
SoylentNews is people

posted by janrinok on Tuesday May 08 2018, @07:37PM
from the obligatory-car-analogy dept.

Submitted via IRC for TheMightyBuzzard

The financial benefits of finding and fixing defects throughout the software development life cycle (SDLC), starting at the very beginning, ought to make doing it a no-brainer. It is both easier and cheaper. One should build secure software from the ground up.

[...] The findings of a 2016 Forrester Research study call to mind an ancient proverb: A stitch in time saves nine. Or, in the case of software development, fixing defects early in the SDLC could reduce remediation costs by a factor of anywhere from 5 to 15.

The study set a baseline example of 5 hours of work to fix a defect in the coding/development stage. Finding and fixing that same defect in the final testing phase would take 5–7 times longer. And waiting until after the product was on the market to discover and fix the same defect would take even longer and cost 10–15 times more.

That doesn't include the potential cost of damages from a bad guy discovering the defect first and exploiting it to attack users.

And to the frequently stated worry that ongoing security testing creates intolerable delays in time to market, Forrester found the opposite: that it cuts time to market by 25%.

Hat tip to the old slashcode crew who left us some very good tools for doing exactly this.

Source: https://www.helpnetsecurity.com/2018/05/08/build-secure-software/


  • (Score: 2, Interesting) by Anonymous Coward on Tuesday May 08 2018, @08:48PM (5 children)

    by Anonymous Coward on Tuesday May 08 2018, @08:48PM (#677179)

    The gist of the article is that it is usually cheaper to prevent an expensive problem before it occurs than it is to deal with the fallout afterwards. This is generally good sense and applies to almost any kind of problem that you might face. Implicit in this is a risk management factor: a problem may be expensive but if it's sufficiently unlikely to actually happen then it may not actually make sense to bother with prevention.

    But security problems are rarely an example of this, because security failures are usually not expensive problems. "Security evangelists" (a lovely term from the article that sums up the attitude of these people) assume the cost of failure is so dire that literally any possible thing that you can do to prevent a security problem is money well spent and worth doing at all costs. Like temporarily losing control of your credit account will condemn your soul to eternal damnation or something.

  • (Score: 3, Insightful) by stretch611 on Wednesday May 09 2018, @12:09AM

    by stretch611 (6199) on Wednesday May 09 2018, @12:09AM (#677257)

    While I agree that it is easier and better to fix things before deployment, that is not how business sees it. Especially thanks to the short-term thinking of Wall Street of "cut costs now so I can make a quick buck before I drop your stock."

    Actuaries tell the business not to care about security. It is cheaper for businesses to ignore it because likely they will not be found out and the consequences are minimal even if they are caught. Look at Equifax... a year ago they lost data on 145 million people. Oh, I'm sure they will be forced to pay an insignificant fine... but far less than they should and surely not a deterrent to their bad business practices. They will probably get hit with a class action lawsuit as well... but it will probably be settled with a minor financial hit payable to the lawyers, and the people who lost their identity information will get the scam of "Identity Monitoring" for the next year.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 2) by driverless on Wednesday May 09 2018, @02:12AM

    by driverless (4770) on Wednesday May 09 2018, @02:12AM (#677298)

    Precisely. You'd have to choose your data very carefully to be able to make an economic argument for security. The best strategy from a purely financial viewpoint is to make your product as insecure as you can possibly get away with (meaning spend as close to zero on security as you can), because on the off chance that you do get hit, a soothing press release and an offer of free credit monitoring will still cost you less. The formula to remember is "$cost_of_good_security >>> $cost_of_damage_control * $chance_of_getting_hit".

  • (Score: 3, Informative) by JoeMerchant on Wednesday May 09 2018, @02:58AM

    by JoeMerchant (3937) on Wednesday May 09 2018, @02:58AM (#677315)

    It depends on your industry what the ratios are.

    For the ones I've worked in, if it takes 5 man hours to find/fix in development, it might take 8 to find/fix in final test, and about 1500 to fix if we let it out "in the wild." We've got ~20 developers, ~5 testers, and an army of Quality, Regulatory, Marketing, Production and Project Management who are all available to "help out" when a problem that needs fixing makes it to the customers.

    Catch it in development, the discussion is usually between 2-3 people. Catch it in final test and 4-5 people are involved. Catch it in the field and there are over 100 players that touch it in some way or another, multi-layered meetings about the meetings to ensure that it is properly addressed, reviewed, documented, trained, etc.

    --
    🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Wednesday May 09 2018, @04:22PM

    by Anonymous Coward on Wednesday May 09 2018, @04:22PM (#677483)

    That's fine if they're just risking their data, but it's not fine if they're also risking mine. Don't do business with them? Not an option. In the 21st century, you need to do business with all sorts of companies, and many of them are going to hold some important data about you. It is not acceptable to just shrug off security as being not worth it.

  • (Score: 2) by DannyB on Wednesday May 09 2018, @06:42PM

    by DannyB (5839) Subscriber Badge on Wednesday May 09 2018, @06:42PM (#677556) Journal

    It's even cheaper (yes, really!) to just NOT build in security at all. Living under the delusion that you can just bolt security on later. As if it is just a bullet point that you add to the sales presentation list.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.