8/3/2019 Security Testing Market
http://slidepdf.com/reader/full/security-testing-market 1/8
www.datamonitor.com/technology
Software Security Testing Markets
Ensuring security by design
A Datamonitor report
Published: Jul-05 Product Code: DMTC1091
Use this report to...
Gain realistic forecasts of the revenues services firms and tool vendors can expect to generate from the market over the next four years
Providing you with:
• Examination of the market for software security testing tools and services among ISVs and internal end-user IT departments
• Analysis of the key drivers and inhibitors for such solutions and the differences between the effectiveness of the two approaches
• Findings of a survey of ISVs that investigates their security testing programs, including who draws up policies and their propensity to outsource
• Identification of the key vendors and services providers in the software security testing marketplace and core areas of focus in the market
Introduction

Many IT security attacks such as viruses, worms and hacker attacks exploit vulnerabilities within commercially available software and operating systems. As a result, customers are increasingly putting pressure on ISVs and equipment manufacturers to reduce the number of vulnerabilities within their solutions before they are shipped and to introduce a greater degree of security functionality.

The strong understanding among end users of the need for greater overall IT security has benefited the security testing market two-fold. Firstly, it has prompted greater use of tools and services within organizations as they seek to improve the security of the applications that they build in-house to support their business processes. Secondly, it has led many to put even greater pressure on the ISV community to produce software products with fewer security flaws, with the threat of taking their business elsewhere ever-present.

Reasons to buy
• Gain realistic forecasts of the revenues services firms and tool vendors can expect to generate from the market over the next four years
• Obtain an independent view of which vendors and services firms are most likely to meet customer expectations
• Get actionable recommendations on the best approaches to take to increase market share

Key findings and highlights
• At the moment, among ISVs particularly, security testing is most commonly part of the overall QA process because the two areas are mutually complementary. Indeed, some quality assurance tools are currently being used for security purposes, such as load-testing and stress-test tools being used to simulate denial-of-service conditions.
• As the number of vulnerabilities in a product will ultimately determine the perceived quality of a solution, it is unsurprising that up to now most product testers have grouped the two areas together. A drawback to this approach is that, by not separating out the two areas, security may not be given enough attention.
• Certainly security and functionality sometimes conflict, and it is important to balance both rather than have one rule out the other. The danger is that, by not looking at them in separate lights, security gaps may be missed because the developer is not looking for problems with the right mind-set.
Contact us...
From Europe: tel: +44 20 7675 7258 fax: +44 20 7675 7016 email: [email protected]
From Germany: tel: +49 69 9750 3119 fax: +49 69 9750 3320 email: [email protected]
From the US: tel: +1 212 686 7400 fax: +1 212 686 2626 email: [email protected]
From Asia Pacific: tel: +61 2 9006 1526 fax: +61 2 9006 1559 email: [email protected]
Sample pages from the report
Competitive dynamics
Improving software security DMTC1091
© Datamonitor (Published June 2005) Page 52
This report is a licensed product and is not to be photocopied
... this area include: Symantec (@Stake), AppLabs, Paladion Networks and Security Innovation.
Competitor profile: @Stake (Symantec)

When Symantec, best known for its anti-virus solutions, bought @Stake, one of the leading cerebral security consulting services firms, the analyst community held its breath to see whether some of its more hard-core elements, such as its software security code review services, would be reduced or discarded. Luckily for the wider community (and indeed for Symantec's development as a thought-leader in the enterprise security space) Symantec took the decision to continue this practice and, indeed, increasingly to adopt such services internally to ensure that the products designed for security and enterprise systems were themselves not open to attack.

As a software security testing and penetration testing firm, @Stake feels that its key strength is that it looks at security from an application developer's point of view, something it feels is rare in the market. Essentially, because software is developed in a number of stages (the so-called 'waterfall model'), @Stake looks at each stage of this life-cycle model and has created a set of processes and actions for each stage. This model is clearly popular with both the ISV and end-user developer communities, with @Stake serving four out of the top ten ISVs and seven of the top ten financial services institutions. @Stake has also found that training is a popular option because many developers know that they do not fully understand where potential vulnerabilities can arise. Indeed, @Stake trained over 4,000 developers in 2004.

For @Stake, 2005 and 2006 will be big years for this sector, as the strong desire for security leads to action within end-users and ISVs alike. Currently, the focus is very much on the services side, because it feels that the tools market is currently underdeveloped. While tools are useful as a basis for a larger testing process, if they are applied on their own they can become a hindrance, because of high false positive rates and even false negatives, whereby the solutions miss things altogether. The market for tools is, however, likely to mature over time and, as tools become more effective, they will gradually become more popular, as they have within the wider quality assurance market. Because @Stake has internally developed a number of tools to help it carry out its service engagements, the opportunity exists for launching a commercial product range in the future, as customer needs and demand evolve.
Customer dynamics (report page 43)
... used internally developed processes to test their software for holes that could compromise the integrity of their software.

With only six organizations stating that they used external processes, this would suggest that in-house testing procedures using internal tools and processes, together with external tools, are more popular. The large number of respondents that refused to answer this question, however, means that such ISVs may in fact use third-party processes but do not want to reveal this for internal policy reasons.

Outsourcing part of the security testing process

Figure 15: Is any software security testing outsourced? No: 82%; Yes: 18%. Source: Datamonitor

Over time, many organizations get to the stage where they fundamentally understand that they have reached the limits of internal development and that they need external assistance. This may be because cost pressures make it impossible to get the right staff, or because the sheer number of flaws discovered leads ISVs to the conclusion that they are just not getting it right internally. Datamonitor therefore sought to determine whether or not this practice was widespread within the ISV community.

The results of this question reveal that, overall, outsourcing part of the security testing and quality assurance process is not currently commonplace, with only 18% of the ...
Market context (report page 26)
... place first for these tools to be effective. They also believe that 'naked eye' testing will always be a vital part of the code testing process. Having said that, one services provider, AppLabs, believes that tools are very important, with AppLabs 'productizing' a number of open source tools by building processes and a set of capable people around specific tools. As a result, AppLabs believes that it is not always possible to separate the services and tools markets from a market sizing perspective.

Relying on tools alone can be dangerous, however. To use them effectively you need to have the knowledge in-house. The methodology that experts recommend is to decide first which vulnerabilities you are looking for, and only then to use the right tools to find them. AppLabs states that it has no good reason to use commercially available tools when open source tools are available.
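The false-positive and false-negative problem raised above, and the "decide what you are looking for first" methodology, can be seen on a small scale. The Python script below is an added example and is not from the report or from any vendor named in it: it runs a pattern-only "grep for banned functions" check and two checks scoped to a decided-upon bug class over a constructed C snippet. The snippet, the rule names and the regular expressions are all assumptions made for the illustration, not anyone's product.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed C source for the demonstration; it is not taken from any real
# product. Line 1 is a comment that mentions a banned name, line 9 writes an
# unbounded string into a 32-byte stack buffer, and line 12 copies a
# caller-supplied number of bytes.
SAMPLE_C = """\
// strcpy is banned by the coding standard
char *safe_copy(char *dst, const char *src, size_t n) {
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\\0';
    return dst;
}
void greet(const char *name) {
    char buf[32];
    sprintf(buf, "Hello %s", name);
}
void copy_record(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str    # hypothetical rule name chosen for this example
    detail: str


# Approach 1: grep for banned function names with no idea of which bug class
# is being hunted. Comments, log strings and safe wrappers all match.
BANNED = re.compile(r"\b(strcpy|sprintf|gets)\b")


def pattern_only_scan(source: str) -> list[Finding]:
    return [
        Finding(n, "banned-name", m.group(1))
        for n, line in enumerate(source.splitlines(), 1)
        if (m := BANNED.search(line))
    ]


# Approach 2: decide on the bug classes first, then write a check for each.
#   stack-overflow   : unbounded write into a fixed-size local char array
#   unchecked-length : memcpy whose length is a raw function parameter
FUNC_HEAD = re.compile(r"^[^\s].*?\b(\w+)\s*\(([^)]*)\)\s*\{\s*$")
LOCAL_BUF = re.compile(r"^\s*char\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;")
UNBOUNDED_WRITE = re.compile(r"^\s*(strcpy|sprintf|gets)\s*\(\s*(\w+)\s*[,)]")
MEMCPY = re.compile(r"^\s*memcpy\s*\(\s*\w+\s*,\s*\w+\s*,\s*(\w+)\s*\)")


def scoped_scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    params: set[str] = set()         # parameter names of the current function
    local_bufs: dict[str, int] = {}  # fixed-size char arrays declared so far
    for n, line in enumerate(source.splitlines(), 1):
        if m := FUNC_HEAD.match(line):
            # New function: remember its parameters, forget the old locals.
            params = {p.split()[-1].lstrip("*")
                      for p in m.group(2).split(",") if p.strip()}
            local_bufs = {}
        elif m := LOCAL_BUF.match(line):
            local_bufs[m.group(1)] = int(m.group(2))
        elif (m := UNBOUNDED_WRITE.match(line)) and m.group(2) in local_bufs:
            dst = m.group(2)
            findings.append(Finding(
                n, "stack-overflow",
                f"{m.group(1)} into {dst}[{local_bufs[dst]}] with no bound"))
        elif (m := MEMCPY.match(line)) and m.group(1) in params:
            findings.append(Finding(
                n, "unchecked-length",
                f"memcpy length '{m.group(1)}' is a caller-supplied parameter"))
    return findings


def compare(source: str) -> dict[str, list[int]]:
    """Line numbers flagged by each approach, for a side-by-side view."""
    return {
        "pattern_only": sorted(f.line for f in pattern_only_scan(source)),
        "scoped": sorted(f.line for f in scoped_scan(source)),
    }


if __name__ == "__main__":
    for name, lines in compare(SAMPLE_C).items():
        print(f"{name:13s} -> lines {lines}")
    for f in scoped_scan(SAMPLE_C):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

The pattern-only check flags the comment on line 1 (a false positive) and never sees the memcpy with a caller-supplied length on line 12 (a false negative). The scoped checks report lines 9 and 12 and nothing else, but only because someone decided in advance that those two classes were worth looking for; anything outside the decided classes is still left to manual review, which is why the services firms quoted on this page keep 'naked eye' testing in the process.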
Figure 3: The 'holy trinity' of software security testing
People: internal team / new hires; outsourced coders; third-party testing organizations
Technologies: internally developed tools; open source tools; commercially developed tools
Processes: internally developed processes; standards-based approach; third-party methodologies
Source: Datamonitor
In terms of tools, another professional services firm, the Symantec subsidiary @Stake, believes that, as many processes become repeatable, the use of tools will become more commonplace. Tools are useful for developing a set number of processes, but it is dangerous to rely overly on them. Developers doing this can often incur a large number of false positives or may miss flaws completely. @Stake itself has internally developed a number of tools for its own processes and may productize ...
"...As CIOs begin to understand the nature of the threats that they face, many are now pointing a finger of blame at the ISV community for leaving the holes that hackers and virus authors exploit in the first place..."

Table of contents

INTRODUCTION

MARKET CONTEXT
• Introduction
• Key findings
• Key market drivers
• The causes of software security flaws
• The importance of standards
- Common Criteria
- ITSEC
• Dealing with upgrades and new releases
• Evaluators
• Other standards
• Tools vs services
• ISVs and internal developers
- Internal developers
• Market sizing
• The global market size by type of customer
• Global software security testing product revenues
• Software security testing services revenues
• Conclusions

CUSTOMER DYNAMICS
• Introduction
• Key findings
- Formal software security testing programs
- Software security testing policy decision-makers
- Policy information sources
- Key testing focus areas
- Security testing as part of the quality assurance process
- Security as a separate budgeted activity
- Tools and processes used for software security testing
- Outsourcing part of the security testing process
- A shift towards outsourcing?
- Software security testing partners
• Conclusions

COMPETITIVE DYNAMICS
• Traditional application quality testing software vendors
- Competitor profile: Segue Software
• Dedicated security testing tool vendors
- Competitor profile: Kavado
• Systems integrators and accreditation houses
- Competitor profile: SIVenture
• Dedicated software security testing services firms
- Competitor profile: @Stake (Symantec)
• Conclusions

ACTION POINTS
• Introduction
• Action points
• Action point one: push customers to treat security testing as a stand-alone activity in the quality assurance process
• Action point two: develop a wide, modular portfolio of different tools and services for each stage of the software development life-cycle
• Action point three: software security testing tool vendors should develop professional services capabilities and vice versa
• Action point four: for software security testing services firms, the potential kite-marking benefits of their solutions should be heavily promoted
• Action point five: software security testing firms should view ISVs as potential gateways to the wider end-user developer community

APPENDIX

TABLES
Table 1: Global software security testing products and services markets, 2004-2008 ($m)
Table 2: Global software security testing products and services markets by customer-type, 2004-2008 ($m)
Table 3: Global software security testing products markets by customer-type, 2004-2008 ($m)
Table 4: Global software security testing services markets by customer-type, 2004-2008 ($m)

FIGURES
Figure 1: Global software security testing products and services markets, 2004-2008 ($m)
Figure 2: Common Criteria assurance levels
Figure 3: The 'holy trinity' of software security testing
Figure 4: Global software security testing products and services markets, 2004-2008 ($m)
Figure 5: Global software security testing products and services markets by customer-type, 2004-2008 ($m)
Figure 6: Global software security testing products markets by customer-type, 2004-2008 ($m)
Figure 7: Global software security testing services markets by customer-type, 2004-2008 ($m)
Figure 8: Does your company have a formal software security testing program?
Figure 9: Who is responsible for creating the security software testing policy?
Figure 10: What information sources did you use to draw up your security testing policy?
Figure 11: What are the principal areas of focus for the security program?
Figure 12: Is software security testing a part of the standard quality assurance process?
Figure 13: Is security testing a separate, budgeted activity? If not, when is this planned?
Figure 14: What tools and processes are currently used to eliminate security holes?
Figure 15: Is any software security testing outsourced?
Figure 16: How will your use of third-party services for software security testing change?
Figure 17: Who are your specific software security testing partners?
Figure 18: Datamonitor's market expertise and research and analysis methodology
"...While anti-virus and firewall solutions can do much to protect organizations from IT security breaches, they can further improve resilience by selecting more stable and secure applications and operating systems to support their business processes..."
Datamonitor is a premium business information company helping 5,000 of the world's leading companies across the Automotive, Consumer Markets, Energy, Financial Services, Healthcare and Technology sectors. Our products and services are specifically designed to support our clients' key business processes, from corporate strategy to competitive intelligence. We provide an independent and trustworthy source of data, analysis and forecasts to improve these processes and ultimately, to help grow your business.
Other reports available in this series

Datamonitor's Enterprise Security Strategic Planning Program (SPP) is a tailored, continuous advisory service combining a number of information sources. IT security is growing as a proportion of technology spending as organizations become more aware of the threats to their IT systems. This SPP covers all of the major security products including firewalls, intrusion detection systems, anti-virus tools and public key infrastructure solutions. The SPP also analyzes IT security professional services including consulting, integration, education, training and managed services.
Security Information Management: Is It Either Software or Managed Security Services?
Security information management has become a hot topic over the past 18 months, with a number of software and services firms offering a number of different ways of centralizing security monitoring and making sense of the security information overload.
Published: Jan-05 Product code: DMTC1080

Evolving Enterprise Security Spending Trends
Analyzes enterprise security spending trends.
Published: Nov-04 Product code: DMTC1015

Email Filtering Services
Gauges the rapidly expanding email services market, which has so far been dominated by a number of relatively small, specialist service providers, and the likely evolution of the market going forwards.
Published: Jul-04 Product code: BFTC0962

IT Security in US Higher Education
Looks at the main concerns of higher education institutions in the US and where they are spending their security budgets.
Published: Jul-04 Product code: BFTC1008