DEV Community

Cover image for AppSec and DevSecOps: part 2 - cost of a bug, cases, effectiveness assessment, ROI
Ivan Piskunov
Ivan Piskunov

Posted on

AppSec and DevSecOps: part 2 - cost of a bug, cases, effectiveness assessment, ROI

Image description

What is a bug? A little classification and essence

Software bugs have various natures that affect the software's overall functioning. The most common bugs in a web application can be classified into 5 types by their nature:

Performance bugs

Performance bugs in code may affect software's speed, stability, response time, and resource consumption. For example, if you notice a slower loading speed or response time, then it states in the requirements, it might be a performance bug.

Security bugs

Every 11 seconds , a business fall victim to a ransomware attack. According to FBI IC3 reports, the costs of cybercrimes have increased to $10.2 billion over the past five years. Therefore, security is increasingly important to users and website owners.

But here is the good news. The new study by ShiftLeft, the 2022 AppSec Progress Report, shows that only about 3% of today's flaws are reachable by attackers. So, to reduce the cost of bug fixing, it's better to hire an experienced, dedicated development team that will focus on fixing and mitigating truly attacking types of bugs.

Functional bugs

A functional bug means that some feature or the entire software fails to function as expected due to an error. The severity of such bug types depends on the feature which they impact.

Usability bugs

If the developed web application is not convenient enough, it might be usability bugs. Usability bugs make software difficult to use and negatively affect a user's experience. Such type of software errors makes your website or app over-complicated. For example , you can discover them when your users can't log in, update their profile, or can't find a shopping card. Therefore, before launching the product, it is important to run usability testing according to usability specifications and Web Content Accessibility Guidelines (WCAG) to identify and reduce the cost of such bugs.

There are five severity categories of the bugs: blocker (S1), critical (S2), major (S3), minor (S4), and low/trivial (S5).

  • Blocker (S1). Such an error may cause security breaches, data loss, or shut down applications. As a result, the product is unusable until the bug won't be fixed.

  • Critical (S2). It is an incorrect work of a core software functionality, like installation problems or failure of its primary features.

  • Major (S3). An error significantly impacts an application, while other inputs and features of the system stay functional, so it's still possible to use it. However, bugs of major severity have to be taken seriously as they can cause ripple effects and collapse of the whole system.

  • Minor (S4). Such a defect is confusing but doesn't cause any disruption of website functionality. Bugs of minor severity have minimal impact, and core functions of the product work as specified.

  • Low/Trivial (S5). A bug doesn't affect the functionality or isn't obvious. It can be a UI problem, such as incorrectly sized buttons, spelling issues, object color issues, etc.

Image description

Calculating the ROI of SAST in DevSecOps

Choosing the right Static Application Security Testing (SAST) solution can enhance software development processes, provide significant efficiencies and deliver high-quality products, while offering a very attractive ROI.

The following table is based on Google's data and the type of applications they build. It does show that 40% of their engineering time is spent on bug fixing and on a large application that amounts to $2.4 million/year.

Source Lines of Code (Generated Per Year 200,000
Average Bugs Per 1000 SLOC x 8
Number of Bugs in Code = 1,600
Average Cost to Fix a Bug x $1,500
Total Yearly Cost of Bug Fixing = $2,400,000
Year Cost of an Engineer / $150,000
Number of Engineers Consumed with Bug Fixing = 16
Engineering Team Size / 40
Percentage of Staff Used for Bug Fixing 40%

Table 1: Metrics from How Google Tests Software

Software Testing Phase Where Bugs Were Found Estimated Cost per Bug
System Testing $5,000
Integration Testing $500
Full Build $50
Unit Testing/Test-Driven Development $5

Table 2: The cost to fix bugs at Google

So, what is the return on investment given these factors? SAST decreases the volume of defects in software under development at all stages of the SDLC. A simple analysis is to reduce the number of defects from the data we have from Table 1. Given this reduction in created defects during development, we can see a significant reduction in cost:

Defect Reduction from SAST Estimated Savings
25% $600,000
15% $360,000
10% $240,000

Table 3: The potential saving by reducing defects and vulnerabilities by 25, 15 and 10%.

