The Dollars and Sense of Application Security Testing ROI
April 11, 2022

Walter Capitani

More than ever, ensuring the quality, safety and security of software is crucial, and continuous testing is a must. While organizations may perceive this effort as costly, when applied throughout the software development life cycle (SDLC) AST can significantly improve both efficiency and product quality. The return on investment (ROI) of AST can more than justify the cost.

The term "phygital" was reaching buzzword status even before the COVID pandemic led the last holdouts to digitize whatever real-world operations they had left. With software and applications now running much of the world — from manufacturing to farming and banking to shopping — code defects can have far reaching consequences that span the physical and digital domains. Fortunately, application security testing (AST), which has existed for decades, provides a trusted path to safety for embedded software development.

How AST Improves ROI

Making security a key part of the development pipeline improves operational security, of course, but it can also bring return on investment. Rather than back into security and tack on some protection after the fact, leading development with security avoids inefficiencies, cost overruns, project delays and vulnerabilities in the final product that can inflate costs. Every design flaw or vulnerability caught early is a savings over the cost of remediating it after the software is deployed, because the development stage is where the majority of bugs are introduced.

AST solutions can help cut costs, time, and resources spent in several ways:

Finds bugs before final testing: AST solutions can spot defects while coding before they get in the build system and move into the next stages of development. Every time a bug is dealt with at this point spares the team from failed unit, integration and system tests, and the extra debugging and retesting that follows.

Spots what manual code testing and reviews miss: Often, manual testing and code review processes can miss important defects, such as complex security vulnerabilities and concurrency problems. Automating AST throughout development will spot more defects that can be fixed instantly, resulting in higher quality, safer and more secure code.

Avoids the bugs in the first place: Enforcing good coding discipline and creating a develop-analyze-test micro cycle for small code changes can head off many defects from being created for starters.

The savings can add up: One analysis by Google found that 40% of their engineering time is spent fixing bugs. That can add up to $2.4 million/per year when dealing with one large application. Even in a smaller organization, a conservative estimate would put the savings at hundreds of thousands of dollars in reduced development and testing time; and that doesn't factor in the savings from not dealing with the higher costs of fixing defects and vulnerabilities in production and deployment.

Finding just one software bug is uncommon; while finding multiple defects is not, which is why continuous testing should be the rule. By finding defects early, developers reduce not only development costs, but also subsequent maintenance costs. AST enables development teams to keep up: a Forrester study found automating that "test early and often" process boosted ROI 205% over three years, with a return of almost $7 million on a $3.3 million investment. The study found improvements in developers' output, reduced testing time, better risk avoidance and remediation.

The Cost of Failure

If improved DevOps is not enough of an enticement, fear of failure should be. The average cost of a data breach has reached a record $4.24 million per instance, according to IBM's annual Cost of a Data Breach Report in 2021. That doesn't factor in lost business and tarnished brands, which have a longer tail. One estimate put the damage of software bugs to the economy at more than $2 trillion a year.

Calculating ROI of continuous code testing should also consider other factors than just identifying and fixing defects. Here are some examples and the impact to calculating ROI:

Risk and liability: In critical industries, such as transportation, medical devices, industrial automation and controls, software failure can potentially cause injury and death. Consider the unintended acceleration accidents which precipitated the recall of four million Prius cars that cost Toyota $5 billion.

Brand and reputation: It can be hard to put a number to this kind of damage, but it is a large and growing problem as cyber crimes such as ransomware grow. Data breaches increased by 17% in 2021 and included a number of high profile cases such as the Log4J/Log4shell vulnerability.

Customer experience: User experience is a big selling point in many applications, so poor design, security or quality can doom the customer experience and cost organizations, since customers are spoiled for choice. Amazon found every 100ms of latency in their online applications costs them 1% in sales and Google found a 500ms delay in search page results dropped traffic by 20%.

Patching and recalls: Remediation is a must when security vulnerabilities or defects are found, but it can be expensive and organizations are passing on huge costs to their customers, who have to spend time and money on patch management of their software. But this is crucial, since every unpatched piece of code is a landmine that could harm both your organization and its customers.

Compliance: When there is a breach, regulators are never far behind. Software security failures at public companies attract the attention of the Securities Exchange Commission (SEC) or Federal Trade Commission (FTC), and can have consequences for failure to manage business risks. Equifax's data breach led to $575 million in fines , Home Depot paid $200 million in another case and Capital One $190 million—and that's above and beyond the other costs and liabilities they faced.

Insurance premiums: The SolarWinds attack cost insurers more than $90 million. Cybersecurity coverage is affected by software quality, safety and security, so insurers may begin taking a closer look at DevSecOps best practices and raising rates or even denying coverage to organizations that don't measure up.

The ROI of AST is clear: it paves the way to producing higher quality software, reduces costs upfront and downstream, and avoids the many potentially disruptive and very costly aftereffects of a digital mishap. By any measure, the numbers add up.

Walter Capitani is Director of Technical Product Management for GrammaTech
Share this

Industry News

October 02, 2023

Spectro Cloud announced Palette EdgeAI to simplify how organizations deploy and manage AI workloads at scale across simple to complex edge locations, such as retail, healthcare, industrial automation, oil and gas, automotive/connected cars, and more.

September 28, 2023

Kong announced Kong Konnect Dedicated Cloud Gateways, the simplest and most cost-effective way to run Kong Gateways in the cloud fully managed as a service and on enterprise dedicated infrastructure.

September 28, 2023

Sisense unveiled the public preview of Compose SDK for Fusion.

September 28, 2023

Cloudflare announced Hyperdrive to make every local database global. Now developers can easily build globally distributed applications on Cloudflare Workers, the serverless developer platform used by over one million developers, without being constrained by their existing infrastructure.

September 27, 2023

Kong announced full support for Kong Mesh in Konnect, making Kong Konnect an API lifecycle management platform with built-in support for Kong Gateway Enterprise, Kong Ingress Controller and Kong Mesh via a SaaS control plane.

September 27, 2023

Vultr announced the launch of the Vultr GPU Stack and Container Registry to enable global enterprises and digital startups alike to build, test and operationalize artificial intelligence (AI) models at scale — across any region on the globe. \

September 27, 2023

Salt Security expanded its partnership with CrowdStrike by integrating the Salt Security API Protection Platform with the CrowdStrike Falcon® Platform.

September 26, 2023

Progress announced a partnership with Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, to help ensure the long-term maintainability and modernization of business-critical applications built on the Progress® OpenEdge® platform.

September 26, 2023

Solace announced a new version of its Solace Event Portal solution that gives organizations with Apache Kafka deployments better visibility into, and control over, their Kafka event streams, brokers and associated assets.

September 26, 2023

Reply launched a proprietary framework for generative AI-based software development, KICODE Reply.

September 26, 2023

Harness announced the industry-wide Engineering Excellence Collective™, an engineering leadership community.

September 25, 2023

Harness announced four new product modules on the Harness platform.

September 25, 2023

Sylabs announced the release of SingularityCE 4.0.

September 25, 2023

Timescale announced the launch of Timescale Vector, enabling developers to build production AI applications at scale with PostgreSQL.