Continuous Delivery of Business Value with FortifyMainstay Customer Evidence Research
WHITE PAPER
Continuous Delivery of Business Value with Fortify WHITE PAPER
22
MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION
Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity of software-driven “digital transformation” to stay relevant and competitive in their markets. Industrial icon GE, for instance, is developing software that harnesses data from sensors inside wind turbines to squeeze more electricity from existing wind farms. Automakers embed tens of millions of lines of code into their increasingly “smart” and “connected” vehicles.1
As software becomes core to every business — and as cloud-based software services surge in popularity — companies are developing and updating applications faster than ever before. Welcome to the new era of continuous software delivery. Continuous delivery means development teams are releasing software with new features and functionalities in increasingly shorter cycles, from every year or quarter to every month, week, or day.
The approach is now woven into the DevOps environments of leading enterprises like Microsoft, Google and Facebook, which typically issue major software releases every week across their web sites, followed by daily bug fixes over the rest of the week. Forrester Research predicts that organizations will go from four application releases per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.2
SECURITY TEAMS UNDER PRESSURE
With the market moving to an agile, continuous delivery model, development and security teams within organizations are scrambling to keep up with the sheer number of applications and releases, which is putting pressure on a key part of the development lifecycle: software security assurance (SSA). Simply put, organizations cannot afford for security testing and remediation to slow the pace of software delivery.
This challenge is complicated by several trends:
• The proliferation of SaaS and mobile devices, which requires even more testing of applications for security flaws.
• Many enterprises maintain hybrid environments with a mix of legacy and COTS applica-tions and varying release cycles, thus increasing the complexity of security programs.
• Developers increasingly utilize downloaded code from open-source software (OSS) repositories such as Maven and GitHub, many of which are known to contain vulnerabilities.
Organizations generally have been slow to respond to the challenge, in part because most of them are still using outmoded security testing tools and practices. These tools lack automated features that could enable organizations to tackle greater volumes of code and scans in less time. Often these tools cover only part of the security-testing process, a handful of specific languages, or limited deployment options, forcing organizations to switch between multiple tools during the development cycle, hurting productivity.3
A NEW ERA IN SOFTWARE SECURITY Continuous delivery of applications has become the new normal for soft- ware development organizations across every industry. Software development teams are now expected to deliver new releases and updates at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we detail how development organizations at leading companies are using software security solutions from Fortify to scan more applications faster, focus and streamline reme-diation efforts with better triaging, and integrate security assurance methods throughout the software development environment. No longer a production bottleneck, security teams can now support increasingly ambitious release schedules, ensuring faster time to market and freeing developers to focus on creating better software.
Continuous Delivery of Business Value with Fortify WHITE PAPER
3
In fact, industry analysts estimate that even though 90% of companies are engaged in application development — and 99% agree it’s an opportunity to increase enterprise security — only 20% are doing anything about it. Gartner estimates that fewer than 20% of enterprise security architects have systematically incorporated information security into their DevOps initiatives. Fewer still have achieved the singular degree of security automation required to qualify as Secure DevOps.
SHIFTING TO THE ‘LEFT’
Until recently, organizations have focused security testing and remediation efforts primarily on the later phases of the software development lifecycle. However, this is precisely when the cost of remediation is most expensive and time consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability of current toolsets also dictate relatively fewer scans, cutting into productivity as the number of applications and releases continues to grow.
All of this represents a reactive approach to security assurance that increases the risk of project delays, compro-mises application security, and ultimately prevents organizations from scaling to meet the demands of continuous delivery. By contrast, leading organizations we researched are taking a more agile and proactive approach — one that emphasizes earlier, more frequent testing with feedback loops designed to produce progressively cleaner code.
In effect, these organizations are shifting security testing operations to the “left,” thus reducing the number of vulnerabilities introduced during the coding phase, as shown below. According to a recent study, organizations that make this move end up spending 55% less time remediating security issues.5
THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE
Mainstay conducted initial research on the economic impact of Fortify’s appli- cation security solutions in 2010, a time when the biggest challenges facing IT and application security teams was simply finding software vulnerabilities, and finding them earlier enough to make remedi- ation easier.4 In 2013, Mainstay re-surveyed leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities as possible, and many were choosing cloud services to extend these capabilities to third-party developers.
Our latest survey found an evolving market for soft- ware security solutions, with organizations demanding greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential vulnerability, organiza-tions now want better triaging to quickly focus on and remediate flaws that pose the most serious risk to the business.