This simple analysis yields significant savings when average defects are reduced. Even using relatively conservative figures for a single project, there are savings in terms of hundreds of thousands of dollars. This is based solely on reduced development and testing time and doesn't account for costs to fix defects and vulnerabilities in production and deployment to customers.

Rather than just looking at the traditional cost-per-defect over time or per phase, which Jones argues is true mathematically but doesn't reflect what is seen in practice, the more revealing data is the overall ROI from pursuing higher quality. In his research, the ROI of software quality is significant but relies on the maturity of the software development organization.

Looking at Table 3, companies working on large projects with mature development processes that focus on quality and security are paradoxically removing less bugs than less mature companies – they are likely not introducing them in the first place. It's clear that defect removal alone isn't where they are saving money.

Application Size 10,000 Function Points, 1.25 MLOC
Average Quality
Defects Removed 50,400
Defects Delivered 9,800
Total Development Cost $26,540,478
Maintenance Costs 1st Year $8,000,000
Savings from High Quality $15,012,287

Table 3: Savings from a mature, quality and security focused development approach versus average organizations on a large project.

Based on Jones' research, it's clear that the ROI in security and quality is tied to maturing the development process, like DevSecOps, to reduce the number of delivered defects. These companies not only reduce their development costs, they reduce downstream maintenance costs as well.

For more specific ROI numbers for shift-left test automation, where SAST plays and important role, Forrester Research found an ROI 205% over three years, with a real dollar return of almost $7 million on a $3.3 million investment. These benefits from shift left automation included increased output per developer, decreased testing time, improved risk avoidance and bug remediation. In the Forrester Study, the tools studied removed about 20% of the bugs from the software which aligns with the direct cost avoidance savings noted in Table 3.

DevSecOps Metrics

Application Business Value (ABV)

Image description

All software assets should be categorized by their Application Business Value (ABV):

  1. Mission Critical
  2. Business Critical
  3. Business Operational
  4. Office Productivity

Calculation

ABV = Number of software assets in each category—Mission Critical, Business Critical, Business Operational, Office Productivity.

Analysis

All mission critical and business critical applications should be covered by DevSecOps practices. The Security team will set different security gates for each ABV.

Software Security Coverage (SSC)

Image description

Definition

The Software Security Coverage (SSC) metric is the total number software assets that are covered by DevSecOps. Software Assets Total (SAT) is the total number of all applications, systems and microservices (software assets) used by an organization.

Calculation

SSC = Actual number of software assets covered by DevSecOps.

SAT = The total number of all software assets used by an organization.

SSCG = Planned number (goal) of software assets to be covered by DevSecOps.

SSC-T (%) = Number of software assets covered by DevSecOps / total number of software assets.

SSC-G (%) = Number of software assets covered by DevSecOps / SSC Goal.

Analysis

Security Strategy defines the SSCG as the goal to be achieved within a specified time, such as a quarter or a year. SSC-T (%) for mission critical and business critical applications should be close to 100%. When SSC-G (%) is less than 100%, the focus is on achieving this goal. When SSC-G (%) is close to 100%, the security team needs to define the new SSCG to bring overall over time SSC-T (%) close to 100%.

[Codebase]

Source Lines of Code (SLOC)

Image description

Definition

Source Lines of Code (SLOC) is the number of lines of source code for a particular application including all modules, components, and services this application consists of.

Calculation

SLOC = Number of lines of code in the application source code repository.

Analysis

This metric represents the size of an application. SLOC is used later in this document to calculate the Security Risk Density (SRD) for a specific application.

Source Lines of Code by Language (SLOCL)

Image description
Definition

Source Lines of Code by Language (SLOCL) measures lines of code for each programming language used by an organization.

Calculation

SLOCL = Number of lines of code in the application source code repository written in a specific programming language.

Analysis

This metric shows codebase breakdown by technology and programming language. This information is used to select source code analysis tools (typically SAST) to be used by an organization.

Source Lines of Code Change (SLOCC)

Image description

Definition

Source Lines of Code Change (SLOCC) is the number of lines of code changed in the source code repository in a particular release.

