Re: ROI for secure software engineering

From: securityat_private
Date: Tue Feb 04 2003 - 12:02:54 PST


    Let's start by saying that you will have to do (at least) two calculations
    
    1) Return On Security Investment (ROSI): this will focus on security
    incidents, hacking, etc. (Some formulas are included in "Information
    Security Management Handbook, 4th Edition", Tipton & Krause.)
    
    2) The money that will be saved on maintenance and general development costs.
    
    I will only discuss the second.  It is estimated that software bugs cost
    more than eight times as much to fix in the post-release/maintenance
    phase as they do in the design phase.  All security anomalies are
    classified as "bugs", because they are not how the software is supposed
    to behave.
    
    By implementing secure/best-practice coding standards, investing in
    developer education and software process (all of which are good secure
    coding practices), you are essentially going to improve the overall
    quality of your code, not just the security aspect.
    
    Look through your database of past software projects and determine how
    much developer time (read: money) is being spent on maintenance, bug fixes
    and security fixes.  Look at the classifications of these anomalies and
    make an informed decision about what you can expect to avoid during the
    next release or project.  You can get a rough estimate of the savings
    based on that.
    
    Good Luck,
    
    Ryan
    
    **********
    * Pablowe - Writing the software that lets you write software
    * http://www.pablowe.net/
    **********
    
    > Hello
    >
    > I am looking for methods to calculate return on investment in secure
    > software engineering practices. Since it is impossible to create
    > absolutely secure software (let alone define what is absolutely secure),
    > it would be good to know how much to spend on developer education,
    > code reviews and so on, to reach some kind of break-even point.
    >
    > I found many sites on the net which cover ROI for application
    > security, but none dedicated to the finances of secure software
    > engineering. If you know some links, please share your knowledge.
    >
    > Thanks
    >
    > --
    >  Artem Frolov <frolovat_private>
    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 14:52:07 PST