It is important to understand the risk the application presents. In the standard risk equation, Risk = Threat x Vulnerability x Cost, we consider risk to be a product of the likelihood of a successful attack together with the frequency of such attacks and the associated cost to recover from it.
An insecure application clearly increases the vulnerability of the organisation and therefore likelihood of success. The frequency of attack is increasing as more attackers focus on the application interface when faced with a secure infrastructure. The value of the application and therefore the cost of recovery will clearly vary from organisation to organisation, but it is fair to say that applications provide access to, or are, valuable corporate assets.
The risk associated with an insecure application is already high, and is rising so there are several reasons why organisations choose to follow a secure development program;
To mitigate the risk of a serious application flaw exposing the organisation or its data.
To provide a better quality in the completed product or service, thereby reducing any risk of liability or negative publicity.
To reduce IT security costs after implementation and ultimately provide a better return on IT security investment (ROSI).
To improve maintenance time by reducing the effort needed to fix bugs after delivery.
To improve productivity and allocation of resource. Less development work is required to engineer solutions to problems identified early. Their root causes may be determined, resolved and adapted to prevent reoccurrence.
To shorten delivery times by reducing the time spent in the integration and system test/debug phases.
Retrospective identification and remediation of risks in applications can be a time-consuming and costly exercise. It is far easier to build a secure application that to fix an insecure one.
IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the maintenance phase. Figure 1 shows the relative cost to fix problems identified in the Design, Implementation, Testing, and Maintenance phases as identified by IBM1.
Figure 1 ***
Research by @Stake demonstrated that on average an organisation caught only a quarter of its software security holes and had typically seven significant bugs within its enterprise software. Their findings verified that fixing the same defects during the testing phase cost around seven times less than after deployment. They concluded building security into software engineering at the design stage would net a 21% ROSI; waiting until the implementation stage would reduce that to 15% and at the testing stage, the ROSI would fall to 12%.