Laggards Test Later and Less Frequently
Leaders Deploy Software Security Throughout the Software Development Cycle
• Reactive• Likelihood of discovering more
vulnerabilities than available capacity to triage or remediate
• Difficulty in remediating• High risk of application delays• Incompatible with frequent development releases
Requirements Design
Code Reviews
Security Testing Penetration Testing Vulnerability Scanning
Coding Integration ProductionQA
Code Reviews
Security Testing Penetration Testing Vulnerability
Scanning
Scope of Software Security Scans
Need to “Shift Left”
• Proactive• Vulnerabilities are discovered early• Easier to remediate
• The number of iterations that occur across the SDLC improves time to production
• The time required to fix an issue is less as you shift left, driving shorter time to production
Requirements Design
Code Reviews
Static Code Analysis
DynamicCode
Analysis
Real-time Security Testing
SoftwareSecurity
Requirements Analysis
ThreatModeling
Security Architecture
DesignReviews
Security Testing
Penetration Testing
Vulnerability Scanning
Coding Integration ProductionQA
Scope of Software Security Scans with Fortify
“Shift Left” Creates the Environment to Support Frequent Releases as Well as Faster Delivery
Continuous Delivery of Business Value with Fortify WHITE PAPER
4
SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIESTo understand how leading enterprises are coping with the demands of continuous software delivery, market analyst Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even broader portrait of the challenges that software development and security departments face in today’s fast-paced environment.
Among the companies participating in the software security survey were:
• One of the world’s largest financial services holding companies.
• Two of the world’s largest multinational oil and gas companies
• Global peer-to-peer lending and online trading platform company
• A provider of online investing services for institutions
• One of the world’s largest banks with operations in over 50 countries
The survey looked at five critical aspects in the software security assurance process and evaluated how the adoption of Fortify impacted each one:
• Scan Setup. Ease and speed in setting up scans; how well security tools and processes are integrated with development environment
• Scan Performance. Speed of scans and the number of vulnerabilities found
• Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified; ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT)
• Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed; reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR)
• Scalability. Our study also looked at how organizations are deploying Fortify to flexibly scale their security processes to scan and remediate significantly more applications in less time. Metrics include the quantity of apps scanned, scan cycles performed, and developer issues avoided at the source during coding.
The following sections discuss the results of the survey.
• Ease• Speed• Readiness/integration
with developmentenvironments
• Speed• Number of
vulnerabilities identified
• Number of vulnerabilities to fix
• Speed of fixing• Prioritize by
address critical vulnerabilities first
• Number of apps• Number of scan cycles• Developer issues
avoided at source during coding
• Speed• Number of false
positives identified• Prioritizing by
criticality
Setting Up Scans Performing Scans Triaging Remediating Process Scalability
• Ease• Speed• Readiness/integration
with developmentenvironments
• Speed• Number of
vulnerabilities identified
• Number of vulnerabilities to fix
• Speed of fixing• Prioritize by
address critical vulnerabilities first
• Number of apps• Number of scan cycles• Developer issues
avoided at source during coding
• Speed• Number of false
positives identified• Prioritizing by
criticality
Setting Up Scans Performing Scans Triaging Remediating Process Scalability
• Ease• Speed• Readiness/integration
with developmentenvironments
• Speed• Number of
vulnerabilities identified
• Number of vulnerabilities to fix
• Speed of fixing• Prioritize by
address critical vulnerabilities first
• Number of apps• Number of scan cycles• Developer issues
avoided at source during coding
• Speed• Number of false
positives identified• Prioritizing by
criticality
Setting Up Scans Performing Scans Triaging Remediating Process Scalability
• Ease• Speed• Readiness/integration
with developmentenvironments
• Speed• Number of
vulnerabilities identified
• Number of vulnerabilities to fix
• Speed of fixing• Prioritize by
address critical vulnerabilities first
• Number of apps• Number of scan cycles• Developer issues
avoided at source during coding
• Speed• Number of false
positives identified• Prioritizing by
criticality
Setting Up Scans Performing Scans Triaging Remediating Process Scalability
• Ease• Speed• Readiness/integration
with developmentenvironments
• Speed• Number of
vulnerabilities identified
• Number of vulnerabilities to fix
• Speed of fixing• Prioritize by
address critical vulnerabilities first
• Number of apps• Number of scan cycles• Developer issues
avoided at source during coding
• Speed• Number of false
positives identified• Prioritizing by
criticality
Setting Up Scans Performing Scans Triaging Remediating Process Scalability
WHY FORTIFY
Of the companies surveyed, 54% said that Fortify was their first choice for application security software before later deciding to implement Fortify. Their top three reasons for choosing Fortify were:
• Solution flexibility
• Greater coverage of different programming languages and third-party code
• Better ability to find and fix vulnerabilities
Continuous Delivery of Business Value with Fortify WHITE PAPER
5
KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE
Faster Scan Setups
In a continuous delivery environment, development teams must move quickly to plan and execute security scans. However, given the wide variety of programming languages and code components commonly found in a modern development environment, it can be a slow process to assemble the right security tools — and the right people and expertise — for the job. Before moving to Fortify, fewer than half of the organizations in our survey could accommodate the requirements of fast-release cycles (weekly).