Calculation

SLOCC = Number of changed (new or modified) lines of source code (measured by Count Lines of Code CLOC tool) that were brought into the main branch by merge requests during a particular release.

Analysis

This metric shows the volume of code changes. Changed source code is a potential source of new vulnerabilities. Codebases with minimum code changes are more stable from a software security perspective. Applications with a large amount of source code change will require more attention from security teams.

[Software Security Risk]

Security Technical Debt (STD)

Image description

Definition

STD is the total number of not resolved vulnerabilities in production. This metric is measured at the time when the code is released into production.

Calculation

STD = Number of vulnerabilities in production environment.

STDS = STD by Severity (critical, high, medium, low).

Analysis

STD should be zero for critical and high vulnerabilities. This metric should be getting smaller and smaller from release to release, so measuring the trend over time is important.

Mean Vulnerability Age (MVA)

Definition

Mean Vulnerability Age (MVA) is an average age of all not resolved security vulnerabilities from the time a vulnerability got checked in with a new code until the current moment when the vulnerability is not yet resolved.

Image description

Calculation

MVA = Average age across all not resolved software vulnerabilities. Individual vulnerability age is current time minus vulnerability detection time. This metric applies to vulnerabilities that have not yet been resolved.

MVAS = MVA by Severity (critical, high, medium, low).

Analysis

The goal is to minimize the age of vulnerabilities in production. This metric typically will be measured for critical and high vulnerabilities that should not be found in production and their MVA should be zero. MVA can be tracked over time to analyze progress. MVA is used to calculate Security Risk Exposure (SRE).

Security Risk Exposure (SRE)

Definition

Security Risk Exposure (SRE) is a multiple of STD with MVA.

Image description

Calculation

SRE = STD * MVA

Analysis

This metric calculates an aggregated risk that is proportionate to the number of vulnerabilities and how long these vulnerabilities are present in a production environment. This metric should not increase over time from sprint to sprint. Hence STD should be reduced over time faster than increase in MVA from sprint to sprint. This metric will be calculated and used for Critical and High severity vulnerabilities.

Security Risk Density (SRD)

Image description

Definition

SRD is measured for each application from release to release as STD per 1,000 lines of source code. It is a good indicator of software security risk at application level.

Calculation

SRD = Number of vulnerabilities that got released into production divided by the total number of lines of code. This metric applies to vulnerabilities that got into production and is best measured at the time when the code is released.

SRDS = SRD by severity

Analysis

Image description

This metric should be zero for critical and high vulnerabilities. This metric should be getting smaller and smaller from release to release, so measuring the trend over time is important.

Application Risk Score (ARS)

Definition

Application Risk Score (ARS) is calculated using a formula that considers the size of an application, the application business value and other aspects.

Calculation

Application Risk Score is calculated based on evaluation of a number of parameters which are grouped in two categories—Impact (potential impact to business in case of security breach) and Probability (likelihood of such security breach for particular application / microservice).

Below is a proposed sample split of parameters along with their weights. However, within each software delivery organization this approach could be adjusted and used as a framework.

Category Parameter Weight, %%
Impact Compliance 10%
Impact Data Type 5%
Probability Internet Access 5%
Probability Partner Network Access 10%
Impact User Profile 5%
Probability External Users 5%
Impact Client Profile Records 10%
Probability Internal Users 10%
Probability Technology Risk 10%
Impact Application Business Value 10%
Impact Core Function 10%
Probability Software Engineering Stage 10%
TOTAL 100%

In the table below, for each parameter, corresponding values and score are proposed. Score should be counted depending on specifics of application / microservice being evaluated.

