vendors
  - Competitor profile: Kavado
• Systems integrators and accreditation houses
  - Competitor profile: SIVenture
• Dedicated software security testing services firms
  - Competitor profile: @Stake (Symantec)
• Conclusions

ACTION POINTS
• Introduction
• Action points
• Action point one: push customers to treat security testing as a stand-alone activity in the quality assurance process
• Action point two: develop a wide, modular portfolio of different tools and services for each stage of the software development life-cycle
• Action point three: software security testing tool vendors should develop professional services capabilities and vice versa
• Action point four: for software security testing services firms, the potential kite-marking benefits of their solutions should be heavily promoted
• Action point five: software security testing firms should view ISVs as potential gateways to the wider end-user developer community

APPENDIX

TABLES
Table 1: Global software security testing products and services markets, 2004-2008 ($m)
Table 2: Global software security testing products and services markets by customer-type, 2004-2008 ($m)
Table 3: Global software security testing products markets by customer-type, 2004-2008 ($m)
Table 4: Global software security testing services markets by customer-type, 2004-2008 ($m)

FIGURES
Figure 1: Global software security testing products and services markets, 2004-2008 ($m)
Figure 2: Common Criteria assurance levels
Figure 3: The 'holy trinity' of software security testing
Figure 4: Global software security testing products and services markets, 2004-2008 ($m)
Figure 5: Global software security testing products and services markets by customer-type, 2004-2008 ($m)
Figure 6: Global software security testing products markets by customer-type, 2004-2008 ($m)
Figure 7: Global software security testing services markets by customer-type, 2004-2008 ($m)
Figure 8: Does your company have a formal software security testing program?
Figure 9: Who is responsible for creating the security software testing policy?
Figure 10: What information sources did you use to draw up your security testing policy?
Figure 11: What are the principal areas of focus for the security program?
Figure 12: Is software security testing a part of the standard quality assurance process?
Figure 13: Is security testing a separate, budgeted activity? If not, when is this planned?
Figure 14: What tools and processes are currently used to eliminate security holes?
Figure 15: Is any software security testing outsourced?
Figure 16: How will your use of third-party services for software security testing change?
Figure 17: Who are your specific software security testing partners?
Figure 18: Datamonitor's market expertise and research and analysis methodology

“...As CIOs begin to understand the nature of the threats that they face, many are now pointing a finger of blame at the ISV community for leaving the holes that hackers and virus authors exploit in the first place...”

“...While anti-virus and firewall solutions can do much to protect organizations from IT security breaches, they can further improve resilience by selecting more stable and secure applications and operating systems to support their business processes...”


Datamonitor: Your total information solution

89% of our clients use Datamonitor research to develop competitive intelligence (Source: Datamonitor Customer Research)

Datamonitor is a premium business information company helping 5,000 of the world's leading companies across the Automotive, Consumer Markets, Energy, Financial Services, Healthcare and Technology sectors.

Our products and services are specifically designed to support our clients’ key business processes – from corporate strategy to competitive intelligence. We provide an independent and trustworthy source of data, analysis and forecasts to improve these processes and ultimately, to help grow your business.

Helping to grow your business through quality data, expert analysis and future forecasts:
• Corporate Strategy & Business Planning: make more effective strategic and business decisions
• Product Development & Commercialization: accelerate delivery of commercial success
• Targeting & Influencing the Market: assess and influence your commercial and market environment
• Market & Competitive Intelligence: maintain or obtain critical competitive advantage

No-one speaks louder than our clients: ACI, Atos Origin, Avaya Communications, Blue Pumpkin, BSKYB, BT, Bull, Chello, Cisco, CMG, Computer Associates, Convergys, CSC Financial Services, Deutsche Telekom, Diamond Cluster, EDS, Ericsson, Eyretel, France Telecom, Gemplus, Genesys, Hewlett Packard, IBM, Infogrames, Intel, Intervoice, KPN Mobile, Manugistics, Microsoft, Mitel Telecom, NCR, Nice Systems, Oberthur, Philips, S1 Corporation, Samsung, SAP, Sega, Setec, Siemens AG, Sonera, Sony, Staffware, Sun Microsystems, Sungard, Telefonica Moviles, Teleperformance, Thales, Thus, Unisys, Vivendi


Other reports available in this series

Interested in this topic? Datamonitor's Enterprise Security Strategic Planning Program (SPP) is a tailored, continuous advisory service combining a number of information sources.

IT security is growing as a proportion of technology spending as organizations become more aware of the threats to their IT systems. This SPP covers all of the major security products including firewalls, intrusion detection systems, anti-virus tools and public key infrastructure solutions. The SPP also analyzes IT security professional services including consulting, integration, education, training and managed services.

Subscribe to Monitor: a monthly update of Datamonitor's new products, delivered to you by email. Email: [email protected]

For more information on reports and briefs go to: www.datamonitor.com/technology

Security Information Management: Is It Either Software or Managed Security Services?
Security information management has become a hot topic over the past 18 months with a number of software and services firms offering a number of different ways of centralizing security monitoring and making sense of the security information overkill.
Published: Jan-05 Product code: DMTC1080

Evolving Enterprise Security Spending Trends
Analyzes enterprise security spending trends.
Published: Nov-04 Product code: DMTC1015

Email Filtering Services
Gauges the rapidly expanding email services market, which has so far been dominated by a number of relatively small, specialist service providers, and the likely evolution of the market going forwards.
Published: Jul-04 Product code: BFTC0962

IT Security in US Higher Education
Looks at the main concerns of higher education institutions in the US and where they are spending their security budgets.
Published: Jul-04 Product code: BFTC1008
