Secure Coding mailing list archives
Re: Interesting article on the adoption of Software Security
From: Damir Rajnovic <gaus () cisco com>
Date: Thu, 10 Jun 2004 14:13:56 +0100
On Wed, Jun 09, 2004 at 10:37:45AM +0200, Florian Weimer wrote:
> I don't think this is correct. The cost of fixing bugs is higher later in the product lifecycle (and the article cites confirming data), but these costs might never materialize. Only a fraction of all bugs are found, and the vendor doesn't even have to fix all those which have actually been discovered.
While it is true that only some of the bugs are fixed, that fixing can have an unexpectedly high price tag attached. No matter how you look at this, it _is_ cheaper to fix bugs as soon as possible in the process (or not to introduce them in the first place).
> I've never seen any hard evidence that investment into proactive measures during development (or call it "increased software quality") pays off in the end, at least in the area of applications which are
Personally, I do not see how this can be easily measured. The only way we can do that is to say that we used to have so many bugs previously and fixing them cost that much. Then say that now we have so many fewer bugs and that brought savings of whatever amount. But all of that is just guesswork and not hard data. The conclusion is that you can accurately measure only how much fixing cost (and only the technical part, without trying to estimate lost opportunities and lost customer confidence) but cannot measure the absence of bugs.

The other interesting bit is that, at least at my place, we are seeing fewer "simple" bugs but more "complex" ones. Not necessarily "complex" in the sense of how hard it is to fix them (but, occasionally, that too) but in that they tend to be more fundamental and far-reaching than "simple" ones. The consequence of it is that, while you may have fewer bugs, the cost of fixing them stays the same or is even greater than fixing many "simple" bugs.

Gaus
==============
Damir Rajnovic <[EMAIL PROTECTED]>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>
Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems. The question is can you accept the solution?