The Build vs Buy Decision

Axiomatics   ·   Tuesday, June 12th, 2018

Authorization of user access to data and applications is more important than ever – and enterprises are looking to solve this in the best way possible. That includes weighing a “Do It Yourself” in-house scenario vs. outsourcing to a qualified vendor.

When making a Build vs Buy decision for IAM and dynamic authorization, you must take into account the hidden costs of DIY, including: human costs, costs of risk, cost of technical debt, competitive losses, and opportunity costs.

Human Costs: Building and Maintaining Effective Authorization Takes Specialized Expertise

Building your own policy decision engine and writing policies on your own takes a great deal of time and resources to successfully complete. Ask of yourself and your development team: “Do I currently possess the resources and expertise to make the software better, or equally as good, than those solutions currently available?”

According to glassdoor.com, the average annual base pay for a Software Engineer is $104,463 and Senior Security Engineer Annual Salary is around $165,732.

Cost of Risk: Mistakes Are Expensive

The average cost of a data breach, according to Ponemon Institute, is $3.6M (1). Organizations without a mature approach to identity and access management see 2x more breaches and $5M more per breach in costs than those that do IAM correctly. (2)

Likelihood of Making a Mistake

If your core competency is not security development, it is very easy to leave out key features when building on your own. Broken access control is one of the Top 10 security mistakes developers make. (3)

In addition, many open source components DIY builds depend on are highly insecure. 67% of applications using open source component have vulnerabilities in those components. (4)

The modern software ecosystem has created a level of complexity that is increasingly hard to manage, and partnering with a security technology expert can help your organization keep pace with development without sacrificing security.

Cost of Technical Debt: DIY Authorization Won’t Scale With You

The cost of hard-coding security rules into APIs or microservices of applications translates into higher technical debt for two big reasons:

1. Higher code complexity
2. Pace of policy changes (means a constant need to change the code itself)
   

Higher technical debt inevitably leads to higher cost of maintenance. This could be a huge iceberg waiting to sink the project.

According to helpnetsecurity.com, 90% of the software’s TCO will be hidden in the maintenance phase. (5)

Read more about the Build vs Buy decision, including opportunity and competitive costs to consider, by downloading our infographic:

(1) https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN; (2) 4infosecurity-magazine.com/news/iam-maturity-meanshalf-the/;(3) https://www.blackducksoftware.com/sites/default/files/images/Downloads/Reports/USA/OSSRA17_Rpt_UL.pdf, (4) blackducksoftware.com/sites/default/files/images/Downloads/
Reports/USA/OSSRA17_Rpt_UL.pdf;  (5) https://www.helpnetsecurity.com/2018/03/02/secops-reality-gap/