The Information Protection and Business Resilience practice of KPMG in the United Kingdom is currently the largest Information Security/Cybersecurity practice of all the “Big 4” in the country and is in the process of growing further, targeting a team size of 500 by Dec 20161. IPBR does not currently offer any services related to software assurance, the only notable exception being penetration testing, a service which applies to both applications as well as infrastructures.
This document will attempt to make a case for the establishment of a Software Assurance service line within IPBR, enumerate the potential services that the service line will offer, list the relevant competencies IPBR will need to develop, recommend a go‐to‐market strategy, …show more content…
Although penetration testing is an
1 https://portal.ema.kworld.kpmg.com/Adv/SG02/go_itarc_lib/01/GlobalLeadershipPackMar14.pptx
Page 2 of 7 indispensable service that falls under the umbrella of software assurance, it is only one of the activities promoting software assurance. Penetration testing is a reactive service that has a number of limitations: Can only reveal a subset of existing software defects (due to its time‐bound nature and the finite test cases that can be realistically tried during the course of the engagement)
Will not reveal latent defects that a small configuration or code change can bring to the surface Can only assess the security of the finished product, i.e. all development activity must be concluded before the software can be subjected; any defect identified will need to return the product to the phase the defect was introduced and continue the development process from there Absence of evidence of defects during testing does not constitute conclusive proof of absence of defects
2.1.2.CESG CPA Test Lab …show more content…
4.1.2.Competition3
In contrast to the overpopulated penetration testing market, the software assurance market is considerably less populated. In the UK software assurance services is provided by a small number of large vendors and system integrators (e.g. IBM, McAfee, CGI, etc.) and small information security consulting firms (e.g. Portcullis, Security Alliance, Pentest Limited, etc.). The perceived leader in the field is Cigital, one of the strong international names, with local presence in the UK.
4.1.3.Target Services
The entire range of Software Assurance service line services can be presented to clients who are interested in software assurance; some clients will have their own software development capabilities while others, who are purchasing critical applications, might retain IPBR to perform software assurance engagements to their software vendors as part of a system acquisition due diligence.
4.1.4.Target Customers
Again, due to the ubiquity of software, all IPBR clients are potential software assurance service customers. It is suggested that, initially, clients with which IPBR has a long‐standing and strong relationship be targeted first as the sales cycle shall be shorter and easier; these clients will
This document will attempt to make a case for the establishment of a Software Assurance service line within IPBR, enumerate the potential services that the service line will offer, list the relevant competencies IPBR will need to develop, recommend a go‐to‐market strategy, …show more content…
Although penetration testing is an
1 https://portal.ema.kworld.kpmg.com/Adv/SG02/go_itarc_lib/01/GlobalLeadershipPackMar14.pptx
Page 2 of 7 indispensable service that falls under the umbrella of software assurance, it is only one of the activities promoting software assurance. Penetration testing is a reactive service that has a number of limitations: Can only reveal a subset of existing software defects (due to its time‐bound nature and the finite test cases that can be realistically tried during the course of the engagement)
Will not reveal latent defects that a small configuration or code change can bring to the surface Can only assess the security of the finished product, i.e. all development activity must be concluded before the software can be subjected; any defect identified will need to return the product to the phase the defect was introduced and continue the development process from there Absence of evidence of defects during testing does not constitute conclusive proof of absence of defects
2.1.2.CESG CPA Test Lab …show more content…
4.1.2.Competition3
In contrast to the overpopulated penetration testing market, the software assurance market is considerably less populated. In the UK software assurance services is provided by a small number of large vendors and system integrators (e.g. IBM, McAfee, CGI, etc.) and small information security consulting firms (e.g. Portcullis, Security Alliance, Pentest Limited, etc.). The perceived leader in the field is Cigital, one of the strong international names, with local presence in the UK.
4.1.3.Target Services
The entire range of Software Assurance service line services can be presented to clients who are interested in software assurance; some clients will have their own software development capabilities while others, who are purchasing critical applications, might retain IPBR to perform software assurance engagements to their software vendors as part of a system acquisition due diligence.
4.1.4.Target Customers
Again, due to the ubiquity of software, all IPBR clients are potential software assurance service customers. It is suggested that, initially, clients with which IPBR has a long‐standing and strong relationship be targeted first as the sales cycle shall be shorter and easier; these clients will