Secure Coding mailing list archives

Re: Interesting article on the adoption of Software Security


From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 09 Jun 2004 14:02:53 +0100

* Kenneth R. van Wyk:

> There's an interesting article out on Net-Security.org (see the full article
> at http://www.net-security.org/article.php?id=697) that addresses why
> software development organizations adopt (or do not adopt) a Software
> Security development methodology.  Check it out -- it's a good read, IMHO.

| Although consuming between 5-15% of a project's overall budget,
| organisations have learnt that the savings yielded by phased
| security assessments far outweigh the costs of performing them.

I don't think this is correct.  The cost of fixing bugs is higher
later in the product lifecycle (and the article cites confirming
data), but these costs might never materialize.  Only a fraction of
all bugs are found, and the vendor doesn't even have to fix all those
which have actually been discovered.

I've never seen any hard evidence that investment into proactive
measures during development (or call it "increased software quality")
pays off in the end, at least in the area of applications which are
neither safety-critical nor regulated in some form or other.  Only
those companies that want you to pay dearly for their services publish
claim after claim that those services actually save you money.  My own
experience suggests that a strong brand is far more significant in
making purchasing decisions than defect rate, and a really good brand
can enable a vendor to push critical security fixes back years,
towards the next software development/deployment cycle, thus
minimizing the costs.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, fuorissimo.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.