Comments on “Mythbusting: Secure Code is Less Expensive to Develop”

WhiteHat Security’s Jeremiah Grossman just put up a blog post titled “Mythbusting: Secure Code is Less Expensive to Develop”. In it he looks at the cost of fixing the vulnerabilities in an “average” web application.

This is an interesting analysis, but it should probably be expanded to address more types of vulnerabilities and to look at how vulnerabilities cluster in applications.

If you get your fundamental coding idioms wrong (building SQL queries by string concatenation, writing user input into HTML without encoding it), you are going to end up with a whole bunch of XSS or SQLi vulnerabilities. Fixing the first one might take a couple of hours (environment setup, tracking down the issue, testing the fix), but fixing vulnerability N+1 is pretty cheap because you just go to the next instance and change the code the same way. Rinse and repeat. It isn’t fun work, but at least it is predictable to schedule. Project managers love this.
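To make the “idiom” point concrete, here is an added example (not code from the original post or from WhiteHat) showing the two broken idioms next to their mechanical fixes. The table, the rows and the function names are constructed for illustration; the fix for each is the same one-line change, which is why the second, third and fiftieth instance cost so much less than the first.

```python
import html
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Broken SQL idiom: the user-supplied value is pasted into the query text.

    The quotes around the value are no protection; an input such as
    ' OR '1'='1 closes the string literal and rewrites the WHERE clause.
    """
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """Corrected SQL idiom: the query text is constant and the value is bound.

    Every other query in the code base gets this same edit, so once the team
    knows the pattern each additional finding is a few minutes of work.
    """
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def greeting_vulnerable(name):
    """Broken HTML idiom: untrusted text concatenated straight into markup."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    """Corrected HTML idiom: encode for the HTML context before concatenating."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run the SQLi payload through both query functions; returns (leaked_rows, safe_rows)."""
    conn = make_db()
    payload = "' OR '1'='1"
    leaked = find_user_vulnerable(conn, payload)  # WHERE clause becomes always-true
    safe = find_user_fixed(conn, payload)         # no user has that literal name
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {leaked} rows, parameterized query returned {safe}")
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_fixed("<script>alert(1)</script>"))
```

The point is not the specific payload but the shape of the fix: a constant query string plus bound parameters, or an output-encoding call at the point where data meets markup. Once that shape is agreed on, remediation of the remaining findings is a search-and-edit exercise rather than an investigation.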

Business logic issues are a lot more variable to fix. It could be as simple as adding a permissions check before allowing data access, or it could require you to change the application requirements, and then those changes have to flow down through the development process. Project managers like these less because they could take a lot of effort or a little. Uncertainty and variability are not the project manager’s friends.
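The “simple” end of that range looks like the following added example (not code from the original post). It is a direct-object-reference flaw: the query is already parameterized, so the SQL-idiom fix above does nothing for it, and nothing in the code is wrong in a way a pattern scanner would flag; the bug is the check the code never makes. Table, rows, user ids and function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the original post): two users, each owning documents.
SAMPLE_DOCS = [
    (10, 1, "alice's salary review"),
    (11, 1, "alice's notes"),
    (20, 2, "bob's contract"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_DOCS)
    return conn


def get_document_vulnerable(conn, requesting_user_id, doc_id):
    """Missing authorization: any authenticated user can read any document by id.

    The parameter binding is correct, so there is no injection here. The
    requesting user is accepted but never consulted, which is the whole bug.
    """
    return conn.execute(
        "SELECT id, owner_id, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_fixed(conn, requesting_user_id, doc_id):
    """The cheap business-logic fix: confirm ownership before returning data.

    'Does not exist' and 'belongs to someone else' raise the same error so
    the endpoint cannot be used to enumerate which ids are valid.
    """
    row = conn.execute(
        "SELECT id, owner_id, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    if row is None or row[1] != requesting_user_id:
        raise PermissionError("document not accessible")
    return row


def demo():
    """Exercise both versions as user 2 (bob) asking for user 1's document 10.

    Returns (vulnerable_leaked, fixed_owner_can_read, fixed_other_user_denied).
    """
    conn = make_db()
    leaked = get_document_vulnerable(conn, 2, 10) is not None
    owner_ok = get_document_fixed(conn, 1, 10)[2] == "alice's salary review"
    try:
        get_document_fixed(conn, 2, 10)
        denied = False
    except PermissionError:
        denied = True
    return leaked, owner_ok, denied


if __name__ == "__main__":
    print(demo())
```

This is the cheap case because the requirement (“users see only their own documents”) already exists and the fix is local to one function. The expensive case is when the question “who is allowed to see this?” has no agreed answer yet, and the check cannot be written until product, legal and the business owner have produced one.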

Architectural issues are the most variable, and the level of effort required for the fix tends to start large and get enormous. I worked on one system where a single vulnerability (a weakness in the way authentication worked) required a multi-year change control effort. Yikes! Needless to say, project managers (and line of business managers, executives, boards of directors…) like these the least.

I like the idea of economically modeling remediation efforts, and I think the model should be expanded to look at the mix of vulnerabilities found in applications as well as the mix of applications that organizations have.

I gave a talk about Vulnerability Management in an Application Security World at OWASP Minneapolis/St. Paul a while back; it is up on Google Video. We talk a bit about the economics surrounding fixing identified vulnerabilities in there.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

One Response to “Comments on “Mythbusting: Secure Code is Less Expensive to Develop””

  1. G

    I’m twittering this on Monday… Very interesting feedback and honestly enough, I had similar thoughts when I read through it… Great point about the different types of vulnerabilities such as business logic & architectural style vul’s – those are the ones people have no idea how to fix, or most often, even find! Guess that’s why they’re subscribed to this blog now isn’t it?
