WebApp Sec mailing list archives

Re: Cost to fix bugs pre-production


From: Gary Gwin <websec () cafesoft com>
Date: Tue, 25 Nov 2003 15:04:27 -0800

Mark,

I believe you might be referring to the research done by atstake:

"According to SQA (software quality assurance) empirical research, one dollar required to resolve an issue during the design phase grows into 60 to 100 dollars to resolve the same issue after the application has shipped."

http://www.sbq.com/sbq/rosi/sbq_rosi_software_engineering.pdf

http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf

OWASP is acknowledged in the second document.

Gary

--
http://www.cafesoft.com

****************************************************************
*                                                              *
*  Cams is a web single sign-on software solution for Apache,  *
*  Microsoft IIS, BEA WebLogic, IBM WebSphere, JBoss, Oracle,  *
*  and Tomcat web and J2EE application servers.                *
*                                                              *
****************************************************************

Mark Curphey wrote:
A while back I read a research paper that compared some figures for the
financial cost of fixing an application security bug when it is in
development, pre-production and then finally in production. I have lost the
link. Does anyone know of any such papers?

Has anyone ever seen a study of the cost of fixing a problem occurring from
code review against the cost of fixing an issue that got into production and
had to be retrofitted?