Category Parameter Parameter Value Impact Value Score
Impact Compliance PCI DSS High 3
Impact Compliance HIPAA High 3
Impact Compliance N/A N/A 0
Impact Data Type Payment Cards High 3
Impact Data Type Financial Transactions Medium 2
Impact Data Type Personally Identifiable Information Low 1
Impact Data Type N/A N/A 0
Probability Internet Access Outbound High 3
Probability Internet Access Inbound Medium 2
Probability Internet Access No Access (intranet) Low 1
Probability Internet Access N/A N/A 0
Probability Partner Network Access Outbound High 3
Probability Partner Network Access Inbound Medium 2
Probability Partner Network Access VPN Low 1
Probability Partner Network Access N/A N/A 0
Impact User Profile Financial Institute High 3
Impact User Profile Legal Entity Medium 2
Impact User Profile Individual Low 1
Impact User Profile N/A N/A 0
Impact Client Profile Records > 1 000K High 3
Impact Client Profile Records > 1K < 1 000K Medium 2
Impact Client Profile Records < 1K Low 1
Impact Client Profile Records N/A N/A 0
Probability External Users > 1 000K High 3
Probability External Users > 1K < 1 000K Medium 2
Probability External Users < 1K Low 1
Probability External Users N/A N/A 0
Probability Internal Users > 1 000K High 3
Probability Internal Users > 1K < 1 000K Medium 2
Probability Internal Users < 1K Low 1
Probability Internal Users N/A N/A 0
Probability Technology Risk High High 3
Probability Technology Risk Medium Medium 2
Probability Technology Risk Low Low 1
Probability Technology Risk N/A N/A 0
Impact Application Business Value МС (Mission Critical) High 3
Impact Application Business Value BС (Business Critical) High 3
Impact Application Business Value BO (Business Operation) Medium 2
Impact Application Business Value OP (Office Productivity) Low 1
Impact Application Business Value NC (Non-Classified) Low 1
Impact Application Business Value N/A N/A 0
Impact Core Function Payments and Funds Transfer High 3
Impact Core Function Business Process Support Medium 2
Impact Core Function Decision Making High 3
Impact Core Function Data Analysis Low 1
Impact Core Function Data Transfer Medium 2
Impact Core Function N/A N/A 0
Probability Software Engineering Stage Active Development High 3
Probability Software Engineering Stage New Development High 3
Probability Software Engineering Stage Maintenance Medium 2
Probability Software Engineering Stage Retirement Low 1

To calculate the impact value for each parameter, it is required to pick the score corresponding to the parameter value from the table above. Then for each parameter the value is multiplied by the parameter's weight. Thus, Impact Score, Probability Score and the overall Application Risk Score can be calculated using the following formulas:

Image description
where:

  • IMPACT = (Compliance, Data Type, User Profile, Client Profile Records, Application Business Value, Core Function)
  • PROBABILITY = (Internet Access, Partner Network Access, External Users, Internal Users, Technology Risk, Software Engineering Stage)
  • Max Impact Score is a maximum score of 3 for each parameter in the Impact category
  • Max Probability Score is a maximum score of 3 for each parameter in the Probability category

Impact Score and Probability Score can be defined as Low/Medium/High/Critical severity using the following table:

Impact Score / Probability Score Severity
0–49% Low
50–69% Medium
70–84% High
85–100% Critical

Application Risk Severity can be defined as Low/Medium/High/Critical based on the severity of Impact Score and Probability Score using the following table:

Application Risk Severity Impact
Low Medium
Probability Low
Medium Low
High Low
Critical Medium

Analysis

This metric is used to translate the security risk for a specific application into business risk for an organization. An application can have a large number of vulnerabilities, but it may not contain any critical data or enable access to any customer data. Accordingly, business risk for such applications will be lower and ARS metric will be smaller.

Weighted Risk Index (WRI)

Definition

Weighted Risk Index (WRI) measures business risk for a portfolio of applications. For a given portfolio of applications, the overall security risk needs to take into account application risk score as a proportionate contribution of this application to the overall application portfolio risk.

Image description

Calculation

Application Portfolio WRI = WRI App 1 + WRI App 2 + WRI App 3. Application Portfolio WRI metric is a total of Application WRI numbers.

Application WRI App N = ((Multiplier-Critical * Critical-Vulnerabilities) + (Multiplier-High * High-Vulnerabilities) + (Multiplier-Medium * Medium-Vulnerabilities) + (Multiplier-Low * Low-Vulnerabilities)) * ARS. Application WRI has a multiplier for each severity and an Application Risk Score.

