The Productivity Gain Of Software Security
By Jim Routh, CSO, Aetna
The conceptual model measuring the gain in productivity for developers assumes that there are up-front costs for changing the development processes, such as software licenses for testing tools, education, the time to teach developers new techniques, and of course the necessary servers and infrastructure. Depending on the size of the development organization, it is safe to estimate that it will take 10 to 15 percent of the total hours spent on development each year to implement changes in the process and teach developers how to use a new set of tools.
Integrating security controls into the fabric of software development and integration increases productivity for application developers
Take current dev/ops practices into account. Those regular changes already cost money, so adding security controls is simply another change to the existing process that requires some investment—the same as any business process change.
The return on investment should be measured in the productivity enhancements enabled by avoiding software flaws and defects in the development process and the ability to fix defects earlier in the life-cycle. This approach saves time over fixing defects discovered after the application is built through a penetration test.
Providing developers with frameworks for input and output validation routines is an example of a control that actually prevents defects in software code. Mandating their use by security policy is simply an example of embedding a control that prevents vulnerabilities in software. Dev/Ops gives us a continuous build process, so developers don’t have to spend time fixing the vulnerability after the fact. The productivity saved can be measured by determining the standard cost of fixing a defect, usually between two and six hours of development time, and multiplying that by the number of defects identified before and after the framework is introduced.
Using this before-and-after model to determine the average number of security vulnerabilities per line of code written (something called defect density) provides an opportunity to measure improvements over your baseline measures. The difference is the second gain in productivity of embedding controls in development. It turns out that developers actually learn how to avoid defects when they are able to use static analysis tools during development, so preventing defects and fixing them earlier frees more time to be invested in quality software and less time fixing defects. As a result, obtaining a productivity improvement of 10 to 40 percent is feasible, offering a compelling argument for security that everyone can understand.
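The before-and-after model above, carried through in code as an added illustration (not from the article): defect density per thousand lines, defects avoided against the baseline, hours saved at the article's two-to-six-hour fix cost, and the running net against a one-time up-front investment in the 10 to 15 percent range. All figures (50,000 lines per year, 400 versus 80 defects, 20,000 annual development hours) are constructed sample values, not Aetna's data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReleaseStats:
    """Security defects found in the code written during one period."""
    lines_of_code: int
    security_defects: int


def defect_density(stats: ReleaseStats) -> float:
    """Security defects per 1,000 lines of code (the article's 'defect density')."""
    return stats.security_defects * 1000 / stats.lines_of_code


def defects_avoided(before: ReleaseStats, after: ReleaseStats) -> float:
    """Defects the 'after' period would have had at the baseline density, minus those it did have."""
    expected_at_baseline = before.security_defects * after.lines_of_code / before.lines_of_code
    return expected_at_baseline - after.security_defects


def hours_saved(before: ReleaseStats, after: ReleaseStats, hours_per_defect: float = 4.0) -> float:
    """Fix effort avoided; 4 hours is the midpoint of the article's 2-6 hour range."""
    return defects_avoided(before, after) * hours_per_defect


def cumulative_net_hours(before: ReleaseStats, after: ReleaseStats, annual_dev_hours: int,
                         years: int, upfront_percent: int = 10, hours_per_defect: float = 4.0) -> list:
    """Running net hours per year: one-time up-front cost in year one, savings every year."""
    investment = annual_dev_hours * upfront_percent / 100
    saving = hours_saved(before, after, hours_per_defect)
    totals, running = [], -investment
    for _ in range(years):
        running += saving
        totals.append(round(running, 1))
    return totals


# Constructed sample figures (assumptions, not the article's numbers).
BASELINE = ReleaseStats(lines_of_code=50_000, security_defects=400)
WITH_FRAMEWORK = ReleaseStats(lines_of_code=50_000, security_defects=80)
ANNUAL_DEV_HOURS = 20_000

if __name__ == "__main__":
    print("baseline density /KLOC:", defect_density(BASELINE))
    print("density with framework /KLOC:", defect_density(WITH_FRAMEWORK))
    print("fix hours saved per year:", hours_saved(BASELINE, WITH_FRAMEWORK))
    print("running net over 3 years:", cumulative_net_hours(BASELINE, WITH_FRAMEWORK, ANNUAL_DEV_HOURS, 3))
```

With these sample figures the first year is negative because the up-front investment exceeds the fix hours saved, and the running net turns positive from the second year once the investment has been paid once and the savings recur.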
Founded in 1853 in Hartford, U.S., Aetna (NYSE: AET) is committed to providing individuals, employers, health care professionals, producers, and others with a broad range of traditional, voluntary, and consumer-directed health insurance products and related services.