The Dollars and Sense of Application Security Testing ROI
April 11, 2022

Walter Capitani

More than ever, ensuring the quality, safety and security of software is crucial, and continuous testing is a must. While organizations may perceive this effort as costly, application security testing (AST) applied throughout the software development life cycle (SDLC) can significantly improve both efficiency and product quality. The return on investment (ROI) of AST can more than justify the cost.

The term "phygital" was reaching buzzword status even before the COVID pandemic led the last holdouts to digitize whatever real-world operations they had left. With software and applications now running much of the world — from manufacturing to farming and banking to shopping — code defects can have far-reaching consequences that span the physical and digital domains. Fortunately, application security testing (AST), which has existed for decades, provides a trusted path to safety for embedded software development.

How AST Improves ROI

Making security a key part of the development pipeline improves operational security, of course, but it can also bring return on investment. Rather than back into security and tack on some protection after the fact, leading development with security avoids inefficiencies, cost overruns, project delays and vulnerabilities in the final product that can inflate costs. Every design flaw or vulnerability caught early is a savings over the cost of remediating it after the software is deployed, because the development stage is where the majority of bugs are introduced.

AST solutions can help cut costs, time, and resources spent in several ways:

Finds bugs before final testing: AST solutions can spot defects during coding, before they get into the build system and move on to the next stages of development. Every bug dealt with at this point spares the team from failed unit, integration and system tests, and the extra debugging and retesting that follows.

Spots what manual code testing and reviews miss: Often, manual testing and code review processes can miss important defects, such as complex security vulnerabilities and concurrency problems. Automating AST throughout development will spot more defects that can be fixed instantly, resulting in higher quality, safer and more secure code.

Avoids the bugs in the first place: Enforcing good coding discipline and creating a develop-analyze-test micro cycle for small code changes can keep many defects from being created at all.

The savings can add up: One analysis by Google found that 40% of their engineering time is spent fixing bugs. That can add up to $2.4 million per year when dealing with one large application. Even in a smaller organization, a conservative estimate would put the savings at hundreds of thousands of dollars in reduced development and testing time, and that doesn't factor in the savings from not dealing with the higher costs of fixing defects and vulnerabilities in production and deployment.

Finding just one software bug is uncommon, while finding multiple defects is not, which is why continuous testing should be the rule. By finding defects early, developers reduce not only development costs, but also subsequent maintenance costs. AST enables development teams to keep up: a Forrester study found that automating the "test early and often" process boosted ROI 205% over three years, with a return of almost $7 million on a $3.3 million investment. The study found improvements in developers' output, reduced testing time, and better risk avoidance and remediation.

The Cost of Failure

If improved DevOps is not enough of an enticement, fear of failure should be. The average cost of a data breach has reached a record $4.24 million per instance, according to IBM's annual Cost of a Data Breach Report in 2021. That doesn't factor in lost business and tarnished brands, which have a longer tail. One estimate put the damage of software bugs to the economy at more than $2 trillion a year.

Calculating the ROI of continuous code testing should also consider factors other than identifying and fixing defects. Here are some examples and their impact on calculating ROI:

Risk and liability: In critical industries, such as transportation, medical devices, industrial automation and controls, software failure can potentially cause injury and death. Consider the unintended acceleration accidents which precipitated the recall of four million Prius cars that cost Toyota $5 billion.

Brand and reputation: It can be hard to put a number to this kind of damage, but it is a large and growing problem as cyber crimes such as ransomware grow. Data breaches increased by 17% in 2021 and included a number of high-profile cases such as the Log4j/Log4Shell vulnerability.

Customer experience: User experience is a big selling point in many applications, so poor design, security or quality can doom the customer experience and cost organizations, since customers are spoiled for choice. Amazon found every 100ms of latency in their online applications costs them 1% in sales and Google found a 500ms delay in search page results dropped traffic by 20%.

Patching and recalls: Remediation is a must when security vulnerabilities or defects are found, but it can be expensive and organizations are passing on huge costs to their customers, who have to spend time and money on patch management of their software. But this is crucial, since every unpatched piece of code is a landmine that could harm both your organization and its customers.

Compliance: When there is a breach, regulators are never far behind. Software security failures at public companies attract the attention of the Securities and Exchange Commission (SEC) or Federal Trade Commission (FTC), and can have consequences for failure to manage business risks. Equifax's data breach led to $575 million in fines, Home Depot paid $200 million in another case and Capital One $190 million—and that's above and beyond the other costs and liabilities they faced.

Insurance premiums: The SolarWinds attack cost insurers more than $90 million. Cybersecurity coverage is affected by software quality, safety and security, so insurers may begin taking a closer look at DevSecOps best practices and raising rates or even denying coverage to organizations that don't measure up.

The ROI of AST is clear: it paves the way to producing higher quality software, reduces costs upfront and downstream, and avoids the many potentially disruptive and very costly aftereffects of a digital mishap. By any measure, the numbers add up.

Walter Capitani is Director of Technical Product Management for GrammaTech