Analysis

This metric applies to vulnerabilities that have been detected and are in production. The metric enables organizations to measure aggregated business risk for an application portfolio for every release and track it over time. It is a business risk representation of application security risk. This metric should reduce over time.

Image description

[Security Risk Reduction]

Security Technical Debt Change (STDC)

Image description

Definition

Security Technical Debt Change (STDC) tracks changes in the production in a specific application from release to release. This metric applies to production vulnerabilities and is best measured at the time when the code is released.

Calculation

Change in number of production vulnerabilities by severity (critical, high, medium, low) during transition to next release.

Analysis

This metric should be zero for critical and high vulnerabilities, assuming that there are no critical or high vulnerabilities in production. This metric should indicate a decrease of production vulnerabilities from release to release.

Vulnerability Open Rate (VOR)

Image description

Definition

Vulnerability Open Rate (VOR) tracks how many new vulnerabilities have been identified during release. This metric is best measured at the time when the code is released into production.

Calculation

VOR = Number of new vulnerabilities that have been found within release.

VORS = VOR by severity (critical, high, medium, low).

Analysis

VOR indicates the quality of new code and code modifications from a security perspective. On the one hand this metric should be getting smaller and smaller over time, indicating that software quality is growing. On the other hand, when vulnerability detection techniques are becoming more effective, the higher VOR from release to release may indicate that a smaller number of vulnerabilities have been missed. Hence, this metric should be analyzed along with other indicators.

Vulnerability Escape Rate (VER)

Image description

Definition

Vulnerability Escape Rate (VER) tracks how many new vulnerabilities get into production. New vulnerabilities are those detected during the current sprint. This metric applies to vulnerabilities that got into production and is best measured at the time when the code is released into production.

Calculation

VER = Number of new vulnerabilities that have been detected, but not fixed and got released into production.

VERS = VER by severity (critical, high, medium, low).

Analysis

This metric should be zero for critical and high vulnerabilities. VER helps understand the effectiveness of security testing and development team ability to continuously reduce Security Technical Debt (STD). This metric should be getting smaller and smaller from release to release, so measuring the trend is important.

Vulnerability Resolved Rate (VRR)

Image description

Definition

Vulnerability Resolved Rate (VRR) tracks how many vulnerabilities have been resolved in a specific release. This metric is best measured at the time when the code is released into production.

Calculation

VRR = Number of newly detected vulnerabilities and older vulnerabilities from Security Technical Debt that have been resolved during release.

VRR = VRR by severity (critical, high, medium, low)

Analysis

This metric should be higher than VER for critical and high vulnerabilities which is an indicator that new vulnerabilities don't squeeze into production. The VRR helps understand the effectiveness of the development team's ability to continuously reduce Security Technical Debt (STD) and prevent new vulnerabilities from escaping into production. This metric should be getting higher and higher from release to release according to Technical Debt elimination strategy, so measuring the trend is important.

[Secure Engineering]

Opened To Resolved Ratio (OTRR)

Image description

Definition

Opened To Resolved Ratio (OTRR) measures the ratio between opened and resolved vulnerabilities in a release.

Calculation

OTRR % = Number of all opened vulnerabilities (newly opened and re-opened) during the release divided by the number of resolved vulnerabilities within this release.

Analysis

OTRR applies to vulnerabilities that have been detected. This metric compares the number of vulnerabilities introduced by development team during release vs their productivity in resolving known vulnerabilities. This metric should be much less than 100%, so that the team is resolving more vulnerabilities than creating. Ideally, this metric should be less than 10%.

Re-Opened To Opened Ratio (RTOR)

Image description

Definition

The ratio of re-opened to opened vulnerabilities during a particular release.

Calculation

RTOR % = Number of all re-opened vulnerabilities divided by the number of all opened vulnerabilities (including re-opened).

Analysis

The metric measured the quality of how well the vulnerabilities were fixed by developers from release to release. The metric should reduce over time.

Passed Security Gates Ratio (PSGR)

Image description

Definition

Passed Security Gates Ratio (PSGR) compares the number of scans with passed quality gates to the total number of scans (failed and passed) during release. This metric determines how often security gates pass successfully.

