Good time for a new offering: When Wipro met Fortify
Wipro (one of the world’s largest outsourcers) and Fortify (a major software security vendor) are announcing today their plans to offer a new joint outsourcing solution. This solution combines Fortify’s software security tools with Wipro’s outsourcing and security personnel to create an application software security center of excellence called the Software Assurance Center.
The timing of this offering may be serendipitous for the two firms. The current economy is making outsourcing, particularly certain managed services, more attractive to IT executives. In the security space, there are numerous kinds of threats that can be quite injurious to IT shops no matter if the affected application software was custom made, licensed or hosted.
In the words of Mike Armistead, co-founder of Fortify, the “attack surface for application software” is huge. Almost every single piece of application software utilized by corporations today is open to and interacts with the Internet. This openness, and the abundance of applications that users, supply chain partners, customers, regulators and others use to interact with your front and back office solutions, make the problem of application security all the more daunting. (More code = greater security risk)
Furthermore, we cannot underscore enough the rising sophistication of those who wish to hack, infect, keylog, disrupt or otherwise pilfer your information systems. Organized crime gangs, foreign governments, competitors and the usual assortment of malcontents exist in ever greater numbers, each looking for just one soft, vulnerable spot in your IT infrastructure. (More threats = greater security risk)
But there is one additional rationale for such an offering in the market. Top-flight security professionals are among the most sought-after and scarce people to hire. Many of the best and brightest are snapped up by some of the largest global firms, governments or specialized technology firms. Mid-market businesses cannot source or afford the quality and quantity of software security experts they need. A managed service seems to be the most cost-effective and knowledge-intensive option for the mid-market. (Scarce security professionals = more vulnerability)
In fact, if a mid-market business can only afford or find one or two key security professionals, these individuals may not possess all of the skills or knowledge needed to protect against all of the potential vulnerabilities. Software security, like a chain, is only as good as its weakest link. Critical gaps or omissions in application security could be almost as bad as no security at all. (Spotty coverage = doubtful protection)
These two firms are creating a service where mid-market firms can submit their application software to the joint venture for a one-time or continuous security assessment. Software can be submitted while it is under development or in production. Custom and packaged applications will be run against static (e.g., tests that scan code for specific faults) and dynamic (e.g., penetration tests utilizing ethical hacking scripts) tests. Additionally, products can be monitored via Fortify’s RTA (real-time analysis) product. Applications can be tested on demand or as a managed service. Use of the Fortify 360 technology will help harden applications against future security threats. Mobile applications will be identified at the line of code level so that rapid remediation efforts can be applied.
Bottom line: solutions like these should see a good uptake. Unfortunately, too many businesses, like homeowners, skimp on insurance, especially when they are pinching pennies. Nonetheless, mid-market firms owe it to themselves and their shareholders to periodically assess the level of protection their applications possess.