Secure Coding mailing list archives
Re: Interesting article on the adoption of Software Security
From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 09 Jun 2004 14:02:53 +0100
* Kenneth R. van Wyk:
There's an interesting article out on Net-Security.org (see the full article at http://www.net-security.org/article.php?id=697) that addresses why software development organizations adopt (or do not adopt) a Software Security development methodology. Check it out -- it's a good read, IMHO.
| Although consuming between 5-15% of a project's overall budget,
| organisations have learnt that the savings yielded by phased
| security assessments far outweigh the costs of performing them.

I don't think this is correct. The costs of fixing bugs are higher later in the product lifecycle (and the article cites confirming data), but these costs might never materialize. Only a fraction of all bugs are found, and the vendor doesn't even have to fix all those which have actually been discovered.

I've never seen any hard evidence that investment in proactive measures during development (or call it "increased software quality") pays off in the end, at least in the area of applications which are neither safety-critical nor regulated in some form or other. Only those companies that want you to pay dearly for their services publish claim after claim that those services actually save you money.

My own experience suggests that a strong brand is far more significant in making purchasing decisions than defect rate, and a really good brand can enable a vendor to push critical security fixes back years, towards the next software development/deployment cycle, thus minimizing the costs.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: bigpond.com, di-ve.com, fuorissimo.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.