No customer wants to knowingly buy a product or service with security flaws. As connectivity and code become ubiquitous parts of those products and services, secure products require application security. It is no surprise, then, that we project the application security market will grow to $12.9 billion by 2025. Attackers understand the shift to software well: per Forrester data, 35% of external attacks were carried out using a software vulnerability exploit, and 32% used an application exploit. In response, implementing application security products and services is the number one tactical priority for security decision-makers in our recent Forrester Analytics survey. Whether your focus is B2C or B2B, securing what you sell is the only way to earn, and keep, the trust of your customers.

Start To Secure Products Before The Software Development Lifecycle Begins

Forrester’s new product security research portfolio aligns CISOs with the Product Marketing and Management (PMM) Model. To help CISOs enter often uncharted — and incredibly different — waters, our approach overlays exactly which security activities should occur within each stage of the PMM Model, giving security leaders the ability to integrate before a traditional software development lifecycle would begin and continue through launch to the next version of the product. CISOs who want to level up will tie themselves directly to revenue generation, and the Secure What You Sell Model provides a guide to get there. This research helps security pros:

  • Engage effectively with the PMM Model throughout the product lifecycle.
  • Establish practices that focus on securing what you sell.
  • Benchmark current application security practices.

Next Up: Deep Dives Into Collaboration, Minimum Viable Security, SBOM, And More

Our planned research will help CISOs become transformational, customer-facing leaders as they engage with product teams and interact with customers in entirely new ways. It will guide you on the journey to secure what you sell, covering topics such as:

  • Alignment. Executing successfully requires teams to trust each other, collaborate, and engage openly. Upcoming research will identify the characteristics, behaviors, and outcomes that distinguish collaborative and effective cybersecurity and product management teams.
  • Minimum viable security. In addition to our existing definition of minimum viable security (MVS), we will examine what MVS means within each of the six phases of the Secure What You Sell Model to inform security, risk, and privacy leaders on how to tailor product security for minimum viable products.
  • Transparency. When the US government included software bills of materials (SBOMs) in the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), the discussion around SBOMs became frenzied. The order set deadlines for defining the minimum elements of an SBOM, for the framework around it, and for identifying the specific software it applies to, taking SBOMs from “coming soon” to “here now” almost overnight. Expect sales cycles to stall and deals to be lost when a vendor cannot produce an SBOM, or produces one a buyer cannot use. Soon, we will have more content to help security leaders frame SBOMs in product security terms so that their business doesn’t suffer.
  • Technology evaluation. Product security requires more than a successful strategy and alignment. Protecting products and services also requires technology. Future Forrester Wave™ evaluations in 2022 will include a look at bot management and web application firewalls.
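The transparency bullet above is where deals get held up in practice: a buyer asks for an SBOM, then asks whether it is complete and whether a given component is in the product. As an added example (not Forrester's code, and not part of the original post), the following Python script loads a constructed CycloneDX 1.4 JSON SBOM for a hypothetical product, checks it against the NTIA minimum elements that followed the executive order (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), and answers the procurement question "which versions of component X do you ship?". The product name, component names, versions and the SBOM document itself are all constructed for illustration.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements and answer a
customer's "do you ship X?" question.  Added example, not Forrester's code;
every name and version below is constructed for illustration."""
import json
from typing import List

# Constructed CycloneDX 1.4 document for a hypothetical product "acme-portal".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2022-01-10T12:00:00Z",
        "authors": [{"name": "Acme Product Security"}],
        "component": {"type": "application", "name": "acme-portal", "version": "3.2.0",
                      "bom-ref": "pkg:generic/acme-portal@3.2.0"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.17.1",
         "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@2.17.1",
         "bom-ref": "pkg:generic/libfoo@2.17.1"},
        # No supplier and no purl/cpe/swid: typical of a hand-built SBOM and
        # exactly what a buyer's review will reject.
        {"type": "library", "name": "widget-js", "version": "1.0.0",
         "bom-ref": "widget-js@1.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-portal@3.2.0",
         "dependsOn": ["pkg:generic/libfoo@2.17.1", "widget-js@1.0.0"]},
        # Dangling reference: points at a bom-ref declared nowhere in the document.
        {"ref": "widget-js@1.0.0", "dependsOn": ["pkg:npm/missing@0.1.0"]},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def check_minimum_elements(sbom: dict) -> List[str]:
    """Return human-readable findings; an empty list means every NTIA minimum
    element is present and all dependency references resolve."""
    findings: List[str] = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    if not meta.get("authors"):
        findings.append("metadata.authors missing (author of SBOM data)")

    # Collect every declared bom-ref so dependency edges can be resolved.
    refs = {meta.get("component", {}).get("bom-ref")}
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        refs.add(comp.get("bom-ref"))
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{label}: {field} missing")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: supplier missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
    refs.discard(None)

    deps = sbom.get("dependencies", [])
    if not deps:
        findings.append("dependencies missing (dependency relationship)")
    for dep in deps:
        for target in [dep.get("ref")] + dep.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependency references undeclared bom-ref {target}")
    return findings


def find_component(sbom: dict, name: str) -> List[str]:
    """Versions of `name` shipped in the product, sorted; empty if not present."""
    return sorted(c["version"] for c in sbom.get("components", [])
                  if c.get("name") == name and "version" in c)


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    for finding in check_minimum_elements(doc):
        print("FINDING:", finding)
    print("libfoo versions shipped:", find_component(doc, "libfoo"))
```

Run as-is, the script reports two gaps on `widget-js` (no supplier, no identifier) and one dangling dependency, which is the difference between an SBOM that satisfies a buyer's review and one that stalls the deal; the per-component check is the same one a sales engineer can run before the customer does.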