WebApp Sec mailing list archives

Re: Cost to fix bugs pre-production


From: Ivan Ristic <ivanr () webkreator com>
Date: Tue, 25 Nov 2003 22:05:04 +0000

Mark Curphey wrote:
A while back I read a research paper that compared some figures for the
financial cost of fixing an application security bug when it is in
development, pre-production and then finally in production. I have lost the
link. Does anyone know of any such papers?

Has anyone ever seen a study of the cost of fixing a problem occurring from
code review against the cost of fixing an issue that got into production and
had to be retrofitted?

  Steve McConnell's Rapid Development contains references to a number
  of papers on the subject, pages 69-79.

  As a summary, he says:

  * An hour doing QA activities saves 3-10 hours downstream costs.

  * A requirement defect left undetected costs 50-200 times as
    much later.

  * A defect fixed in a code review would cost 10-100 times as
    much to fix later on.

  One of the books he cites is this one:
  http://www.amazon.co.uk/exec/obidos/ASIN/0201631814

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
