seeking hard numbers of bug fixes...

[Kevin.Wall at qwest.com (Wall, Kevin)]

Benjamin Tomhave wrote:
> ... we're looking for hard research or
> numbers that covers the cost to catch bugs in code pre-launch and
> post-launch. The notion being that the organization saves itself money
> if it does a reasonable amount of QA (and security testing)
> up front vs trying to chase things down after they've been identified
> (and possibly exploited).

Ben,

Not sure if this is what you are looking for or not, but back in the
mid- to late-1980s or so, John Musa, a DMTS at Bell Labs, wrote up a
couple of papers that showed this data, although this was in the more
general context of software quality assurance and not specific to
security testing.

I'm pretty sure that Musa published something in either one of the ACM
or IEEE CS journals and included some hard data, collected from a bunch
of (then AT&T) Bell Labs projects. IIRC, the main finding was something
like the cost was ~100 times more to catch and correct a bug during
the normal design / coding phase than it was to catch / correct it
after post-deployment.

Can't help you much more than that. I'm surprised I remembered that much! :)

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html



This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.