The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it's fixed.
Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix.
But with the call for more secure coding ringing louder all the time, enterprises are faced with looking more closely at how much they must spend to fix holes in their applications. Jeremiah Grossman, CTO of WhiteHat Security, recently conducted an informal poll about the costs to enterprises for fixing bugs in their Web applications. He went with a relatively conservative estimate, calculating that it takes about 40 man-hours at $100 per hour to fix one vulnerability in a Website, or $4,000. And given that WhiteHat finds an average of seven vulnerabilities per Website, it comes out to about $28,000 to remediate a Website.
John Steven, senior director for advanced technology consulting at Cigital, says Grossman's numbers are "dead on." "Cross-site scripting costs very little to fix, for instance, but the regression rate and 'new findings' rates are very high," says Steven, who has done some number-crunching of his own.
Stevens says security remediation typically occurs outside of the normal development and quality-assurance cycle. It costs an organization about $250 to understand a vulnerability finding, $300 to communicate a vulnerability internally and to get "action," and around $240 to verify the fix itself, he says. A simple bug can take about an hour and a half to fix, he says, or $160, for example, at about $105 per man-hour.
"Endemic problems, like authorization, that require integration with tools take more like 80 to 100 hours," Stevens says, so Grossman's estimate for those cases is right on target, he says.
With XSS, enterprises aren't typically fixing just one XSS bug at a time, either. "Developers tend to fix in batches. So no one fixes [just] one cross-site scripting [bug]," Stevens says. Instead, it's more like eight to 20 at a time, he adds, and while some bugs only cost about $400 to fix, others can cost $9,000 to $11,000 to fix.
A cross-site request forgery (CSRF) vulnerability that requires encryption can require 80 to 100 man-hours of resources to repair, he says. But a low-budget $400 XSS fix is likely to cause more problems later. "Retests will uncover related problems or the same problem elsewhere as a result of that kind of 'fix,'" Stevens says.
Gartner, meanwhile, doesn't calculate actual application repair costs because they can vary so widely, but Joseph Feiman, a vice president and Gartner fellow, says Grossman's estimates are realistic. Gartner, which says 100 percent of all vulnerabilities in homegrown applications are in place prior to production, offers its clients a "cost of effort" analysis framework to determine what it takes resourcewise to fix an application.
"The later you detect a vulnerability [in the software life cycle process], the more the percentage [required] for system testing, construction, and design," Feiman says. "If you find it at operations time, you have to repeat the entire process, so it costs you up to 100 percent effort."
Other experts argue that putting a price tag on vulnerability repair isn't possible. "All in all, the idea of this kind of range is unlikely to either impel or imperil improvements in application security, as it is almost meaningless as a predictor of costs, or as a justifier of investment. There are just too many moving parts," says Jack Danahy, CTO of Ounce Labs.
Danahy says fixing a bug can entail anything from changing one number or API call, to creating and enforcing the use of an input/data validation library. "The fix also varies significantly based on the scope of the chosen repair solution. In cases of widespread poor practices, a single change, made centrally, can eliminate dozens of problems both known and unknown," he says.
Even with the current economic climate, Gartner hasn't seen any major decline in security expenditures, and "the interest is very high" for fixing vulnerabilities, as well as other security expenditures, Feiman says.
Still, large sites are facing a major reality check in the costs associated with cleaning up their bugs: WhiteHat's Grossman says it's safe to say that most Websites today are full of vulnerabilities, and finding them is a major challenge. The cost of finding those bugs depends on the route an enterprise takes, whether it's a one-time consultant's vulnerability assessment of $10,000 per site, or a much less expensive vulnerability scan, which is somewhere around $1,000. And that's just finding the bugs, not fixing them, Grossman says.
"The struggle is how do you deal with an enormous number of sites riddled with vulnerabilities? You can't just recode them. It's a dollars and cents issue," Grossman says.
And enterprises are less likely to remediate security bugs in internal Web-based applications (not the public-facing ones) than in their Website apps, experts say. They can cost twice as much to fix than external apps, Cigital's Steven says. "This makes sense, when you think about it. Internal apps often go through 'security process lite' within organizations or are repurposed applications built without security constraints. The flaws found within them are huge and endemic," he says. "Cross-site scripting and that tier of low-hanging fruit cost as little to fix, sure, but people often opt not to. Their thinking is, 'I don't expect internal staff to own me with a Web attack.'"
Cigital has seen that firsthand with some of its clients, too: "In our retests of internal apps, we almost always find nearly 100 percent of the issues found previously -- of a medium or high criticality, like the cross-site scripting ones," he says.
And vendors' commercial software is dramatically more expensive to fix, too. Oracle can spend up to $1 million on a vulnerability fix that spans multiple platforms in its software products, including the cost of regression testing and patching, notes Chris Wysopal, CTO at Veracode. "The fundamental difference is vulnerability in a Web application only has to be fixed on that one site if it's custom software. Commercial software is replicated on many sites," he says. "You get dramatically larger numbers with commercial software."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio