3.1 Why Does Good Design Matter?
There is no question that resolving
security issues during the design phase of software is ideal from a
developer's point of view. Our experience (confirmed
by recent academic studies) shows that investing in design also makes
good business sense. To make this principle more tangible,
let's try to calculate the cost to fix a security
shortcoming at design time—as opposed to doing it as part of
implementation, during testing, or via a software patch. Research
reveals the following ratios, illustrated by Figure 3-1:
If the cost at design time is taken as a unit of 1, the
cost of fixing the same bug in
implementation is about 6.5 times as great.
If the security vulnerability is caught at testing time, the cost is
15 times as great.
If the security vulnerability is discovered only after the
software is released, so that the fix itself has to be shipped as a
patch, the cost is about 60 times what it would have cost to fix the
problem at the design stage.
These figures make a strong case for being careful during
design. Keep in mind, too, that, as the study we just cited points
out, there are intangible costs as well: loss of goodwill and
reputation, lost functionality, and more stress for everyone involved
in the project are common outcomes.