WhiteHat Security’s Jeremiah Grossman just put up a blog post titled “Mythbusting: Secure Code is Less Expensive to Develop”. In it he looks at the cost of fixing the vulnerabilities in an “average” web application.
This is an interesting analysis, but it should probably be expanded to cover more types of vulnerabilities and to look at how vulnerabilities cluster within applications.
If you get your fundamental coding idioms wrong, you’re going to end up with a whole bunch of XSS or SQLi vulnerabilities. Fixing the first one might take a couple of hours (setting up the environment, tracking down the issue, testing the fix), but fixing vulnerability N+1 is pretty cheap because you just go to the next instance and change the code. Rinse and repeat. It isn’t fun work, but at least it is predictable to schedule. Project managers love this.
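To make the “wrong idiom, repeated N times” point concrete, here is an added example (not code from the original post or from Denim Group) showing the two idioms side by side: SQL built by string concatenation versus a bound parameter, and HTML built by raw interpolation versus output encoding. The `users` table and its rows are constructed for the example; the fix for every other call site in a real application is the same mechanical swap.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The wrong idiom: the query is assembled as text, so input becomes SQL code."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """The corrected idiom: a bound parameter, so input is only ever treated as data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name):
    """Reflected XSS idiom: untrusted text dropped straight into an HTML body."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Corrected idiom: encode for the HTML body context before interpolating."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row comes back
    print("safe:      ", find_user_safe(db, payload))        # no such user
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The payload `x' OR '1'='1` turns the concatenated query into a tautology and returns every user; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none. Once the safe helper exists, fixing the next 30 findings from the scanner is a matter of replacing the call, which is exactly why the marginal cost drops so sharply after the first fix.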
Business logic issues are a lot more variable to fix. The fix could be as simple as adding a permissions check before allowing data access, or it could require changing the application requirements, with those changes then flowing down through the rest of the development process. Project managers like these less because they could take a lot of effort or a little. Uncertainty and variability are not the project manager’s friends.
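The “add a permissions check before allowing data access” case is the cheap end of this range. The following is an added example, not code from the original post: a direct object reference where any authenticated user can pull any invoice by id, beside the fixed version that loads the record and then verifies the caller owns it or holds an assumed `billing_admin` role. The `User` class, the `invoices` table and the role name are all constructed for the example.

```python
import sqlite3


class User:
    """Hypothetical session principal: a name plus a set of role strings."""

    def __init__(self, name, roles=()):
        self.name = name
        self.roles = set(roles)


def make_db():
    """Constructed invoice records owned by two different customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(100, "alice", 250), (101, "bob", 75)],
    )
    return conn


def _load_invoice(conn, invoice_id):
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_vulnerable(conn, user, invoice_id):
    """Missing authorization: being logged in is the only requirement,
    so a user who guesses another customer's invoice id reads it."""
    return _load_invoice(conn, invoice_id)


def get_invoice_safe(conn, user, invoice_id):
    """Fixed: fetch the object, then check the caller's relationship to it
    before returning it. Raises PermissionError on a failed check."""
    row = _load_invoice(conn, invoice_id)
    if row is None:
        return None
    _, owner, _ = row
    if owner != user.name and "billing_admin" not in user.roles:
        raise PermissionError(f"{user.name} may not read invoice {invoice_id}")
    return row


if __name__ == "__main__":
    db = make_db()
    bob = User("bob")
    print(get_invoice_vulnerable(db, bob, 100))  # alice's invoice leaks to bob
    try:
        get_invoice_safe(db, bob, 100)
    except PermissionError as exc:
        print("denied:", exc)
```

Whether the check belongs in the handler, the data-access layer, or a central policy function is the design question that makes the cost variable; one handler is an afternoon, while retrofitting ownership checks across every object type in a large application is the “requirements change” case the paragraph describes. Note also that the fixed version distinguishes “not found” from “forbidden”; some applications deliberately collapse both to a 404 so that invoice ids cannot be enumerated.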
Architectural issues are the most variable of all, and the level of effort required for the fix tends to start large and get enormous. I worked on one system where a single vulnerability (a weakness in the way authentication worked) required a multi-year change control effort. Yikes! Needless to say, project managers (and line-of-business managers, executives, boards of directors…) like these the least.
I like the idea of economically modeling remediation efforts, and I think the model should be expanded to look at the mix of vulnerabilities found in applications as well as the mix of applications that organizations have.
I gave a talk on Vulnerability Management in an Application Security World at OWASP Minneapolis/St. Paul a while back that is up on Google Video. It covers some of the economics of fixing identified vulnerabilities.
dan _at_ denimgroup.com