The Fortify platform provided coverage and integration across a broad range of development environments and languages, eliminating the need for multiple point tools and the experts necessary to operate them. On average, companies replaced about 10 tools with a single Fortify solution. This allowed organizations to streamline their software security environment, reduce complexity and improve operational efficiencies. Customers believed this offers the potential to lower the overall cost involved in software security licenses and maintenance.
LESS TIME SCANNING, MORE TIME ENHANCING APPS
Scanning within an integrated development environment (IDE) can take several hours and add 25% or more to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged down by administrative and security tasks and now have more time to focus on improving the software. The customer considers this to be a huge competitive advantage in an increasingly software-driven world.
Fewer Security Tools Needed
Before Fortify After Fortify
$17.5K
0
$5K
$10K
$15K
$20K
$2K
89%reduction
SSA
Fee
Savi
ngs
10Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts.
1
Number ofSoftwareSecurity
Tools
Faster Setups Allows More Frequent Releases
Before Fortify After FortifySurvey Finding: Organizations were able to increase their ability to do weekly, monthly or quarterly releases with the same amount of resources.
Percentage of companies that could support monthly or weekly release cadences
35%100%
Increasing adoption of agile environments is driving the demand for tighter process integration across the develop- ment lifecycle. Organizations that moved to the Fortify environment — which provides tools and plugins to simplify integration with existing development environments — could create fast, automated processes for uploading code, running scans, and incorporating security checks into each phase of the development cycle.
In fact, the survey found that the percentage of customers who could improve their release frequencies — from annual or quarterly to monthly, weekly, or even daily releases — increased significantly. Whereas only 35% of the respondents could do monthly or weekly releases before adopting Fortify, nearly all respondents said they could handle accelerate release schedules after adopting Fortify’s speed-enhancing rules engines, templates, and triaging technologies.
Continuous Delivery of Business Value with Fortify WHITE PAPER
6
More Efficient Scanning
Most companies focus on combatting the top 10 common critical vulnerabilities that impact their organization (or application security landscape). For the companies surveyed in 2017, these included cross-site scripting (XSS), SQL injection, broken authentication, cross-site request forgery, and security misconfigurations.
More than half of survey respondents reported that Fortify was particularly effective in finding these high-risk vulnerabilities early in the development lifecycle, when they can be remediated more easily and cheaply.6 Tools such as Fortify Security Assistant, for example, enabled developers to identify vulnerabilities in real time while they are writing code.
Overall, companies using Fortify Static Code Analyzer found they could uncover tens of thousands of previously unidentified vulnerabilities. In addition, respondents said they could run the scans in a significantly shorter amount of time — from several days to just a few hours or even minutes — freeing developers to focus more time on what they do best: writing high-quality code and not waiting for scans.
6
Twice as Many True Vulnerabilities Found…
Before Fortify After Fortify
$17.5K
0
$5K
$10K
$15K
$20K
$2K
89%reduction
SSA
Fee
Savi
ngs
Customers reported that the number of legitimate vulnera-bilities found with Fortify was double that of other software vendors.
Numberof True
VulnerabilitiesFound2X
…With Significantly Faster Scans
Before Fortify After Fortify
$17.5K
0
$5K
$10K
$15K
$20K
$2K
89%reduction
SSA
Fee
Savi
ngs
Customers reported that scanning with Fortify was 10–15 times faster than with other software vendors.
Speed of Scans
10–15X
WHAT TYPES OF VULNERABILITIES MATTER?
In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting and SQL injections, but were also worried about data breaches and the consequences that ensued, which most rated as one of their top security concerns.
