Monday, July 1, 2024

Vendor consolidation can make securing software simpler, easier, and better—if you do it correctly

Diversity is generally considered a good thing, and for good reason. Monoculture, monochrome, monochromatic and monolithic everything ranges from boring (and therefore monotonous) to unhealthy, even dangerous.

However, when it comes to building secure software, diversity may matter less than what is most effective and efficient. One of the latest industry trends documented by the analytics firm Gartner appears in its report “Key Trends in Cybersecurity in 2022.” According to the report, 75% of security and risk management leaders (up from 29% two years ago) are seeking ways to reduce the number of vendors they use for software security tools and services, “driven by the need to reduce complexity, leverage commonality, reduce management overhead, and deliver more effective security.”

To be more specific, they’re looking for something simpler, cheaper, and better.

The concept of consolidation is not new. Experts have warned for many years about the dangers of “tool proliferation.” Multiple surveys show that organizations are running between 25 and 49 security tools from as many as 10 different vendors.

For a start, having multiple tools doing the same job is almost certainly overkill. Beyond that, too many tools can overwhelm your development team by generating too many warnings. Alerts become background noise and are ignored. This is the opposite of the intent: instead of improving security, using multiple tools weakens it.

Similar thinking is now being applied to what might be called “vendor sprawl,” or, to use a more general cliché, “too many cooks” syndrome.

The reality is that systems, interfaces, and tools from different vendors don’t always work well together, even if some of those tools are considered best-in-class. When they don’t, organizations need to hire and train staff to manage the incompatibilities.

Gartner points out that most organizations cannot afford this kind of complex management. According to the report, “The technical security staff required to effectively integrate a leading portfolio of security products is not available to most organizations.”

So the consolidation trend clearly has potential payoffs. This is especially true in a weakening economy where numerous financial experts are warning of a recession.

In practice, most people make their major purchases from a single supplier. You don’t buy a car with one brand of engine, another brand of brakes, and a third brand of infotainment system. No single brand may offer best-in-class products across all systems or components, but buyers choose based on what they believe matters most. These days, better mileage and longevity can easily trump a comfortable seat or a set of luxury features.

However, there are also potential risks. Another cliché warns about the dangers of putting all your eggs in one basket. Even financial advisors say it constantly, telling their clients to keep a diversified portfolio to balance their risks, so that the collapse of one investment does not wipe out the entire nest egg.

So, for any organization looking to consolidate with one or two vendors, the message is not to give up on the idea, but to do it very carefully. In most cases, long-term contracts mean you will live with that decision for several years, and making the wrong choice can lead to long-term headaches.

And this leads to the main question: what’s the best way to research potential security vendors?

Start with your portfolio. If you intend to use products and services from a single vendor, that vendor must cover multiple security requirements. One of the so-called “must-have three” automated tools, such as Static Application Security Testing (SAST), is not enough on its own. The other two, Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST), are not mere add-ons, the fries that come with the hamburger; they are part of the meal.

To use another image: a chain with any weak link is a weak chain, and that is toxic to a software development lifecycle in which running the right tests at the right time is the only way to ensure that security is built in at hyperdrive development speeds. Also keep in mind that software risks are business risks.

Demand an open platform. Consolidation is not an overnight event where you turn off six switches and leave one on. According to Jim Ivers, vice president of marketing for Synopsys Software Integrity Group, vendor consolidation is “like changing a tire on a moving vehicle.” To make that kind of switch in software security, you need a platform that can work with your existing security testing tools to smooth the transition. Without one there will be testing gaps, exactly what you don’t want.

Check stability and longevity. Any vendor you choose will be a partner for a long while. Does it have a history of evolving its portfolio to keep pace with rapidly evolving development technologies and threats?

In short, consolidation can be good or bad depending on how it is done. To stay on the good side, spend your time in a way that helps build trust in your software.

If you need help, the Synopsys Software Integrity Group meets or exceeds the portfolio, platform, stability and longevity standards described above, and we’re not the only ones saying so: Gartner has placed Synopsys in its Magic Quadrant for Application Security Testing 7 years in a row. Visit us here to learn more.
