WebApp Sec mailing list archives
Re: Cost to fix bugs pre-production
From: Ivan Ristic <ivanr () webkreator com>
Date: Tue, 25 Nov 2003 22:05:04 +0000
Mark Curphey wrote:
A while back I read a research paper that compared some figures for the financial cost of fixing an application security bug when it is in development, pre-production and then finally in production. I have lost the link. Does anyone know of any such papers? Has anyone ever seen a study of the cost of fixing a problem occurring from code review against the cost of fixing an issue that got into production and had to be retrofitted?
Steve McConnell's Rapid Development contains references to a number of papers on the subject, pages 69-79. As a summary, he says:

* An hour doing QA activities saves 3-10 hours downstream costs.
* A requirement defect left undetected costs 50-200 times as much later.
* A defect fixed in a code review would cost 10-100 times as much to fix later on.

One of the books he cites is this one: http://www.amazon.co.uk/exec/obidos/ASIN/0201631814

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
Current thread:
- Cost to fix bugs pre-production Mark Curphey (Nov 25)
- Re: Cost to fix bugs pre-production Gary Gwin (Nov 25)
- Re: Cost to fix bugs pre-production Ivan Ristic (Nov 25)
- Re: Cost to fix bugs pre-production Peter Wood (Nov 26)
- RE: Cost to fix bugs pre-production Glyn (Nov 26)
- <Possible follow-ups>
- RE: Cost to fix bugs pre-production Eugene Chuvyrov (Nov 25)