Independent Software Vendors (ISV)

Industry Situation

Many organizations are demanding that software vendors deliver products that are inherently secure and free of security vulnerabilities. Large ISVs, such as Oracle, Adobe, and Intuit started analyzing their products for security vulnerabilities several years ago. These companies understood the necessity to deliver not only functioning products, but also secure products, that would not be the cause of security breaches. Over the last three years, more ISVs, ranging from large organizations, to very small and specialized ISVs have begun licensing source code analysis technology to scan their code bases for security vulnerabilities. The result: the discovery of numerous vulnerabilities that are steadily being eliminated.

Key Challenges for ISV's

• Inherent focus on new features and not on security
• Financial organizations demanding that ISVs demonstrate the security of their software
• Increased visibility when a security breach is caused by a vulnerability in the ISV software

Key Trends and Statistics

• 75% of all breaches are due to software flaws
  - Gartner
• Over 212 MM private records were stolen between 2005-2007
  - Privacy Rights, Clearinghouse
• The number of vulnerabilities reported in major applications has increased at an average rate of 43% every year between 1995 and 2006
  - CERT
• The cost of fixing a vulnerability in development is 6% of the cost of fixing it when discovered once the software is released
  - "Software Defect Reduction Top 10 List," IEEE Computer, IEEE Computer Society

Fortify Experience

Fortify is helping numerous ISVs, including 5 of the top 7 in the US, develop more secure software. These customers use our source code analysis capabilities and our experienced services group to embed security into their development process.