Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

Build Security Into Software Up Front: Believe It or Not, It's Cheaper and Faster

posted by janrinok on Tuesday May 08 2018, @07:37PM   Printer-friendly
from the obligatory-car-analogy dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

The financial benefits of finding and fixing defects throughout the software development life cycle (SDLC), starting at the very beginning, ought to make doing it a no-brainer. It is both easier and cheaper. One should build secure software from the ground up.

[...] The findings of a 2016 Forrester Research study call to mind an ancient proverb: A stitch in time saves nine. Or, in the case of software development, fixing defects early in the SDLC could reduce remediation costs by a factor of anywhere from 5 to 15.

The study set a baseline example of 5 hours of work to fix a defect in the coding/development stage. Finding and fixing that same defect in the final testing phase would take 5–7 times longer. And waiting until after the product was on the market to discover and fix the same defect would take even longer and cost 10–15 times more.

That doesn't include the potential cost of damages from a bad guy discovering the defect first and exploiting it to attack users.

And to the frequently stated worry that ongoing security testing creates intolerable delays in time to market, Forrester found the opposite: that it cuts time to market by 25%.

Hat tip to the old slashcode crew who left us some very good tools for doing exactly this.

Source: https://www.helpnetsecurity.com/2018/05/08/build-secure-software/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Build Security Into Software Up Front: Believe It or Not, It's Cheaper and Faster | Log In/Create an Account | Top | 20 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by stretch611 on Wednesday May 09 2018, @12:09AM

    by stretch611 (6199) on Wednesday May 09 2018, @12:09AM (#677257)

    While I agree that is easier and better to fix things before deployment, that is not how business sees it. Especially thanks to the short term thinking of wall street of "cut costs now so I can make a quick buck before I drop your stock."

    Actuaries tell the business not to care about security. It is cheaper for businesses to ignore it because likely they will not be found out and the consequences are minimal even if they are caught. Look at equifax... a year ago they lost data on 145 million people. Oh, I'm sure they will be forced to pay an insignificant fine... but far less than they should and surely not a deterrent to their bad business practices. They will probably get hit with a class action lawsuit as well... but will probably be settled with a minor financial hit payable to the lawyers and the people who lost their identity information will get the scam of "Identity Monitoring" for the next year.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3