The financial benefits of finding and fixing defects throughout the software development life cycle (SDLC), starting at the very beginning, ought to make doing it a no-brainer. It is both easier and cheaper. One should build secure software from the ground up.
[...] The findings of a 2016 Forrester Research study call to mind an ancient proverb: A stitch in time saves nine. Or, in the case of software development, fixing defects early in the SDLC could reduce remediation costs by a factor of anywhere from 5 to 15.
The study set a baseline example of 5 hours of work to fix a defect in the coding/development stage. Finding and fixing that same defect in the final testing phase would take 5–7 times longer. And waiting until after the product was on the market to discover and fix the same defect would take even longer and cost 10–15 times more.
That doesn't include the potential cost of damages from a bad guy discovering the defect first and exploiting it to attack users.
And to the frequently stated worry that ongoing security testing creates intolerable delays in time to market, Forrester found the opposite: that it cuts time to market by 25%.
Source: https://www.helpnetsecurity.com/2018/05/08/build-secure-software/
(Score: 2) by Gaaark on Tuesday May 08, @08:08PM
I'd say tell it to MS, but I don't think they realise what a defect or security is.
(Score: 2) by turgid on Tuesday May 08, @08:37PM
I thought the whole Lean/Agile thing was old hat now and we were back to Wild West development mixed with Waterfall because we're Real Men(TM)?
(Score: 2) by MichaelDavidCrawford on Tuesday May 08, @08:40PM
I've worked for lots of shops where QA didn't start until the product was feature-complete.
That those products were always ridden with bugs got me into automated testing.
(Score: 0) by Anonymous Coward on Tuesday May 08, @08:48PM
The gist of the article is that it is usually cheaper to prevent an expensive problem before it occurs than it is to deal with the fallout afterwards. This is generally good sense and applies to almost any kind of problem that you might face. Implicit in this is a risk management factor: a problem may be expensive but if it's sufficiently unlikely to actually happen then it may not actually make sense to bother with prevention.
But security problems are rarely an example of this, because security failures are usually not expensive problems. "Security evangelists" (a lovely term from the article that sums up the attitude of these people) assume the cost of failure is so dire that literally any possible thing that you can do to prevent a security problem is money well spent and worth doing at all costs. Like temporarily losing control of your credit account will condemn your soul to eternal damnation or something.