Calculation

PSGR % = The number of scans with passed security gates divided by total number of security scans in a particular release. Security gate is counted as passed when security policies are not violated, for example when there are no critical and high severity vulnerabilities.

PSGRP = PSGR % measured by security practice (SAST, DAST, SCA, etc.).

Security Gate Staging Matrix can be defined and used as quality criteria for security gate. This matrix can be defined as follows, for example:

Security Gate New Vulnerabilities Total Vulnerabilities
Critical High Medium
SAST 0 0
SCA 0 0
DAST 0 0

Analysis

This metric indicates overall software quality dynamics within a release. This metric ideally should be close to 100%.

[DevSecOps Speed]

Mean Time In Production (MTIP)

Image description

Definition

Mean Time In Production (MTIP) describes average length of time a vulnerability spends in production before it is remediated and fixed (removed from production environment). This metric applies to vulnerabilities that have already been resolved after they got into production. It is measured at the time when the code is released into production.

Calculation

MTIP = Duration measured in days from the time when a vulnerability got into the production environment with a certain release until the time the fixed code is deployed into the production environment as a patch or with the upcoming next release.

MTIP [Severity] = MTIP by severity (Critical, High, Medium, Low). This metric typically will be measured for critical and high vulnerabilities that by company standard should not be found in production.

Analysis

MTIP ideally should be equal to zero for critical and high vulnerabilities. If this metric is more than one Release Duration, that means (a) such vulnerabilities were not detected in several releases consequently or (b) it took much more time to fix than one Release Duration. MTIP trend is tracked over time to analyze progress.

Mean Time To Detect (MTTD)

Definition

Mean Time To Detect (MTTD) is the time it takes to detect a vulnerability after new code containing it has been checked in. This metric applies to vulnerabilities that have been detected.

Image description

Calculation

MTTD = Duration in days from the time when the new code containing vulnerability was checked in until the time this vulnerability has been detected.

Analysis

The goal is to detect vulnerabilities as early as possible and not near the end of the release. MTTD trend is tracked over time to analyze progress. MTTD needs to reach low levels to enable the software engineering Shift-Left paradigm.

MTTD should ideally not exceed 30% of Release Duration. If MTTD is longer than Release Cycle, that means that vulnerabilities escape into production and application security is deteriorating. When MTTD is less than 30% of Release Duration, vulnerabilities are identified at the beginning of development and there is sufficient time for them to be fixed within same release.

Mean Time to Resolve (MTTR)

Image description

Definition

MTTR is the average time required to resolve security defect by engineering team. This metric applies to vulnerabilities that have been resolved.

Calculation

MTTR = Duration in days from the time the vulnerability is detected to the time the vulnerability is resolved.

Analysis

The goal is to resolve defects quickly according to priority and not let unfixed defects into production. MTTR should be less than 30% of Release Duration. When MTTR is less than 30% of Release Duration, vulnerabilities identified in the middle of release will still be fixed within the same release before deploying into production. If MTTR is more than 30% of Release Duration, some vulnerabilities found in the later part of the release may not be fixed before the end of the release and they will escape into production. If MTTR is larger than Release Cycle, all new vulnerabilities escape into production and application security is not stable. MTTR trend is tracked over time to analyze progress.

[DevSecOps Performance]

Shift-Left Detection Ratio (SLDR)

Image description

Definition

Shift-Left Detection Ratio (SLDR) is a percentage of vulnerabilities detected in each environment out of the total number of vulnerabilities detected in a release.

Calculation

SLDR % = Number of vulnerabilities detected in different environments (Development, Staging, Pre-Production, Production) divided into the total number of vulnerabilities detected during release.

Analysis

SLDR indicates an ability to identify security flaws early within development lifecycle. This metric ideally should have the following values: SLDR for Development – 60%, for Staging – 30%, Pre-Production – 10%, Production – 0%.

Failed Security Pipelines Ratio (FSPR)

Image description

Definition

Failed Security Pipelines Ratio (FSPR) is a percentage of not completed security pipelines to the total number of executed security pipelines in a release.

Calculation

FSPR = Number of security pipelines with status "failed" divided by the total number of security pipelines executed during release.

