* Kenneth R. van Wyk:

> There's an interesting article out on Net-Security.org (see the full article
> at http://www.net-security.org/article.php?id=697) that addresses why
> software development organizations adopt (or do not adopt) a Software
> Security development methodology. Check it out -- it's a good read, IMHO.
| Although consuming between 5-15% of a project's overall budget,
| organisations have learnt that the savings yielded by phased
| security assessments far outweigh the costs of performing them.

I don't think this is correct. The costs of fixing bugs are higher later in the product lifecycle (and the article cites confirming data), but these costs might never materialize. Only a fraction of all bugs are found, and the vendor doesn't even have to fix all those which have actually been discovered.

I've never seen any hard evidence that investment into proactive measures during development (or call it "increased software quality") pays off in the end, at least in the area of applications which are neither safety-critical nor regulated in some form or other. Only those companies that want you to pay dearly for their services publish claim after claim that those services actually save you money.

My own experience suggests that a strong brand is far more significant in making purchasing decisions than defect rate, and a really good brand can enable a vendor to push critical security fixes back years, towards the next software development/deployment cycle, thus minimizing the costs.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: bigpond.com, di-ve.com, fuorissimo.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.