The Productivity Gain Of Software Security

Take current dev/ops practices into account. Those regular changes already cost money, so adding security controls is simply another change to the existing process that requires some investment—the same as any business process change.

The return on investment should be measured in the productivity enhancements enabled by avoiding software flaws and defects in the development process and the ability to fix defects earlier in the life-cycle. This approach saves time over fixing defects discovered after the application is built through a penetration test.

Providing developers with frameworks for input and output validation routines is an example of a control that actually prevents defects in software code. Mandating their use by security policy is simply an example of embedding a control that prevents vulnerabilities in software. Dev/Ops give us a continuous build process so developers don’t have to spend time fixing the vulnerability. The productivity saved can be measured by determining the standard cost of fixing defects, usually between two and six hours of development time, and multiplying that by how many defects are identified before and after the framework.

Using this before-and-after model to determine the average number of security vulnerabilities per line of code written (something called defect density) provides an opportunity to measure improvements over your baseline measures. The difference is the second gain in productivity of embedding controls in development. It turns out that developers actually learn how to avoid defects when they are able to use static analysis tools during development so preventing defects and fixing them earlier enable more time to be invested in quality software and less time fixing defects. As a result, obtaining productivity improvement of 10 to 40 percent is feasible, offering a compelling argument for security that everyone can understand.

Founded in 1853 in Hartford, U.S., Aetna (NYSE: AET) is committed to providing individuals, employers, health care professionals, producers, and others with a broad range of traditional, voluntary, and consumer-directed health insurance products and related services.