Fortify Software and Mainstay Partners Survey Security Executives to Find the Real ROI of Software Security

Study Finds Software Security Assurance Savings Equals US$2.4M per Year, and Savings Increase Exponentially with Broad SSA Adoption

NEW YORK, September 13, 2010 - CSO Security Standard — Fortify Software, the market leader in Software
Security Assurance (SSA) solutions, today released the results of an in-depth
study with Mainstay Partners to find the true Return on Investment (ROI) of
software security assurance solutions at the CSO Security Standard Conference
in New York, NY. Roger Thornton, Founder & CTO of Fortify, will unveil the
results of this first-of-its-kind study during his keynote presentation at
the show, "Now Moving to the Corner Office: The Business Value of Software
Security."

After conducting and analyzing the results of executive interviews with
17 of Fortify's global customers, including Fortune 500 companies across the
financial services and government sectors, Mainstay was able to identify,
qualify and quantify the full range of benefits organizations are seeing from
their SSA investments. The survey revealed that, with baseline savings at
US$2.4M per year, companies are finding that investing in efficiency and
productivity improvements, including faster, less-costly code scanning and
vulnerability remediation, and streamlined compliance and penetration
testing, pays dividends in preventative savings.

"Not surprisingly, at a time when IT budgets are coming under closer
scrutiny, chief information security officers are being called on to justify
their software security investments from a cost-benefit perspective," said
Thornton. "We believe this study provides a good framework for the business
and financial justification of an investment in software security.
Organizations that take a program-level approach to security will not only
reduce risk, but get a much greater strategic return on software security."

"We reviewed 30 software security providers and found that, while
everyone talks about ROI, no one has really quantified the business value of
SSA," said Amir Hartman, co-founder and managing director of Mainstay
Partners. "Fortify's effort to put some real cost and time savings against an
investment in SSA is unique in the industry, and should give security
executives the language they need to communicate the value of SSA in a way
that resonates with senior IT and business leaders."

Based on the C-level interviews conducted between April and August of
this year, the study found that exponential increases in benefits are being
achieved by companies that deploy SSA in more comprehensive and innovative
ways. These advanced deployments include embedding software security controls
and best practices throughout the application development lifecycle,
extending SSA programs into critical customer-facing product areas, and
leveraging SSA to seize unique value-generating opportunities. For these
strategic companies, the benefits of application security solutions can add
up to as much as US$37M per year.

Mainstay's research also revealed that securing buy-in from senior IT
leadership, including the CIO and head of application development, is another
way to successfully deploy a high-value, strategic SSA solution. Without this
commitment, there is little likelihood that organizations can realize maximum
value from a strategic SSA deployment. To gain support from senior
leadership, about 90 percent of the executives surveyed said that proving
SSA's payback potential in the form of a business case or ROI assessment was
critical.

Other key findings among customers who had optimized their adoption of
SSA include:

    - Vulnerabilities per application reduced from 1000's to 10's
    - Average time to fix a vulnerability reduced from 1 to 2 weeks to
      1 to 2 hours
    - The percentage of repeat vulnerabilities reduced from 80% to 0%
    - Costs for compliance and penetration tests reduced from ~US$500k
      to US$250k
    - Time-to-market delays due to vulnerabilities reduced from 4+
      incidents (30 days each) to none

To learn more about this ROI study or to receive a copy of the study,
titled "Does Application Security Pay? Measuring the Business Impact of
Software Security Assurance Solutions", please go to
https://www.fortify.com/ssa-basics/why-ssa/roi_study_2010.html.

About Fortify Software, Inc.

Fortify(R)'s Software Security Assurance products and services protect
companies from the threats posed by security flaws in business-critical
software applications. Its software security suite — Fortify 360 — drives
down costs and security risks by automating key processes of developing and
deploying secure applications. Fortify Software's customers include
government agencies and FORTUNE 500 companies in a wide variety of
industries, such as financial services, healthcare, e-commerce,
telecommunications, publishing, insurance, systems integration and
information management. The company is backed by world-class teams of
software security experts and partners. More information is available at
www.fortify.com or visit our blog at blog.fortify.com.

Danielle Eccleston of Merritt Group, +1-703-390-1537, Eccleston at Merrittgrp.com, for Fortify Software