Insecure software will cost you

By Rob McAdam*
Friday, 05 August, 2011


Looking to save a few dollars, organisations are putting less and less consideration into security when developing software. While it may pay off in the very short term, it’s almost certain to cost businesses much, much more in the long term, with the cost of dealing with security breaches vastly outstripping the cost of developing secure software in the first place. So opines Rob McAdam, CEO of security consultancy Pure Hacking.

With my white ethical hacking hat on, every day I see the results of security reviews against systems, networks, devices and applications - you name it. In each instance I have come to the conclusion that the current lack of security understanding in software development teams has reached its tipping point. Organisations may not want to hear it, but it’s important. There is a growing lack of understanding about the security required in the development of software, whether it is developed in-house or via outsourcing.

Today I am committed to my belief that development teams may sometimes lack the understanding of the minimum security requirements for a software project. Often, they are under tremendous resource constraints and may not follow processes and technology that is necessary for secure coding and architecture in these projects.

In fact, if I was a CISO/CIO of an organisation planning to outsource software development, I would focus on adding a few lines in the outsourcing contract to ensure that the third party completed a code review/penetration test to ensure that the security of the final software solution was adequate. The contract should state simply that the vendor or developer be held accountable for remedy and potential loss.

Further, I would also like to point out that many software projects are seen as additional overhead by Boards and senior management. As a result, organisations often outsource these projects due to cost requirements.

So the million dollar question - or the hundred million dollar question, for some organisations recently - is: how do we convert the opinion that this level of preparedness is an overhead, to viewing it instead as an investment?

Perhaps the current statistics may sway the decision makers.

The average cost of identifying and fixing a software vulnerability during development is 3-8% of the cost of fixing that same issue after implementation. In other words, fixing a software vulnerability after deployment is between 12 and 33 times more costly than finding and fixing the flaw during software development. If you implement security during development, the time to fix the vulnerability is slashed from weeks to hours, repeat vulnerabilities virtually disappear, and if the open framework development methodology is fully implemented, organisations stand to save millions of dollars annually in upfront costs.

This is important as, like most things in life, I firmly believe that the costs of reworking insecure software will also rise. It now has a dollar value attached to it, and it is no longer a minor inconvenience to address security breaches. Hackers are destroying businesses.

The incidence of hacking will continue to grow, and new legislation will not be able to control it. The business public are inevitably going to query why they are being provided with an insecure software product in the first place. They will want to know how developers can justify charging them for the remediation process. Wasn’t the software meant to have been developed securely in the first place?

A path we all can take, however, is the open framework Software Assurance Maturity Model, or OpenSAMM methodology. It can help define and measure the security resilience of organisations and the software they rely on. Organisations are measuring key benefits on a range of indicators by employing these standards.

A new, non-vendor-aligned benchmark may be just what it takes to fix the software that’s already broken when we buy it.

*Rob McAdam is the founder and CEO of Pure Hacking, an Australian information security consultancy. He leads a team of consultants to undertake ethical hacking assignments and provide security risk solutions, mapping root causes of problems to increase organisations’ security.

Related Articles

Strategies for navigating Java vulnerabilities

Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...

Not all cyber risk is created equal

The key to mitigating cyber exposure lies in preventing breaches before they happen.

How AI can help businesses manage their cyber risks

Artificial intelligence can be a powerful ally in the fight against cyberthreats.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd