The Dollars and Sense of Application Security Testing ROI
April 11, 2022

Walter Capitani
GrammaTech

More than ever, ensuring the quality, safety and security of software is crucial, and continuous testing is a must. While organizations may perceive this effort as costly, when applied throughout the software development life cycle (SDLC) AST can significantly improve both efficiency and product quality. The return on investment (ROI) of AST can more than justify the cost.

The term "phygital" was reaching buzzword status even before the COVID pandemic led the last holdouts to digitize whatever real-world operations they had left. With software and applications now running much of the world — from manufacturing to farming and banking to shopping — code defects can have far reaching consequences that span the physical and digital domains. Fortunately, application security testing (AST), which has existed for decades, provides a trusted path to safety for embedded software development.

How AST Improves ROI

Making security a key part of the development pipeline improves operational security, of course, but it can also bring return on investment. Rather than back into security and tack on some protection after the fact, leading development with security avoids inefficiencies, cost overruns, project delays and vulnerabilities in the final product that can inflate costs. Every design flaw or vulnerability caught early is a savings over the cost of remediating it after the software is deployed, because the development stage is where the majority of bugs are introduced.

AST solutions can help cut costs, time, and resources spent in several ways:

Finds bugs before final testing: AST solutions can spot defects while coding before they get in the build system and move into the next stages of development. Every time a bug is dealt with at this point spares the team from failed unit, integration and system tests, and the extra debugging and retesting that follows.

Spots what manual code testing and reviews miss: Often, manual testing and code review processes can miss important defects, such as complex security vulnerabilities and concurrency problems. Automating AST throughout development will spot more defects that can be fixed instantly, resulting in higher quality, safer and more secure code.

Avoids the bugs in the first place: Enforcing good coding discipline and creating a develop-analyze-test micro cycle for small code changes can head off many defects from being created for starters.

The savings can add up: One analysis by Google found that 40% of their engineering time is spent fixing bugs. That can add up to $2.4 million/per year when dealing with one large application. Even in a smaller organization, a conservative estimate would put the savings at hundreds of thousands of dollars in reduced development and testing time; and that doesn't factor in the savings from not dealing with the higher costs of fixing defects and vulnerabilities in production and deployment.

Finding just one software bug is uncommon; while finding multiple defects is not, which is why continuous testing should be the rule. By finding defects early, developers reduce not only development costs, but also subsequent maintenance costs. AST enables development teams to keep up: a Forrester study found automating that "test early and often" process boosted ROI 205% over three years, with a return of almost $7 million on a $3.3 million investment. The study found improvements in developers' output, reduced testing time, better risk avoidance and remediation.

The Cost of Failure

If improved DevOps is not enough of an enticement, fear of failure should be. The average cost of a data breach has reached a record $4.24 million per instance, according to IBM's annual Cost of a Data Breach Report in 2021. That doesn't factor in lost business and tarnished brands, which have a longer tail. One estimate put the damage of software bugs to the economy at more than $2 trillion a year.

Calculating ROI of continuous code testing should also consider other factors than just identifying and fixing defects. Here are some examples and the impact to calculating ROI:

Risk and liability: In critical industries, such as transportation, medical devices, industrial automation and controls, software failure can potentially cause injury and death. Consider the unintended acceleration accidents which precipitated the recall of four million Prius cars that cost Toyota $5 billion.

Brand and reputation: It can be hard to put a number to this kind of damage, but it is a large and growing problem as cyber crimes such as ransomware grow. Data breaches increased by 17% in 2021 and included a number of high profile cases such as the Log4J/Log4shell vulnerability.

Customer experience: User experience is a big selling point in many applications, so poor design, security or quality can doom the customer experience and cost organizations, since customers are spoiled for choice. Amazon found every 100ms of latency in their online applications costs them 1% in sales and Google found a 500ms delay in search page results dropped traffic by 20%.

Patching and recalls: Remediation is a must when security vulnerabilities or defects are found, but it can be expensive and organizations are passing on huge costs to their customers, who have to spend time and money on patch management of their software. But this is crucial, since every unpatched piece of code is a landmine that could harm both your organization and its customers.

Compliance: When there is a breach, regulators are never far behind. Software security failures at public companies attract the attention of the Securities Exchange Commission (SEC) or Federal Trade Commission (FTC), and can have consequences for failure to manage business risks. Equifax's data breach led to $575 million in fines , Home Depot paid $200 million in another case and Capital One $190 million—and that's above and beyond the other costs and liabilities they faced.

Insurance premiums: The SolarWinds attack cost insurers more than $90 million. Cybersecurity coverage is affected by software quality, safety and security, so insurers may begin taking a closer look at DevSecOps best practices and raising rates or even denying coverage to organizations that don't measure up.

The ROI of AST is clear: it paves the way to producing higher quality software, reduces costs upfront and downstream, and avoids the many potentially disruptive and very costly aftereffects of a digital mishap. By any measure, the numbers add up.

Walter Capitani is Director of Technical Product Management for GrammaTech
Share this

Industry News

September 27, 2022

DevOps Institute will host SKILup Festival in Singapore on November 15, 2022.

September 27, 2022

Delinea announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams.

September 27, 2022

The Apptainer community announced version 1.1.0 of the popular container system for secure, high-performance computing (HPC). Improvements in the new version provide a smaller attack surface for production deployments while offering features that improve and simplify the user experience.

September 26, 2022

Secure Code Warrior unveiled Coding Labs, a new mechanism that allows developers to more easily move from learning to applying secure coding knowledge, leading to fewer vulnerabilities in code.

September 26, 2022

ActiveState announced the availability of the ActiveState Artifact Repository.

September 26, 2022

Split Software announced the availability of its Feature Data Platform in the Microsoft Azure Marketplace.

September 22, 2022

Katalon announced the launch of the Katalon Platform, a modern and comprehensive software quality management platform that enables teams of any size to easily and efficiently test, launch, and optimize apps, products, and software.

September 22, 2022

StackHawk announced its Deeper API Security Test Coverage release.

September 21, 2022

Platform9 announced the launch of its latest open source project, Arlon.

September 21, 2022

Redpanda Data announced Redpanda Console.

September 21, 2022

mabl announced its availability as a private listing on Google Cloud Marketplace.

September 21, 2022

Zesty announced a $75 million Series B funding round led by B Capital and Series A investor Sapphire Ventures.

September 20, 2022

Opsera, the Continuous Orchestration platform for DevOps, announced a free trial of its no-code Salesforce Release Management platform for fast and secure Salesforce releases.

September 20, 2022

Sysdig announced ToDo and Remediation Guru.

September 20, 2022

AutoRABIT announced CodeScan Shield.