Secure Coding mailing list archives

Estimating security effort on software development project


From: "Kreusch, Stephen (ZA - Johannesburg)" <skreusch () deloitte co za>
Date: Fri, 28 Jan 2005 18:19:26 +0000

A client of mine is planning on developing a replacement system for
their existing retail solution.  The client is a retail holding company,
with approximately 10 chains, selling clothing, shoes, books,
stationery, etc.  The solution will likely be based on the Avanade
(http://www.avanade.com/) framework.

I have been giving thought to where security could be involved, and
estimating effort/cost.  An approach of: "Well, the overall project will
cost X so give us a security budget of 1% of X" will not work.

Business/IT management would like the security team to be involved
throughout the process, which could include:
- Ongoing risk assessment and risk management, prioritisation of
security issues for fixing, informing and interacting with business to
decide what is addressed, what risks they are willing to accept, etc.
- Security requirements development/review
- Threat modelling, (ab)use cases, etc.
- Security architecture development/review
- Secure coding principles/guidelines and review (including developer
training up front)
- Application controls definition/review (e.g. roles, segregation of
duties, etc.)
- Security test script development/execution
- Infrastructure/environment security requirements, hardening, lockdown,
etc.
- Pre-implementation security review
- Post-implementation security review
- etc. etc.

What am I missing which could be added to the list?

*****   More importantly, for each of these, how do you estimate
security involvement effort/cost?   *****

Or put another way, in your experience, what factors have you considered
for each security element listed above, and in your experience how long
did it actually take?

For example, adding security requirements to use cases should be pretty
simple.  Take the use cases and expand them to properly cover security.
Number of use cases (unknown at this stage) x effort per use case = Y.
However, abuse/misuse cases are something that the security team would
develop from scratch rather than working off a use case provided by a
developer.  How long does each abuse case take to develop?

Similarly, focusing on only the important code blocks w.r.t. security,
how long?  Can code review effort be estimated based on total lines of
code?  What is the minimum and maximum time for a code review?

Any help would be appreciated.

Thanks
Stephen