
What case studies or references are available from companies who have implemented a secure development process (e.g., SDL or similar) around the cost/effort involved?

Whilst each development department is likely to be a unique case, it is still important to understand roughly what the costs of a programme would be before spending a lot of time on scoping.

Some references available are this recent article, which links to this Aberdeen Group report, which looks to have some interesting information, and this reference here. It's a bit academic and formula-heavy, but has some interesting information.

Rory McCune
  • I was going to point you to that study, one of the few I have seen quantifying secure at source. I did some analysis of it here: http://www.rakkhis.com/2011/01/analysing-aberdeen-group-application.html – Rakkhi May 26 '11 at 13:47
  • Great question, I actually did some work around that a few years ago for a relatively large-ish multi-national dev shop - unfortunately, I don't have any of those numbers anymore :(. Bottom line, as expected, it was not cheap, and only saved money in the long run because they were currently paying so much on the pentest-fix-retest-refix cycle.... – AviD Jun 05 '11 at 10:15

1 Answer

Using the formulas in the book, "IT Security Metrics", you can staff your organization with application security professionals matched to the predictable number of incidents per quarter using a Poisson distribution. You could figure 100k US dollars per year for salary (doubled in most cases because of benefits and cost of business), 180k US dollars per year for 3 commercial SAST and 25k US dollars per year for 1 DAST (per person). The people and tools are very expensive. Make sure that you're not spending more than 37 percent of the assets that you are trying to protect. Remember that Veracode costs about 5-6k US dollars per app (apps in 100MB package size increments) that you send them -- and that competitor pricing is not far off from that number as well.

If you want to use an approximation, such as the ones used in regular information security, there is the Gartner-approved "6-7 percent" of total IT assets formula. For application security, you simply apply these numbers against the application development assets of an organization.

atdre
  • @atdre isn't the big problem the predictable number of incidents? what is that in security? You could use the Verizon data breach report but that is biased again to where Verizon / secret service has been called in. Also how do you value your assets? e.g. what is 37% of your reputation? There are some brand value reports for big companies but not for most. How did you get the 37% number anyway? – Rakkhi May 26 '11 at 15:50
  • @Rakkhi: No, it's not a problem (see my references). You use your own data. I do not believe in brand/reputation damage, especially not as "hard costs". See the Gordon-Loeb Model -- http://www.cyber.umd.edu/research/economics.html – atdre May 26 '11 at 20:29
  • There is something to be said for cumulative brand damage over multiple incidents - see some banks currently, and Sony, as examples - share price is now being hit. – Rory Alsop May 26 '11 at 23:15
  • @atdre "I do not believe in brand/reputation damage, especially not as "hard costs"." Wow ok. Never heard of Andersen after one image of shredding files....Totally disagree on that point, it is the one massive reason most companies need security. Industry vertical does matter e.g. RSA incident will cost them more than Sony or TK Maxx but man.. – Rakkhi May 27 '11 at 08:39
  • @Rory: I don't believe in the stock market either – atdre May 28 '11 at 03:34
  • @atdre - we are nihilists. We believe in nothing – Rory Alsop May 28 '11 at 08:10
  • @Rakkhi so how many people have thrown their PS3s away and bought Xbox 360s because of the PSN #fail? I'm not saying you're incorrect, I'm just skeptical until I see the data (e.g. TJ Maxx actually had a better quarter after their DSS #fail than before). –  May 28 '11 at 10:42
  • @Graham: I don't think that they switched to Xbox because of Sony's brand. They did it because Sony's network was unavailable. Availability is part of the CIA triad. It is the one massive reason that most companies need security. – atdre May 29 '11 at 16:16
  • @atdre: and who are _they_? Numbers? References? –  May 30 '11 at 08:08
  • @Graham: I'm sorry -- but you lost me in this conversation. You brought up the point that "people" (my: "they") may have thrown their PS3s away. Are you talking about another subject? – atdre May 30 '11 at 19:22
  • @atdre I didn't intend to raise that point: I asked the question of _whether anyone had_ discarded their PS3s for Xbox/Wii _because of_ the Sony hacks. Until someone shows that these people exist, or that PS3 users have stopped their subscriptions to the PSN, or that people who were _potential_ PS3 owners bought Xboxen instead, I don't believe that the "damage to reputation" is as important as has been claimed. –  May 31 '11 at 08:00
  • @graham-lee 200% increases in Sony PS3 returns: http://goo.gl/h8oTD . But my point was that reputational damage will hurt companies that trade on it like RSA more than it will those who trade on fun and entertainment like Sony or TK Maxx. Reputation still matters a hell of a lot though and is the primary business case for security after regulation for many companies. Bit of blog spam: http://www.rakkhis.com/2011/05/what-does-sony-need-to-rebuild.html – Rakkhi May 31 '11 at 08:47
  • @Graham: Then you and I agree. Reputation and brand are for marketing people. I'll stay in the real world of technology where availability (i.e. networks, apps, and databases) and integrity (i.e. system and data) matter most, while confidentiality follows a close third. Networks can be made highly available through BGP and DNS, which are difficult black-arts that rarely have upper management support. Systems are always easy to scale and provide high-availability for. Apps/DBs are the least understood of all -- with no standards for acquisition, creation, or deployment. – atdre May 31 '11 at 20:52
  • @atdre these numbers are quite arbitrary and vendor-driven. – Vitaly Osipov Nov 28 '12 at 04:12
  • @agelastic: that's not true. your comment is untrue. please back it up with facts and/or references. – atdre Dec 06 '12 at 21:41
  • @atdre You are quoting a book written by a consultant selling security operations services and, of all places, Gartner (which is entirely vendor driven). On arbitrariness - choice of Poisson distribution for security incidents *is* arbitrary. Quote me an article in a peer reviewed journal that concludes Poisson is the best, and I will back out my comment :) Besides, there are many other components in addition to incidents - reputation, customer loyalty etc. – Vitaly Osipov Dec 08 '12 at 04:04
  • @agelastic: There are many authors of that book. Security is not a science, and as a proponent of quals over quants, my Poisson distribution suggestion is clearly not the end-all-be-all. However, I'd like to hear your ideas about incident-oriented and evidence-based risk management in information security management practices, if you have any. Why don't you give a go at an answer? – atdre Dec 17 '12 at 18:10
  • @atdre I am not giving it a go, because some arguments are not worth having. – Vitaly Osipov Dec 18 '12 at 23:33
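The answer above sketches a sizing method (forecast incidents per quarter with a Poisson distribution, staff to that forecast, price people and tools with the quoted figures, then sanity-check the total against the 37 percent cap and the Gartner 6-7 percent band) but does not carry it through. The following is an added worked example of that procedure, written for this page; it is not code from the answer, from "IT Security Metrics", or from any vendor. Two things the answer does not state are assumed here and labelled as such: that each professional clears a fixed number of incidents per quarter, and that the team is sized to cover the quarter's incident count with a chosen probability (a 95 percent service level). The incident history and asset values are constructed sample data, and the SAST and DAST licence figures are both treated as per-person costs.

```python
"""Worked example: Poisson-based staffing for an application security team,
costed with the figures quoted in the answer.

Added illustration for this page, not code from the answer or the book.
Assumptions not in the answer: a fixed incidents-per-person capacity and a
service-level target; sample incident history and asset values are constructed.
"""
from math import exp, factorial
from statistics import mean

# Constructed sample data: incidents handled in each of the last eight quarters.
HISTORICAL_INCIDENTS = [4, 7, 5, 6, 9, 5, 8, 6]

# Cost figures quoted in the answer (USD per year).
SALARY = 100_000
LOADED_MULTIPLIER = 2          # salary "doubled ... because of benefits and cost of business"
SAST_PER_PERSON = 180_000      # 3 commercial SAST licences (assumed per person)
DAST_PER_PERSON = 25_000       # 1 DAST licence (per person)
MAX_SPEND_FRACTION = 0.37      # spend no more than 37% of the assets being protected
GARTNER_LOW, GARTNER_HIGH = 0.06, 0.07   # the "6-7 percent" of IT assets rule


def poisson_pmf(k: int, lam: float) -> float:
    """P(X = k) for X ~ Poisson(lam)."""
    return exp(-lam) * lam ** k / factorial(k)


def poisson_quantile(lam: float, service_level: float) -> int:
    """Smallest k such that P(X <= k) >= service_level (walks the CDF)."""
    k, cdf = 0, 0.0
    while True:
        cdf += poisson_pmf(k, lam)
        if cdf >= service_level:
            return k
        k += 1


def staff_needed(incident_history, incidents_per_person_per_quarter: int,
                 service_level: float = 0.95) -> dict:
    """Size the team so capacity covers the forecast incident load.

    lam is the observed mean incidents per quarter (the Poisson rate); the
    quantile is the incident count we are service_level confident of not
    exceeding; headcount is that load divided by per-person capacity, rounded up.
    """
    lam = mean(incident_history)
    load = poisson_quantile(lam, service_level)
    headcount = -(-load // incidents_per_person_per_quarter)  # ceiling division
    return {"rate_per_quarter": lam, "planned_load": load,
            "headcount": max(headcount, 1)}


def annual_programme_cost(headcount: int) -> int:
    """People plus per-person tooling, using the answer's figures."""
    per_person = SALARY * LOADED_MULTIPLIER + SAST_PER_PERSON + DAST_PER_PERSON
    return headcount * per_person


def budget_check(cost: int, protected_asset_value: int, app_dev_assets: int) -> dict:
    """Compare the programme cost against the two rules of thumb in the answer.

    The 37% cap is applied to the value of the assets being protected; the
    Gartner band is applied to the application development assets.
    """
    low, high = GARTNER_LOW * app_dev_assets, GARTNER_HIGH * app_dev_assets
    return {
        "within_37pct_cap": cost <= MAX_SPEND_FRACTION * protected_asset_value,
        "gartner_band": (low, high),
        "within_gartner_band": low <= cost <= high,
    }


if __name__ == "__main__":
    # Assumption: one professional clears 3 incidents per quarter.
    sizing = staff_needed(HISTORICAL_INCIDENTS, incidents_per_person_per_quarter=3)
    cost = annual_programme_cost(sizing["headcount"])
    print(sizing, cost)
    # Constructed asset values: 5M protected, 20M of application development assets.
    print(budget_check(cost, protected_asset_value=5_000_000, app_dev_assets=20_000_000))
```

With the constructed history the mean rate is 6.25 incidents per quarter, the 95 percent quantile is 11, and at 3 incidents per person that is a team of 4, costing 1.62M per year at the answer's figures. Against the constructed asset values that sits inside the 37 percent cap but above the Gartner band, which is the point of running both checks: the two rules of thumb are anchored to different bases and can disagree, so the assumptions (capacity per person, service level, what counts as a protected asset) need to be written down next to the number.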