Software Risk and Security in 2016

Software has always been risky business compared to more mature industries such as telecommunications and manufacturing. Historically, software has seen more canceled projects, higher costs and more frequent schedule overruns than any other industry.

Today in 2016 we are also on the forefront of receiving an increasing amount of cyber-attacks in many different forms such as denial of service, data theft, phishing and the like. Of course, other industries are also risk prone, such as banking and finance as seen by their many failures circa 2008. Indeed the insurance industry centers around risk and has developed sophisticated actuarial methods for predicting the costs of risks and when they will occur.

What software needs today is a better understanding of security techniques and security economics, in terms of preventing and recovering from cyber-attacks. In other words, we should mirror insurance in the use of solid actuarial analysis of software and security risks.

Namcook’s Software Risk Master (SRM) tool is starting that shift by predicting the main forms of software risks before software projects start, when there is still time to create effective risk avoidance strategies. The top risks we predict are:

Project Risk Metrics predicted by SRM

These risk predictions are variables, and the key factors that influence them include team experience, development methodologies, programming languages, effective quality control techniques before and during testing, and achieving high levels on the SEI capability maturity model integrated. For example, both formal inspections and static analysis have proven to be effective risk-reduction techniques.

Concentrating primarily on security risks, we are also concerned with security costs in two forms:

  • Preventing cyber-attacks by using more sophisticated quality control during development.
  • Recovering from successful cyber-attacks.

To provide a context of risk and security costs, the below table shows the top cost drivers today:

U.S. Software Cost Drivers in Rank Order for 2016

As can be seen, software security risks consume a significant portion of key software cost drivers. To be successful and reduce IT spend, it will be important to push them down to the bottom of the ranked list of cost drivers by 2026. There are existing technologies for doing this, such as deploying security inspections and using static analysis on all critical software projects. CAST’s Application Intelligence Platform measures technical vulnerabilities that put your organization at risk based on industry leading code quality standards from CISQ. Plus there are ways to participate with cyber-attack groups established by the FBI, Homeland Security, and some state and local police departments. However many companies and government groups are still careless in both software quality control and software security.

Improved knowledge of software risk and security flaws is on the critical path for making significant reductions in high-cost problems.

There are two obvious paths facing the software industry in 2016. The best path would be to achieve major software risk reductions and major reductions in cyber-attacks by means of deploying more sophisticated quality and risk control techniques during development, including analyzing the quality of application portfolios.

The more dangerous path will lead to increasing numbers of successful cyber-attacks and steadily increasing expenses associated with related software risks. This will also lead to severe erosion in customer satisfaction, especially in regards to banking applications, where thefts of funds and identities are a daily hazard. This second path assumes continued laxness in quality control and security control.

Both poor software quality and software security flaws are treatable conditions somewhat like medical conditions that can be eliminated by a combination of vaccinations and effective therapies. It is theoretically possible to reduce delivered software defects and deployed software security flaws by over 90% compared to 2016 norms. Even better, some of the effective therapies such as static analysis are also very cost effective and lower both development and maintenance costs as well as lowering cyber-attack costs.

To learn more, check out www.Namcook.com or contact Capers at Capers.Jones3@gmail.com.

Get Your Free White Paper And Learn How Software Analysis Can Help Your Business

Learn why you need to build security into your applications and how it will help improve and protect your business. Click the button below to get our FREE copy today.

Your Information will be kept private and secure.

Comments

comments