Still, large sites are facing a major reality check in the costs of cleaning up their bugs: WhiteHat's Grossman says it's safe to say that most Websites today are full of vulnerabilities, and finding them is a major challenge. The cost of finding those bugs depends on the route an enterprise takes: a one-time consultant's vulnerability assessment runs roughly $10,000 per site, while a much less expensive automated vulnerability scan is somewhere around $1,000. And that's just finding the bugs, not fixing them, Grossman says.
"The struggle is how do you deal with an enormous number of sites riddled with vulnerabilities? You can't just recode them. It's a dollars and cents issue," Grossman says.
And enterprises are less likely to remediate security bugs in internal Web-based applications than in their public-facing Website apps, experts say. Internal apps can also cost twice as much to fix as external ones, Cigital's Steven says. "This makes sense, when you think about it. Internal apps often go through 'security process lite' within organizations or are repurposed applications built without security constraints. The flaws found within them are huge and endemic," he says. "Cross-site scripting and that tier of low-hanging fruit cost little to fix, sure, but people often opt not to. Their thinking is, 'I don't expect internal staff to own me with a Web attack.'"
Cigital has seen that firsthand with some of its clients, too: "In our retests of internal apps, we almost always find nearly 100 percent of the issues found previously -- of a medium or high criticality, like the cross-site scripting ones," he says.
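To show why the cross-site scripting tier counts as low-hanging fruit, here is an added example (not code from the article, Cigital, or any of the vendors quoted): a hypothetical page handler that reflects a "name" parameter into HTML, first unescaped and then with output encoding applied, plus a small retest check of the kind a follow-up assessment would run. The payload string is a constructed sample; the function names are illustrative, not from any real project.

```javascript
// Added example, not from the original article. Demonstrates the usual fix for
// a reflected cross-site scripting bug: encode untrusted input at the point
// where it is written into HTML. Handler names and payload are hypothetical.

// Escape the five characters that can break out of HTML text content or a
// quoted attribute value. This is the entire fix for this class of bug.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the request parameter is pasted straight into the page.
function renderUnsafe(name) {
  return `<html><body><h1>Hello, ${name}</h1></body></html>`;
}

// Fixed rendering: identical template, input encoded on output.
function renderSafe(name) {
  return `<html><body><h1>Hello, ${escapeHtml(name)}</h1></body></html>`;
}

// Retest check: does the rendered page still contain a live <script> element?
// Case-insensitive, because browsers accept <SCRIPT> and <ScRiPt> alike.
function scriptSurvives(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload, the kind a scanner submits to a "name" parameter.
const PAYLOAD = '<script>alert(document.cookie)</script>';

// Run the retest against both handlers and report which one still fails.
function retest(payload) {
  return {
    unsafeStillVulnerable: scriptSurvives(renderUnsafe(payload)),
    safeStillVulnerable: scriptSurvives(renderSafe(payload)),
  };
}

console.log(retest(PAYLOAD));
// unsafeStillVulnerable: true, safeStillVulnerable: false
```

The encoder above is only correct for HTML text and quoted-attribute context; input landing inside a `<script>` block, an event-handler attribute, a URL, or CSS needs the encoding rules for that context instead, which is where "cheap to fix" stops being true and a templating library that encodes by default earns its keep.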
And vendors' commercial software is dramatically more expensive to fix, too. Oracle can spend up to $1 million on a vulnerability fix that spans multiple platforms in its software products, including the cost of regression testing and patching, notes Chris Wysopal, CTO at Veracode. "The fundamental difference is a vulnerability in a Web application only has to be fixed on that one site if it's custom software. Commercial software is replicated on many sites," he says. "You get dramatically larger numbers with commercial software."