According to market researcher DataMonitor the size of the global software market is forecast to have a value of $299.1 billion in 2014, an increase of 32.6% since 2009. According to them, the computer software market consists of systems and application software. Systems software comprises operating systems, network and database management and other systems software. Application software comprises general business productivity and home use applications, cross-industry and vertical market applications, and other application software. Let’s just take a moment to let the enormity of that number sink in - $299B dollars is a big market! Now, let’s examine another market. According to the 451 group, the market size for automated application security technologies (as defined by static analysis, dynamic analysis and Web Application Firewalls) is forecast to be just a little over $1B dollars in 2014 . Is someone else feeling that these two market forecasts taken together just don’t add up? We spend 0.3% of what we pay for software on ensuring that it is secure! Now you can argue that the application security market as defined above is a narrow representation. For example, manual testing is not included. However, even when you account for those variances the gap in what we spend to buy software and what we spend to secure it is huge. This brings me to the market for testing third-party software suppliers that was explored in Volume 4 of the State of Software Security report. As the reliance on third-party software and components has grown, so has the awareness that security weaknesses embedded in those applications become a liability for the enterprise. This recognition transcends the security community as you see calls for this level of due diligence from leaders in the sourcing and vendor management area as well (See Forrester report, “Why Stronger Vendor Management is Essential to Managed Services Relationships” by analyst Jan Erik Aase. ). We examined which industry segments are heeding this call to action and engaging in this process with their third-party software suppliers. We found enterprises representing at least eight different industry segments. While Software and Finance account for the majority of the dataset, companies across the spectrum are starting to hold their software suppliers accountable. According to our customers approximately one-third of applications in their environment are characterized as third-party and two-thirds as internally developed. What we see is that 30 to 70% of code components even in so called internally developed applications are in fact third-party components and libraries. With such heavy reliance on code coming from outside an organization, a formal third-party risk assessment program becomes crucial to managing overall application risk. We recommend that all enterprises institute a policy that requires third-party vendors to demonstrate proof of independent security verification or to submit to that due diligence. We also recommend that sourcing and vendor management professionals include specific language in contracts to that end. If we are going to spend hundreds of billions of dollars on software lets at least spend a few billion more than we do right now on ensuring that it is secure!
A Tale of Two Market Sizes
Sam King is the Chief Executive Officer of Veracode and a recognized expert in cybersecurity, the emerging practice of DevSecOps and business management. As a founding member of the Veracode team, Sam helped lead the establishment and growth of the application security category working with industry experts and analysts. In her current role, Sam is focused on company growth and helping customers achieve their missions through the creation of secure software. Prior to Veracode, Sam held leadership positions in cybersecurity and technology companies including Verisign and Razorfish.