http://1raindrop.typepad.com/1_raindrop/2007/10/network-securit.html

Software security should have 0% budget.

For me, software security only works well if you build it into the lifecycle. Yep, each of the “additional” phases/checks/tests cost “extra”, but that is part of the development cost. Having some budget “assigned” for security does exactly what Thomas says above - gets you to pick the one thing that gives you the biggest “bang for the buck”. That’s a reasonable approach, and I’m sure given time and data we can do a good risk/reward trade off, but if security is baked into the development at various places then I believe you get better software (and not just in terms of security - a review can pull all sorts of thing - maintainability is an obvious one)

The 2% number is basically saying that you will spend ~$15k per release on security.

On the one hand, that’s low as a percentage of revenue (an 8 person dev team, multiple cycles in, is doing low millions of top-line revenue on the low side, and tens of millions on the high side), but on the other hand that’s more than almost any ISV actually spends on security.

What will 15k buy you? If it’s a web app, a solid third party re-test and incremental test on an applicaton. Of course, that leaves no money for training or tools.

The real argument ot be made here is that development teams that either (a) take security seriously or (b) are getting hit over the head by security problems are losing far more time to security-related schedule slippage — in cost of remediation and delayed ship dates — than they ever stand to spend in active security investments.

In the end the idea is to start with a good guess and to adapt the budget based on experience gathered in several projects. I would say that there will be many answers to the question … and I’m also looking for other comments.