Analysis

FSPR applies to security pipelines initiated during a particular release. This metric indicates overall quality of DevSecOps operations. Ideally it should be equal to zero.

Scans in Queue Time (SQT)

Image description

Definition

Scans in Queue Time (SQT) is the wait time of a scan task from the moment it is added to the queue to the time when execution of this scan starts. This metric applies to all types of security scans.

Calculation

SQT = Time when task execution starts in the pipeline minus time when this task has been added to the queue in security CI/CD pipeline.

Analysis

SQT should ideally be equal to zero and not growing over time, when more and more applications are added into DevSecOps scope.

Security Scan Time (SST)

Image description

Definition

Security Scan Time (SST) indicates how long it takes for a security scan to occur.

Calculation

SST = Duration of security scan from the time of initiation until the time of successful completion.

SST [Practice] = SST by practice (SAST, DAST, SCA, etc.).

Analysis

SST is measured in hours. This metric may serve as an indicator to add compute capacity in order to bring scan time to a reasonable duration.

Image description

Security risks contribute most to the cost

People often talk about the cost of defects, but rarely do they quantify that cost. The survey listed factors that might contribute to that cost and asked the respondents to rate them. These included:

  • Security risks
  • Severity level
  • Loss of business
  • Damage to reputation
  • Resources required to fix

Image description

While each factor contributed in some way to the overall cost, 61% of respondents said that security risks contributed the most.

The survey categorized defects into three areas: functional, performance, and security. Respondents were asked to rate the contribution of a few elements on the business impact, for each of the defect categories. These elements included:

  • Revenue
  • Brand reputation
  • Regulatory fines
  • Disruption to the team
  • PR and marketing costs

Image description

Image description

In waterfall, functional defects mainly affect revenue, while performance defects can result in regulatory fines. Security defects, however, affect both almost equally.

In agile/DevOps, security defects affect revenue and brand reputation more than anything, and these have more of an effect than do functional and performance defects.

The survey examined these three categories of defect in detail, as well as the impact of defects discovered at different stages of the lifecycle, for both waterfall and agile/DevOps scenarios.

Calculating ROI

Image description

Calculating ROI of continuous code testing should also consider other factors than just identifying and fixing defects. Here are some examples and the impact to calculating ROI:

Customer experience : User experience is a big selling point in many applications, so poor design, security or quality can doom the customer experience and cost organizations, since customers are spoiled for choice. Amazon found every 100ms of latency in their online applications costs them 1% in sales and Google found a 500ms delay in search page results dropped traffic by 20%.

Risk and liability : In critical industries, such as transportation, medical devices, industrial automation and controls, software failure can potentially cause injury and death. Consider the unintended acceleration accidents which precipitated the recall of four million Prius cars that cost Toyota $5 billion.

Compliance : When there is a breach, regulators are never far behind. Software security failures at public companies attract the attention of the Securities Exchange Commission (SEC) or Federal Trade Commission (FTC), and can have consequences for failure to manage business risks. Equifax's data breach led to $575 million in fines , Home Depot paid $200 million in another case and Capital One $190 million—and that's above and beyond the other costs and liabilities they faced.

Insurance premiums : The SolarWinds attack cost insurers more than $90 million. Cybersecurity coverage is affected by software quality, safety and security, so insurers may begin taking a closer look at DevSecOps best practices and raising rates or even denying coverage to organizations that don't measure up.

Conclusion

So, we found out that the cost of a software bugs increases multiple times on its way from design stage to release product. If an error occurs, in addition to the costs of creating a patch, this entails potential risks of product recall, reputational losses, payments for violation of laws and compensation for moral damages to users.

For companies whose main product (source of income) is software or digital service, it makes economic sense to have a staff of AppSec\DevSecOps experts in the cybersecurity team.

Proper planning of work and the use of error detection tools at early stages make it possible in the long term to reduce software support costs and gradually reduce the costs of future software development.

To evaluate the effectiveness of bugs detection programs, metrics and basic formulas for calculating return on investment are used, which gives to management board information to make the right management decisions.

Sources: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

Top comments (0)