Risk

5/11/2009
01:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

The Cost Of Fixing An Application Vulnerability

Security experts say enterprises spend anywhere from $400 to several thousand dollars to fix a single vulnerability in their internally Web developed applications

The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it's fixed.

Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix.

But with the call for more secure coding ringing louder all the time, enterprises are faced with looking more closely at how much they must spend to fix holes in their applications. Jeremiah Grossman, CTO of WhiteHat Security, recently conducted an informal poll about the costs to enterprises for fixing bugs in their Web applications. He went with a relatively conservative estimate, calculating that it takes about 40 man-hours at $100 per hour to fix one vulnerability in a Website, or $4,000. And given that WhiteHat finds an average of seven vulnerabilities per Website, it comes out to about $28,000 to remediate a Website.

John Steven, senior director for advanced technology consulting at Cigital, says Grossman's numbers are "dead on." "Cross-site scripting costs very little to fix, for instance, but the regression rate and 'new findings' rates are very high," says Steven, who has done some number-crunching of his own.

Stevens says security remediation typically occurs outside of the normal development and quality-assurance cycle. It costs an organization about $250 to understand a vulnerability finding, $300 to communicate a vulnerability internally and to get "action," and around $240 to verify the fix itself, he says. A simple bug can take about an hour and a half to fix, he says, or $160, for example, at about $105 per man-hour.

"Endemic problems, like authorization, that require integration with tools take more like 80 to 100 hours," Stevens says, so Grossman's estimate for those cases is right on target, he says.

With XSS, enterprises aren't typically fixing just one XSS bug at a time, either. "Developers tend to fix in batches. So no one fixes [just] one cross-site scripting [bug]," Stevens says. Instead, it's more like eight to 20 at a time, he adds, and while some bugs only cost about $400 to fix, others can cost $9,000 to $11,000 to fix.

A cross-site request forgery (CSRF) vulnerability that requires encryption can require 80 to 100 man-hours of resources to repair, he says. But a low-budget $400 XSS fix is likely to cause more problems later. "Retests will uncover related problems or the same problem elsewhere as a result of that kind of 'fix,'" Stevens says.

Gartner, meanwhile, doesn't calculate actual application repair costs because they can vary so widely, but Joseph Feiman, a vice president and Gartner fellow, says Grossman's estimates are realistic. Gartner, which says 100 percent of all vulnerabilities in homegrown applications are in place prior to production, offers its clients a "cost of effort" analysis framework to determine what it takes resourcewise to fix an application.

"The later you detect a vulnerability [in the software life cycle process], the more the percentage [required] for system testing, construction, and design," Feiman says. "If you find it at operations time, you have to repeat the entire process, so it costs you up to 100 percent effort."

Other experts argue that putting a price tag on vulnerability repair isn't possible. "All in all, the idea of this kind of range is unlikely to either impel or imperil improvements in application security, as it is almost meaningless as a predictor of costs, or as a justifier of investment. There are just too many moving parts," says Jack Danahy, CTO of Ounce Labs.

Danahy says fixing a bug can entail anything from changing one number or API call, to creating and enforcing the use of an input/data validation library. "The fix also varies significantly based on the scope of the chosen repair solution. In cases of widespread poor practices, a single change, made centrally, can eliminate dozens of problems both known and unknown," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17358
PUBLISHED: 2018-09-23
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a ...
CVE-2018-17359
PUBLISHED: 2018-09-23
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVE-2018-17360
PUBLISHED: 2018-09-23
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executa...
CVE-2018-17361
PUBLISHED: 2018-09-23
Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php because $_SERVER['PHP_SELF'] is mishandled.
CVE-2018-17364
PUBLISHED: 2018-09-23
OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via the accBackupDir parameter.