Continuous Delivery of Business Value with Fortify WHITE PAPER
7
Better Triaging, Fewer False Positives
Survey participants were attracted to Fortify’s unique ability to dig through large sets of vulnerabilities, identify those vulnerabilities that are meaningful to the organization, and quickly separate false positives and low-risk issues from serious flaws, significantly reducing mean time to triage (MTT).
Many of the companies augmented their triaging routines by factoring in the latest industry intelligence and trends, and by connecting static and dynamic analyses. Several companies regularly tapped experts from Fortify to design and execute these time-saving triaging protocols. One leading data-analytics company, for example, routinely uploads code to Fortify on Demand to scan, then conducts a joint review and triaging session with the technical account manager before starting remediation.
Before Fortify After Fortify
$17.5K
0
$5K
$10K
$15K
$20K
$2K
89%reduction
SSA
Fee
Savi
ngs
Customers reported that the number of false positives were reduced by up to 95% with Fortify on Demand managed services offering.
Reduction in False
Positives95%
Fewer False Positives
Improved Remediation Efforts
Survey respondents repeatedly stressed the importance of finding vulnerabilities early in the development lifecycle, noting that it took nearly 100-times more effort to remediate security flaws if they’re found after software has gone into production versus during the coding process. Vulnerabilities found during quality assurance testing is less expensive to remediate but still takes about 10-times more effort and time to fix compared to the coding phase.
On average organizations reported they could complete triaging and remediation tasks about 10-times faster with Fortify — from 20 days per application to just one to two days. Again, the time saved could be redirected to enhancing the software in ways that made it more appealing to end users.
Before Fortify After Fortify
Customers reported that, with Fortify, they are able to speed up the triaging and remediation process.
20 daysper app to triage and remediate
1–2 daysper app to triage and remediate
10xFaster
Triaging and Remediation
Faster Remediation
FALSE POSITIVES CAN SLOW YOU DOWN
A leading financial institution reported that scans for a large application could uncover as many as 50,000 vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using Fortify’s software and managed services, the institution avoided false positives and leveraged insights that improved triaging and remediation, reducing workloads significantly. Noted one IT executive: “The only way to scale is by eliminating false positives.”
Continuous Delivery of Business Value with Fortify WHITE PAPER
8
KEY FINDING: FORTIFY’S SCALABILITY DRIVES CONTINUOUS DELIVERY
As the number of applications continues to grow, organizations need to scale their software security programs to avoid delays in delivering releases and updates. Companies in the survey consistently identified a set of obstacles to achieving process scalability. These included:
• Disparate point solutions
• Manual processes/lack of automation
• Poor identification of vulnerabilities
• Large amount of false positives
• Lack of access to security expertise
When organizations combined Fortify solutions with its managed services offering, they could transform software security assurance into a fully scalable and repeatable process capable of managing the increasing operational demands of enterprise-level development organizations.8
What does true scalability look like? Before adopting Fortify, one customer in the survey could complete about 30–50 scans per quarter, covering about 25 applications. Since implementing Fortify, it can complete 300 scans covering 75 applications — a 30X increase in speed and capacity.
Before Fortify After Fortify
Customers reported that the number of false positives were reduced by up to 95% with Fortify and managed services support.
30–50 scans covering25 apps
300 scans covering75 apps
30X
More Scanning, More Apps
Before Fortify After Fortify
Customers reported seeing a 40% reduction in repeat vulnerabilities, thus creating high-quality and secured applications.
40%Reduction in
Vulnerabilities
Fewer Repeat Vulnerabilities
Before Fortify After Fortify
Survey Finding: Fortify customers expect to double the number of applications scanned in the future.
2X
X
Scaling Up for the Future
Continuous Delivery of Business Value with Fortify WHITE PAPER
9
KEY FINDING: FORTIFY ENABLES FASTER TIME TO MARKET
When organizations used Fortify to accelerate and improve the quality of their software security testing and remediation, they significantly reduced the length of their software development lifecycles, helping teams throughout the organization meet rapid-release deadlines. As illustrated below, before adopting Fortify, organizations faced longer testing timelines — the result of less-frequent and later-cycle scanning and remediation efforts. Respondents reported that late-cycle security “surprises” could easily threaten market launches.
With Fortify, organizations can scan code, find and fix vulnerabilities in frequent iterations starting early in the lifecycle, and leverage advanced triaging techniques to shrink cycles even further. The result: A greater number of relevant vulnerabilities are uncovered and remediated earlier, and tail-end surprises are minimized. Furthermore, repeat vulnerabilities are progressively reduced because developers learn to code more securely, resulting in cleaner and more secure code in each future cycle.
