Risk

5/11/2009
01:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

The Cost Of Fixing An Application Vulnerability

Security experts say enterprises spend anywhere from $400 to several thousand dollars to fix a single vulnerability in their internally Web developed applications

The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it's fixed.

Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix.

But with the call for more secure coding ringing louder all the time, enterprises are faced with looking more closely at how much they must spend to fix holes in their applications. Jeremiah Grossman, CTO of WhiteHat Security, recently conducted an informal poll about the costs to enterprises for fixing bugs in their Web applications. He went with a relatively conservative estimate, calculating that it takes about 40 man-hours at $100 per hour to fix one vulnerability in a Website, or $4,000. And given that WhiteHat finds an average of seven vulnerabilities per Website, it comes out to about $28,000 to remediate a Website.

John Steven, senior director for advanced technology consulting at Cigital, says Grossman's numbers are "dead on." "Cross-site scripting costs very little to fix, for instance, but the regression rate and 'new findings' rates are very high," says Steven, who has done some number-crunching of his own.

Stevens says security remediation typically occurs outside of the normal development and quality-assurance cycle. It costs an organization about $250 to understand a vulnerability finding, $300 to communicate a vulnerability internally and to get "action," and around $240 to verify the fix itself, he says. A simple bug can take about an hour and a half to fix, he says, or $160, for example, at about $105 per man-hour.

"Endemic problems, like authorization, that require integration with tools take more like 80 to 100 hours," Stevens says, so Grossman's estimate for those cases is right on target, he says.

With XSS, enterprises aren't typically fixing just one XSS bug at a time, either. "Developers tend to fix in batches. So no one fixes [just] one cross-site scripting [bug]," Stevens says. Instead, it's more like eight to 20 at a time, he adds, and while some bugs only cost about $400 to fix, others can cost $9,000 to $11,000 to fix.

A cross-site request forgery (CSRF) vulnerability that requires encryption can require 80 to 100 man-hours of resources to repair, he says. But a low-budget $400 XSS fix is likely to cause more problems later. "Retests will uncover related problems or the same problem elsewhere as a result of that kind of 'fix,'" Stevens says.

Gartner, meanwhile, doesn't calculate actual application repair costs because they can vary so widely, but Joseph Feiman, a vice president and Gartner fellow, says Grossman's estimates are realistic. Gartner, which says 100 percent of all vulnerabilities in homegrown applications are in place prior to production, offers its clients a "cost of effort" analysis framework to determine what it takes resourcewise to fix an application.

"The later you detect a vulnerability [in the software life cycle process], the more the percentage [required] for system testing, construction, and design," Feiman says. "If you find it at operations time, you have to repeat the entire process, so it costs you up to 100 percent effort."

Other experts argue that putting a price tag on vulnerability repair isn't possible. "All in all, the idea of this kind of range is unlikely to either impel or imperil improvements in application security, as it is almost meaningless as a predictor of costs, or as a justifier of investment. There are just too many moving parts," says Jack Danahy, CTO of Ounce Labs.

Danahy says fixing a bug can entail anything from changing one number or API call, to creating and enforcing the use of an input/data validation library. "The fix also varies significantly based on the scope of the chosen repair solution. In cases of widespread poor practices, a single change, made centrally, can eliminate dozens of problems both known and unknown," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-13435
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest w...
CVE-2018-13446
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. ...
CVE-2018-14567
PUBLISHED: 2018-08-16
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVE-2018-15122
PUBLISHED: 2018-08-16
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
CVE-2018-11509
PUBLISHED: 2018-08-16
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.