Quantifying the Value of Investments in Application Security: An ROI White Paper


Table of contents

Introduction (page 3)
Executive overview (page 4)
  Table 1: Categories for benefits (page 4)
Application security requirements (page 5)
  Table 2: Application security requirements (page 5)
A complete system for application security (page 5)
Application security summary (page 6)
  Table 3: Value offered by each of the functional components of HP Application Security Center (page 6)
HP Software’s ROI approach (page 7)
  Figure 1: The HP ROI model approach (page 7)
  Table 4: Key components of an ROI-benefit scenario (page 8)
Customer data and results (page 9)
  Table 5: ROI example for end-user productivity (page 9)
  Example A: End-user productivity (page 9)
  Table 6: ROI example for automated security testing (page 11)
  Example B: Application security testing for the full software lifecycle (page 11)
  Table 7: ROI example for application security audit compliance (page 12)
  Example C: Internal and external security audits (page 12)
  Table 8: ROI example for intellectual capital retention (page 13)
  Example D: Intellectual capital retention (page 13)
Consolidating results (page 14)
  Table 9: Consolidating results from ROI-benefit scenarios (page 14)
Summary (page 15)


Introduction

Web application software has become the circulatory system of the global economy. These capabilities manage our financial transactions, track the products in our ports’ shipping containers, monitor a sick person’s vital signs, and a lot more. Innovations in software development are changing our perceptions of the Internet, reshaping enterprises and giving birth to significant new businesses. From Web 2.0 to Cloud Computing, software is not only driving global change, but it is also dictating the ever increasing pace of that change.

No matter the industry, the enterprise is affected by these trends, whether through internal software development initiatives, outsourced development, or the strategic procurement of commercial software. The goals of creating new markets, gaining a competitive advantage, achieving organizational efficiencies, and communicating efficiently are likely intertwined with companies’ efforts to introduce software innovations.

A key success factor in leveraging the business benefits of software is assuring that it is implemented securely. Standing still is not an option, but failure to take appropriate measures to focus on software quality and security introduces unnecessary risk within your enterprise and often results in a situation where the organization takes one step forward and two steps back.

The HP Application Security Center (ASC) solution provides the market’s leading enterprise Web application security solution, enabling organizations to manage and scale their application security testing across the development lifecycle in a highly cost-effective manner. The Application Security Center from HP provides a platform that gives customers a consistent means to manage and automate this process, removing the biggest challenge most enterprises face with a manual approach to Web application security testing.

Our customers tell us that investing in Application Security Center intuitively makes sense, but how do we quantify the business value of an investment in a way that withstands investment-process scrutiny? This white paper explains a systematic approach to building a credible business case and provides real-world examples of the return on investment (ROI) for HP Application Security Center solutions. The examples show substantial cost savings and improved process efficiencies.

Specifically, HP has developed an ROI process and model to quantify the business value of our application security solutions. The HP ROI model is based on first-hand research conducted with our customers and has been validated by HP customers across industry segments. This ROI process and model, along with the related customer examples, can serve as a starting point for building a business case to justify an investment in the application security solution.



Executive overview

Malicious attacks targeting Web applications have increased at a rapid pace over the last five years, and stories of compromised Websites and applications with thousands of customer records stolen, affecting all industries and all geographies, are in the news every day. The cost and implications to the business of a successful breach are never trivial, and place organizations at considerable risk of damage to brand and reputation, lost revenue, fines, lawsuits, and non-compliance with government and industry regulations. In several well-known cases, businesses have collapsed and gone bankrupt as the result of successful Web application hacks.

While the spectacular multi-million record breaches garner great attention, research of past data breaches by the Ponemon Institute has established that, on average, a successful hack of an application that results in the loss of just 30,000 customers’ personally identifiable information costs an organization nearly $6 million in internal investigation, customer notification, and regulatory compliance expenses.¹

As these application attacks grow more prevalent and the consequences more severe, the importance of application security has moved to the forefront, and demand for application security software solutions has been growing rapidly. IT executives, application owners, and CIOs know they need to implement comprehensive Web application security programs to meet compliance requirements and prevent security breaches. However, in today’s business environment, all IT expenditures must be justified in financial terms. Application security solutions are no exception.

To help simplify the process of building a business case for HP Application Security Software solutions, HP has developed a customer-centric ROI framework and process to help our customers understand, quantify, and communicate the value of application security solutions to their business.

HP solutions benefit line-of-business, security, and IT functions alike. ROI can stem from cost reduction, risk mitigation, or time-to-value improvements, as suggested in Table 1.

In the examples shown in this document, an HP customer testifies to the ROI they have achieved with their HP application security software solutions. These examples, coupled with the explanation of the HP ROI approach, are intended to help business managers customize a business case for their unique business situation, quantifying the benefits of application security software in their environment.

¹ “2007 Annual Study: Cost of a Data Breach”, Ponemon Institute, November 28, 2007


Cost reduction
• Reduced cost associated with security code reviews, test script creation, test execution, test reporting, and script maintenance by way of automated application security testing throughout the software lifecycle
• Reduced cost associated with manual Website security assessments and scan data consolidation through integrated, automated, real-time and scalable Web application security assessments
• Reduced cost of application rework through a reduced number of outages attributable to application security defects
• Reduced auditing cost through proactive, automatically scheduled security checks, policy enforcement, and reporting
• Reduced cost for staff to research new security vulnerabilities on an ongoing basis, due to the centrally managed and automatically updated library of security checks and vulnerabilities

Risk mitigation
• Reduced number and duration of application security-induced outages lead to:
  − Less end-user production time lost
  − Reduced effort associated with problem identification and resolution
  − Revenue protection
  − Reduction in SLA non-compliance penalties

Time to value
• Reduced cost of replacing the knowledge of key individuals by way of capturing and reusing testing artifacts
• Improved return by getting revenue-producing applications to market faster

Table 1: Categories for benefits


Application security requirements

As a growing number of companies suffer through an application security incident and the attendant costly clean-up and inevitable customer loss, organizations understand that a comprehensive Web application security solution has become a business requirement.

No organization wants to see their company in the news because an attacker infiltrated an application and stole sensitive private customer information or gained access to their corporate network and back-end applications. CIOs, application owners, and IT executives are faced with the challenge of applying a structured process toward secure software development to meet compliance requirements, prevent security breaches, and save time and money that would otherwise be spent reworking security defects. They are asking questions such as:

• Why are we not better protected when we have invested so much in security?
• Why is it that our security professionals cannot secure our applications by themselves?
• Why are we spending so much on security vulnerability remediation?
• If developers are required to remediate security software defects, how do we detect these security defects earlier in the application software development lifecycle?
• How can we be sure to remain compliant with government and industry regulations?
• What can we do to reduce the costs associated with Web application development and maintenance?
• Do we need to hire expensive security experts to achieve a comprehensive Web application security program?
• Can we get fast and accurate Web application security testing for complicated sites leveraging the latest technologies such as JavaScript™, FLASH, REST, SOAP, or AJAX?

These questions lead to a broader set of requirements. Table 2 summarizes the major categories of requirements of today’s IT executives.

A complete system for application security

In the past, many IT organizations addressed security with firewalls, intrusion detection, and intrusion prevention technologies, but these measures alone are not enough. By their very nature, Web applications are an open door to malicious hackers. One of the scariest things about Web application hacks is that most of the time, the hackers look like standard traffic, which makes them difficult to detect. They are able to leverage the open door that enables Web traffic, and gain access to an organization’s systems and information. Furthermore, Web application technologies have matured, resulting in more complex and dynamic technologies. As a result, traditional scanners fail to discover exploitable security vulnerabilities that can pose risks to an organization.


Function: requirements of today’s IT executives

Development (DevInspect)
• Developers must build secure Web applications and Web services quickly and easily, and it cannot be expected that the developers have security expertise.
• Developers need to find, fix, and protect against application security defects during development to reduce the costs associated with application changes.

Testing (QAInspect)
• QA teams must find and prioritize Web application security vulnerabilities and present detailed information, including remediation advice for the vulnerabilities.
• QA professionals need to analyze pages, use scenarios and entire Web applications and Web services to find all application security defects and assign them to development for remediation.

Production (WebInspect)
• Security professionals need to scan and assess entire Web applications and Web services before and after they are in production to find all application and platform security vulnerabilities, and meet legal and regulatory compliance.

End-to-end application security (Assessment Management Platform (AMP))
• Developers, QA teams, and security professionals need to conduct automated Web application security testing and assessments, find information about Web security vulnerabilities, and manage the overall Web application security program with consolidated real-time information and high-level summary views of the enterprise’s current risk posture and regulatory compliance.

Table 2: Application security requirements


HP has taken a leadership position in the application security market. HP Application Security Center is an effective end-to-end application security solution that provides organizations the means to manage the process of finding and fixing security vulnerabilities throughout the application lifecycle, from requirements definition, development and testing, through production. Sophisticated assessment technology to perform Web application and Web service security testing and assessment is embedded in all of the HP Application Security Center software products for thorough analysis of today’s complex Web applications built on emerging technologies. The HP application security software products deliver fast scanning capabilities, broad assessment coverage, and accurate Web application scanning results.

HP software is designed with flexibility in mind. Some development and QA organizations want to deploy software that is integrated into the development and testing environments. Others want a centralized solution for authorized team members to conduct security tests as needed. Many organizations implement a combined approach in which security professionals manage the overall security program, working with developers, QA teams, and security experts. They need flexible solutions to define and manage Web application security processes.

HP DevInspect software, HP QAInspect software, and HP WebInspect software are designed for developers, QA professionals, and security professionals respectively. HP Assessment Management Platform software brings these products together and can be leveraged by each audience for different purposes. The components of HP Application Security Center were defined according to the business needs identified in Table 2. When used together, these products provide an effective end-to-end application security testing solution. Table 3 shows the functional components included in HP Application Security Center as well as the business and IT value offered by each of these components.

Application security summary

HP Application Security Center helps developers, QA teams, and security professionals to assess and remedy application security risk and vulnerabilities quickly. HP Application Security Center provides common security policy definitions, automated security tests, centralized permissions control, and Web-based access to security information. By using the HP Application Security Center products, companies can instill and enforce secure development throughout the entire application lifecycle.


Component: capabilities

DevInspect: HP DevInspect simplifies security at the earliest stages, during development, by finding and fixing application vulnerabilities automatically. It combines source code analysis with black-box testing in a single, cooperative process, helping to reduce false positives and find more application security defects.

QAInspect: HP QAInspect enables QA teams to manage and conduct functional testing and Website security testing from a single platform, without the need for specialized security knowledge. It features deep and intuitive integration into the most popular testing platforms, helping to test Web applications for security without leaving the QA environment.

WebInspect: HP WebInspect delivers fast scanning capabilities, broad security assessment coverage, and accurate Web application security scanning results. The software identifies security vulnerabilities that are undetectable by traditional scanners.

Assessment Management Platform: HP Assessment Management Platform addresses the complexities of Web application security testing and scanning programs. It lets all constituents get information about application security vulnerabilities and participate in the assessment and remediation process without losing centralized control.

Table 3: Value offered by each of the functional components of HP Application Security Center


[Figure 1 (diagram; labels only): stages Discover, Align, Model, Deliver. Discover: Business, Applications, Initiatives, Infrastructure; Challenges/pain (in form of anecdotes). Align: Value propositions. Model: Benefits and investments; Customer data. Deliver: ROI result; Business case package.]

HP Application Security Center allows companies to:

• Lower risks by detecting security defects early in the application software development lifecycle
• Reduce time and budget for a security risk assessment through consolidated, automated testing
• Facilitate a coordinated application security testing program across different departments in different locations
• Provide visibility into the enterprise-wide application security status through pre-configured reports
• Help management measure the effectiveness of the corporate security risk assessment program
• Meet legal and regulatory compliance requirements
• Support sites built on emerging technologies, including those using JavaScript, FLASH, Web services, SOAP, or AJAX

HP Application Security Center offers an effective end-to-end application security solution to enable organizations to stay protected from costly security breaches, remain compliant with government and industry regulations, and even reduce the long-term costs associated with application maintenance. Further information about HP Application Security Center, including white papers, solution briefs, and other collateral, can be found at www.hp.com/go/securitysoftware

The remainder of this paper provides an overview of the HP ROI model, followed by examples of customer ROI-benefit scenarios that show the impact on business and IT for the functional areas of the application security solution from HP.

HP Software’s ROI approach

HP Software’s ROI approach is based on third-party-created and validated models and industry/customer research by the leading IT consultancy IDC and its ROI tool partner, the leading ROI/TCO consultancy Alinean. The ROI analysis process, models, and metrics were developed over the past four years by researching overall IT spending and KPIs worldwide in over 35 different industries, interviewing selected customers to determine specific realized and proven value, and directly engaging with customers using the methodology and tools to refine the modeling and value estimates further. This work resulted in the definition of a customer-centric ROI framework and process, as illustrated in Figure 1 and described as follows.

• Discover: A credible business case/ROI must be anchored in a customer’s “business reality.” This schematic suggests four categories of discovery to focus on. It is during this initial discovery stage that it is helpful to document challenges and specific problems. These challenges can be collected as Business Value/ROI Anecdotes.²

• Align: The key to a successful ROI is converting this somewhat abstract understanding of a customer’s business context and business value anecdotes into a set of quantifiable value propositions. A value proposition is a specific customer-centric statement of expected business or IT value, ideally quantifiable in monetary terms.

² A Business Value Anecdote is a brief statement of a “pain” or the observed or expected benefit of an HP solution from the customer’s perspective.


Figure 1: The HP ROI model approach


• Model: Two types of models are crafted. The Benefits Model consists of a set of Benefit Worksheets. Each ROI-benefit scenario is a quantified value proposition, representing the most granular unit of annualized business or IT value. HP has compiled a collection of Benefit Worksheets from our work to date that customers may find helpful in launching their ROI projects. The Investment Model projects requirements for a given solution into the future and uses these projections as the basis for quantifying costs, covering both HP Software-related costs and any incremental staffing or infrastructure costs associated with the HP solution.

• Deliver: The Benefit and Investment Models are packaged into an ROI Business Case Package.

A clear understanding of the business perspective helps ensure that a meaningful set of value propositions is characterized. Value propositions fall into two distinct categories: business value and IT value.

Business value propositions describe how the use of Business Technology Optimization (BTO) contributes to reduced business costs (for example, improved end-user productivity or reduced time to complete security audits) or revenue protection (for example, higher availability of customer-facing or revenue-generating applications). Similarly, an IT value proposition demonstrates how BTO contributes to IT cost reduction. Often this is expressed in terms of headcount containment, reduction in application rework costs, or deferral of infrastructure capital expenses.

A properly stated value proposition should clearly connect a BTO function with a business objective and a measurable benefit. For example, “Automated application security testing mitigates risks by proactively reducing the number and duration of application security induced outages leading to reduced end-user minutes lost.” Value propositions stated in this way can be transformed into “ROI-benefit scenarios,” the HP term for the most granular building blocks of IT or business value.

ROI-benefit scenarios provide a consistent way to quantify value propositions and BTO value, and to characterize value and quantify solution benefits incrementally. Taken together, a set of ROI-benefit scenarios can be aggregated to represent the value of existing or planned BTO investments. They can also be combined to look at higher-level ROI-benefit scenarios such as quality improvement of application security, or improved visibility for decision-making. The ROI result can be calculated by summing the value and the investment associated with all of the relevant ROI-benefit scenarios. By breaking the problem down into smaller, more manageable ROI-benefit scenarios, the HP ROI approach simplifies ROI measurement and removes some of the uncertainty associated with collecting and analyzing ROI data.


Key component: description

Value proposition: A specific statement of business or IT value that links a specific BTO function with a business objective and a measurable benefit.

Solution benefit summary: A description of the HP BTO solution that explains how the value proposition claim is achieved.

Applications: Which specific application environment is included in the scope of the business case?

Calculation: The specific metrics, assumptions, and data values used to quantify the value proposition.

Table 4: Key components of an ROI-benefit scenario


After discovering and assessing the current environment, the next step is to align the HP solution so that it can have an impact on both IT and business processes, in order to reduce costs, mitigate risks, or improve time to market. Quantifiable benefits can be estimated using ROI-benefit scenarios that transform high-level value propositions into customer-specific situations where benefits can be measured. The following examples from a real customer engagement show how to approach the process of building ROI-benefit scenarios. These examples also demonstrate the value of HP solutions, showing the potential for ROI within any organization that has similar business needs.

Customer data and results

A major insurance company was looking to adopt automated security testing as part of QA for their critical insurance quoting and claims processing application. Over the three-year analysis period, as a result of their adoption of the HP Application Security Center solution, they would be able to achieve cost benefits of between $1.3 million and $1.9 million. Fully automated Web application security testing would result in significant process efficiency improvements and IT cost reductions.

By deploying the HP Application Security Center solution, the insurance company addressed their four most severe pain points:

• Application security incidents adversely impact end-user productivity
• Manually identifying application security defects during the full software lifecycle is labor intensive and error prone
• Internal and external application security auditing costs associated with SOX, HIPAA, PCI, and other regulatory compliance are high
• Loss of key security testing resources leads to higher testing costs

Examples A through D below lay out the detailed ROI calculations for the process efficiency gains, risk mitigation, and reduced operational expenses. For each ROI-benefit scenario, the calculations are provided for the conservative, the probable, and the optimistic expected improvements with the HP Application Security Center solution.

Example A: End-user productivity

The insurance company had issues with too much downtime for their primary insurance application. Downtime not only created a productivity drain for the insurance agents, but also prevented them from responding quickly to customer requests for quotations.


ROI through reduced end-user minutes lost

Value proposition: Automated application security testing mitigates risks by proactively reducing the number and duration of application security induced outages, leading to reduced end-user minutes lost.

Solution benefit summary: HP Application Security Center software solutions help you save time and money by enabling security professionals, developers and QA teams to catch security defects as early in the application development lifecycle as possible. In the case of end-user productivity, fewer application defects lead to fewer application outages and hence a reduction in the number of end-user minutes lost.

Applications: Critical insurance application

ROI example: metrics and assumptions
  Number of insurance agents: 30,000
  Percentage of agents impacted by security-induced outages: 15.00%
  Percentage of security-induced outages that impact agents: 80.00%
  Current annual downtime hours experienced by users: 14,400
  Current annual downtime cost: $443,520

Expected improvement with HP Software solution          | Conservative | Probable  | Optimistic
Projected reduction in number of annual outages impacting agents | 40.00%  | 50.00%    | 60.00%
Projected reduction in downtime                          | 16.00%       | 20.00%    | 24.00%
Corresponding annual reduction in downtime cost (first year) | $210,672 | $266,112 | $317,117

Table 5: ROI example for end-user productivity


The speed of getting these customer quotations was critical to revenue protection, because it affected the efficiency of the agents and because opportunities could be missed if agents were forced to rely solely on competing quotations due to customer time constraints. The estimated annual impact on business revenues was $443,520, as shown in Table 5. The estimate was calculated by multiplying the current annual downtime hours experienced by users by their $30.80 hourly burdened labor rate.

In assessing their purchase of the HP Application Security solution, the insurance company estimated the impact the solution could have on the number of outages and on application downtime. The company expected a 50 percent reduction in outages and a 20 percent improvement in application availability, and it was felt that a 40 percent reduction in outages and a 16 percent reduction in downtime would be a good conservative estimate. The company believed that as much as a 60 percent reduction in annual outages was possible, and thus 60 percent was included as the optimistic estimate, with a reduction in downtime of 24 percent.

Table 5 shows that the insurance company was expecting fewer and shorter outages after deployment of the HP Application Security Center solution, and an ROI-benefit from the reduction in end-user minutes lost. These annual downtime cost reduction estimates were calculated by multiplying the current annual downtime cost ($443,520) by the corresponding percentage reductions in downtime and number of annual outages. The projected, conservative, minimum estimate for the first year was a process efficiency gain of $210,672. With an estimated increase in annual benefit of three percent over a three-year period, this added up to a $651,166 reduction in downtime cost, with a potential for saving as much as $980,178 with the optimistic percentage outlook.


Example B: Application security testing for the full software lifecycle

Quality assurance work on the insurance company's critical insurance quoting and claims processing application was manual and very time consuming. The annual cost for quality assurance was $292,744 for business analysts, business developers, QA, testing, operations management, and support.

With automated security testing as part of QA, the insurance company could reduce costs by discovering code security vulnerabilities early in the software development lifecycle and by saving time on QA tasks.

Table 6 shows how the insurance company expected to reduce QA costs after deployment of the HP Application Security Center solution. These savings were calculated by multiplying the cost of each current QA activity by the corresponding conservative, probable, and optimistic percentage reductions. The projected conservative (minimum) estimate for the first year was a cost saving of $137,478. With an estimated increase in annual benefit of three percent over a three-year period, the insurance company could expect up to a $424,930 reduction in QA cost, with the potential to save as much as $637,400 under the optimistic outlook.


ROI through application security testing for the full software lifecycle

Value proposition: Automated application security testing throughout the software lifecycle reduces costs by reducing the time and effort associated with security code reviews, test script creation, test execution, test reporting, and script maintenance.

Solution benefit summary: Application Security Center delivers a comprehensive suite of products and services that support the entire Web application lifecycle. These products identify vulnerabilities early in the software lifecycle, help customers save time and money, and enable security throughout the life of the application. They are designed to foster collaboration among developers, quality assurance, and security professionals. Trustworthy software becomes possible only when security becomes a standard requirement in the entire development process.

Applications: Critical insurance application

ROI example (expected improvement with HP Software Solution):

| Metrics | Before HP ASC | Conservative | Probable | Optimistic |
|---|---|---|---|---|
| Test script creation cost | $70,894 | 48.00% | 60.00% | 72.00% |
| Test execution cost | $22,511 | 40.00% | 50.00% | 60.00% |
| Investigating security resolutions cost | $100,604 | 60.00% | 75.00% | 90.00% |
| Results and defect reporting cost | $50,352 | 60.00% | 75.00% | 90.00% |
| Test script maintenance cost | $48,383 | 8.00% | 10.00% | 12.00% |
| Total annual IT cost | $292,744 | | | |
| Projected test script creation cost | | $36,865 | $28,358 | $19,850 |
| Projected test execution cost | | $13,507 | $11,256 | $9,004 |
| Projected investigating security resolutions cost | | $40,242 | $25,151 | $10,060 |
| Projected results and defect reporting cost | | $20,141 | $12,588 | $5,035 |
| Projected test script maintenance cost | | $44,512 | $43,545 | $42,577 |
| Projected total annual IT cost | | $155,266 | $120,897 | $86,527 |
| Total projected first year savings | | $137,478 | $171,847 | $206,217 |

Table 6: ROI example for automated security testing


Example C: Internal and external security audits

Internal and external application security auditing costs associated with regulatory compliance were high. The insurance company had internal staff devoted to security audit compliance but also used external auditors; nevertheless, numerous application security defects, expensive to fix, were found during the audits. With automated Web application security testing from HP, the internal and external auditors would spend less time on security audit compliance work, and there would be fewer application security deficiencies to correct.

A 45 percent reduction in the number of deficiencies and in internal and external staff time spent on security audit compliance was expected, and a 36 percent reduction was chosen as the conservative estimate. The insurance company decided that as much as a 54 percent reduction should be used as the optimistic estimate for the ROI-benefit scenario calculation.

The total annual audit and compliance cost before a solution from HP was $141,760. HP Application Security Center's scalable security assessment platform would allow the total audit staff hours to be reduced, generating a first-year saving of between $51,034 and $76,550.

The calculations were made by applying the conservative, probable, and optimistic percentage efficiency gains to the costs of correcting audit deficiencies and of internal and external audit compliance. Over the three-year analysis period, conservatively projected, the cost of internal and external security audits could be reduced by $153,101.

ROI through reduced cost associated with internal and external application security auditing

Value proposition: Proactive, automatically scheduled security checks, policy enforcement, and reporting reduce auditing costs, including the costs associated with audit deficiencies, by reducing the number of deficiencies and the time taken to complete an audit.

Solution benefit summary: HP Application Security Center provides a distributed, scalable security assessment platform that enables organizations to perform unlimited, automated application security assessments, providing a real-time view of an enterprise's current risk posture and policy compliance. The reporting system allows customization of reports through configuration options and template-driven reports. Standard reports include security auditor, quality assurance (QA), and developer-focused reports, as well as numerous sorting and filtering options.

Applications: Critical insurance application

ROI example (expected improvement with HP Software Solution):

| Metrics | Before HP ASC | Conservative | Probable | Optimistic |
|---|---|---|---|---|
| Internal audit costs | $95,760 | | | |
| External audit fees | $6,000 | | | |
| Audit deficiencies cost | $40,000 | | | |
| Total audit and compliance cost | $141,760 | | | |
| Projected percentage efficiency gains | | 36.00% | 45.00% | 54.00% |
| Projected internal audit compliance cost | | $61,286 | $52,668 | $44,050 |
| Projected external audit compliance cost | | $3,840 | $3,300 | $2,760 |
| Projected audit deficiencies cost | | $25,600 | $22,000 | $18,400 |
| Projected total annual audit and compliance cost | | $90,726 | $77,968 | $65,210 |
| Total projected first year benefit | | $51,034 | $63,792 | $76,550 |

Table 7: ROI example for application security audit compliance


Example D: Intellectual capital retention

The QA/test team for the insurance company's quoting and claims-processing application had been short-staffed for several years, which had created an extremely stressful work environment. Staff turnover had been on the rise and was becoming a serious problem. For each tester leaving, the schedule got tighter because training time for replacement hires had to be squeezed into the team's already tight time plan. Before the HP Application Security Center solution was deployed, QA/test staff turnover was 30 percent, and annual re-training time and cost were unacceptably high. With three months to train replacement hires to reach basic proficiency, the staff turnover resulted in an annual re-training cost of $50,400.

By implementing HP Application Security Center, the insurance company gained a central repository of security testing knowledge that significantly reduced the learning curve for replacement hires. So not only was retraining cost reduced, but the QA/test team also got back on schedule without having to work after hours and on weekends to meet their time plan commitments.

For the ROI-benefit scenario calculation, a 40 percent reduction in required retraining/relearning time was expected. On the conservative side, a 32 percent time saving was chosen, and 48 percent was used for the optimistic estimate. Table 8 shows that, after deployment of the HP Application Security Center solution, the insurance company expected first-year savings between $16,128 and $24,192. With an estimated increase in annual benefit of three percent, over a three-year period this added up to a $49,850 reduction in retraining/relearning cost, with the potential to save as much as $74,774 under the optimistic outlook.

ROI through intellectual capital retention

Value proposition: Automated security test management mitigates risk through the capture and reuse of testing artifacts, thereby reducing the cost of replacing the knowledge of key individuals should they leave or be reassigned.

Solution benefit summary: Most test/QA organizations rely on a group of subject matter experts, analysts, and testers with knowledge across applications and technology. When these individuals leave the company or are reassigned, they take their knowledge with them, and it takes time to bring new individuals up to speed. The ASC product set provides a central repository of security testing knowledge, significantly reducing dependency on individuals by shortening the learning curve and ramp-up time for new individuals. Moreover, a central repository of knowledge provides flexibility in reassigning individuals to support other areas.

Applications: Critical insurance application

ROI example (expected improvement with HP Software Solution):

| Metrics | Assumptions | Conservative | Probable | Optimistic |
|---|---|---|---|---|
| Total members of QA/test staff | 7.0 | | | |
| Estimated annual attrition for QA/test staff | 30.00% | | | |
| Months to train replacement hire to reach basic proficiency | 3.0 | | | |
| Total person hours to train/attain proficiency | 500.0 | | | |
| Average test/QA burdened salary rate per hour | 48.00 | | | |
| Current total lost retraining/relearning costs | $50,400 | | | |
| Projected reduction in number of retraining/relearning hours | | 32.00% | 40.00% | 48.00% |
| Projected total person hours lost to retraining/relearning | | 714.0 | 630.0 | 546.0 |
| Projected total lost retraining/relearning cost | | $34,272 | $30,240 | $26,208 |
| Corresponding annual reduction in retraining/relearning cost (first year) | | $16,128 | $20,160 | $24,192 |

Table 8: ROI example for intellectual capital retention


Consolidated ROI benefits from the HP Application Security Center solution

ROI scenarios and value propositions:

End-user productivity: Automated application security testing mitigates risk by proactively reducing the number and duration of application security-induced outages, leading to fewer end-user minutes lost.

Application testing for the full software lifecycle: Automated application security testing throughout the software lifecycle reduces costs by reducing the time and effort associated with security code reviews, test script creation, test execution, test reporting, and script maintenance.

Internal and external security audits: Proactive, automatically scheduled security checks, policy enforcement, and reporting reduce auditing costs, including the costs associated with audit deficiencies, by reducing the number of deficiencies and the time taken to complete an audit.

Intellectual capital retention: Automated security test management mitigates risk through the capture and reuse of testing artifacts, thereby reducing the cost of replacing the knowledge of key individuals should they leave or be reassigned.

Applications: Critical insurance application

Analysis of benefits and NPV for conservative outcomes:

| Metrics | ROI savings 1st year | ROI savings 3 years | NPV of 3 years savings |
|---|---|---|---|
| Cumulative savings of ROI scenarios | | | |
| Reduction in downtime cost | $210,672 | $651,166 | $520,169 |
| Cost benefits with full SW lifecycle testing | $137,478 | $424,930 | $339,446 |
| Cost benefits with internal and external security audits | $51,034 | $153,101 | $122,574 |
| Reduction in retraining cost | $16,128 | $49,850 | $39,822 |
| Total savings | | $1,279,047 | $1,022,010 |

Table 9: Consolidating results from ROI-benefit scenarios

Consolidating results

ROI-benefit scenarios such as those shown in the above examples can be combined to provide an overall ROI analysis for a specific customer implementation of HP Application Security Center. The total savings from multiple ROI-benefit scenarios are summed and compared against the total cost of ownership of the HP solution. For example, the savings from several ROI-benefit scenarios can be summed to show the combined business and IT benefits over a period of three or five years and compared against the total cost of ownership (TCO) for HP Application Security Center over the same period.

The insurance company focused its financial analysis on summing the four ROI-benefit scenarios and on Net Present Value (NPV) calculations. It chose to exclude total cost of ownership from the analysis. The NPV was calculated over a three-year period using a discount rate of 12 percent, and the results were summed to demonstrate the conservative $1.02 million NPV savings for the three-year period.
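The consolidation method described above (the three percent annual increase in benefit, the three-year total, and the NPV at a 12 percent discount rate) and the percentage-reduction projections of Tables 6 to 8, carried through in Python as an added example; this is not HP's model or the paper's own code. It assumes savings are end-of-year cash flows, which the paper does not state, and carries the audit row without growth because Table 9 prints its three-year figure at three times the first year.

```python
"""Added example (not HP's model): the ROI arithmetic this paper describes.
Rules taken from the text: post-deployment cost = current cost less a percentage
reduction; the first-year saving rises 3 percent a year for three years; NPV
discounts each year's saving at 12 percent (end-of-year cash flows assumed)."""
from __future__ import annotations

GROWTH = 0.03    # "estimated increase in annual benefit of three percent"
DISCOUNT = 0.12  # "discount rate of 12 percent"
YEARS = 3        # three-year analysis period


def projected_costs(cost_before: float, reductions: tuple[float, ...]) -> list[int]:
    """Cost after each percentage reduction (conservative, probable, optimistic),
    rounded to whole dollars as Tables 6 to 8 print them."""
    return [round(cost_before * (1 - r)) for r in reductions]


def savings_stream(first_year: float, growth: float = GROWTH,
                   years: int = YEARS) -> list[int]:
    """Year-by-year saving; growth=0.0 carries the first-year figure flat."""
    return [round(first_year * (1 + growth) ** t) for t in range(years)]


def npv(stream: list[int], rate: float = DISCOUNT) -> float:
    """Net present value of end-of-year cash flows: sum of C_t / (1 + r)^t, t = 1..n."""
    return sum(c / (1 + rate) ** t for t, c in enumerate(stream, start=1))


def consolidate(first_year: dict[str, float],
                growth_by_row: dict[str, float]) -> dict[str, tuple[int, int, int]]:
    """Table 9 columns per scenario: (first year, three-year total, NPV), plus a Total row."""
    rows: dict[str, tuple[int, int, int]] = {}
    for name, saving in first_year.items():
        stream = savings_stream(saving, growth_by_row.get(name, GROWTH))
        rows[name] = (round(saving), sum(stream), round(npv(stream)))
    rows["Total"] = tuple(sum(row[i] for row in rows.values()) for i in range(3))
    return rows


# Conservative first-year savings of Examples A to D, as printed in Table 9.
FIRST_YEAR = {
    "Reduction in downtime cost": 210_672,
    "Cost benefits with full SW lifecycle testing": 137_478,
    "Cost benefits with internal and external security audits": 51_034,
    "Reduction in retraining cost": 16_128,
}
# Table 9 lists the audit row's three-year figure at three times its first year,
# so that scenario is modelled here without the 3 percent growth (an assumption).
GROWTH_BY_ROW = {"Cost benefits with internal and external security audits": 0.0}

if __name__ == "__main__":
    # Table 6, maintenance row: $48,383 cut by 8, 10 and 12 percent.
    print(projected_costs(48_383, (0.08, 0.10, 0.12)))  # [44512, 43545, 42577]
    for name, (y1, y3, pv) in consolidate(FIRST_YEAR, GROWTH_BY_ROW).items():
        print(f"{name:<58} ${y1:>10,} ${y3:>10,} ${pv:>10,}")
```

The downtime, lifecycle-testing and retraining rows reproduce Table 9 to the dollar; the audit row and the totals land within a dollar or two of the printed figures, which is the rounding slack of the original.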


Summary

Companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures. The benefits of HP offerings can be quantified using the HP ROI approach, which has been validated by HP customers across multiple industry segments. The examples presented in this paper are based on first-hand experience with an HP customer. They show substantial cost savings and efficiency gains, offering a strong incentive for the insurance company to choose the HP offering when it compared its current QA/test processes and environment against the HP Application Security Center solution.

The sample ROI-benefit scenarios shown in this paper are illustrative of the HP ROI process and approach. For more information on this approach and how it can be used to help justify an investment in HP Application Security Center solutions, please contact your HP sales representative.


Technology for better business outcomes

To learn more, visit www.hp.com/go/securitysoftware

© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Java is a US trademark of Sun Microsystems, Inc.

4AA2-6616ENW, June 2009

This is an HP Indigo print.