Num
ber o
f Vul
nera
bilit
ies
Foun
d
Time Time
Scalability and Time to Market Acceleration 30X More
2X MoreVulnerabilities Found
MoreVulnerabilities Remediated10X Faster
10–15X Faster Scans
95% Fewer False Positives
Effort PeaksHigh Risk
Rare Release Events“Waterfall Methodology”
Smoother EffortLess Risk
Frequent Release Events“Agile Methodology”
Without Fortify With Fortify
Faster Time to Market with Fortify
KEY FINDING: FORTIFY IMPROVES MANAGEMENT OF EXTENDED DEVELOPMENT ECOSYSTEMS
Managing Third-Party Developers
Many organizations today supplement their in-house developers with third-party coding contractors. Operationalizing the software security process to include these external teams, however, can be a complex challenge for development organizations.
Several of the companies we studied are using Fortify on Demand to extend security testing and quality control to third party developers. Some have created innovative “pay for performance” programs that enabled companies to adjust fees paid to outsourcing partners based on the “cleanliness” of the code delivered. The result: improved product quality and better value for the money spent on outside vendors.
Continuous Delivery of Business Value with Fortify WHITE PAPER
10
Simplify and reduce SSA set-up time
Scan faster
Find more vulnerabilities
Triage and audit faster
Reduce number of false positives
Reduce remediation effort
Avoid repeat vulnerabilties
10 point tools
1 to 3 weeks per app
Thousands per app
1 to 2 weeks per app
1,000 to 50,000 per app
3 to 4 weeks
Repeat vulnerabilities common
Single end-to-end tool
A few hours to 1 day
At least 2X more true vulnerabilities found
1 to 2 days
10s to 100s, 95% reduction
1 to 2 weeks
Repeat vulnerabilities reduced by 40%
Before FortifyBenefits After Fortify
Scalability 30 to 50 scans covering25 apps per quarter
300 scans covering75 apps per quarter
Summary of Operational Improvements from Fortify
EMPOWERING CONTINUOUS DELIVERY
Mainstay’s previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities, and doing so earlier in the software development lifecycle. The current survey clearly confirmed this earlier conclusion — with customers reporting they found twice as many relevant vulnerabilities with Fortify compared to competing solutions.
However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success. These included Fortify’s ability to produce fewer false positives, and its ability to provide rich insights and correlations to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the means to support their expanding development environments and significantly faster release cadences.
BENEFIT SUMMARYThe figure below summarizes the range of benefits that organizations can achieve by adopting Fortify. In addition to the operational improvements, many of the organizations found that Fortify enabled them to:
• Accelerate application time to market
• Reduce disaster recovery and data breach costs
• Get better value for services from third-party development vendors
TEAMING WITH FORTIFY FOR GREATER ASSURANCE
To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with managed services and resources from Fortify’s professional services team. These include best practices, metrics, and templates designed to ensure a predictable and measurable software security process.
Continuous Delivery of Business Value with Fortify WHITE PAPER
11
THE WAY FORWARDFor companies that leverage software to compete, the ability to rapidly develop and update applications has become a strategic necessity. Application development teams are addressing this demand for continuous software delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases.
For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing volumes of applications, security teams will need to introduce more automation and achieve even greater levels of operational efficiency.
In this survey of leading companies, we found that Fortify is changing the game for development and security teams. Using Fortify’s end-to-end application security solutions, organizations can test application code and remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost is a new generation of triaging tools and technologies that virtually eliminate false-positives and isolate valid vulnerabilities for swift remediation.
Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that can scale exponentially and ensure continuous delivery as the business’s reliance on software grows. In this new era, Fortify will continue to innovate and help organizations keep pace with high-performance application security solutions and services.
For more information about Fortify, visit fortify.com.
ENDNOTES
1 When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered.
2 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
3 The average development organization uses as many as 10 security testing and remediation tools.
4 This current survey builds on earlier studies of the business impact of Fortify solutions. See: “Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions,” Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf
5 “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
6 A leading bank reported that a scan for a large application could throw up as much as 50,000 vulnerabilities.7 Fortify’s more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said.8 A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%).9“Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
Sponsored by:
Research and analysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for
leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp.
This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained
from sources considered reliable, but is not warranted by Mainstay.
Copyright © 2017 Mainstay.
Mainstaywww.mainstaycompany.com
2929 Campus Drive, Suite 150 San Mateo, CA, 94405
p. 650.638.0575f. 650.638.0578