Software Security Budgets

Markus Schumacher poses an interesting question on his blog: how much money from the development budget should be spent on security? He then goes on to suggest 2%. Markus is clearly a smart cookie. Many people might have asked a similar-sounding but very different question, namely “How much of the security budget should be spent on software security?”. When development teams allocate their own budget for security, they are usually taking responsibility to address the issue; a sign of maturity.

But 2%? I must confess I don’t know where to turn to even start to rationalize that number, but I do want to understand this a lot more, so it’s to you I turn, dear reader. Any good links to the economics of software, with empirical studies of how much is spent on complementary functions like functional testing, performance, etc.?

4 Comments on “Software Security Budgets”

  1. Markus Schumacher Says:

    Mark, thanks for picking this up. Just a remark from experience out of my previous professional life at one of the bigger software vendors. There we had several different development standards (performance, security, accessibility, usability, etc.). The overall budget for all *ilities was 2% - not enough from my security point of view. Thus, I consider 2% as a good starting point for security.

    In the end the idea is to start with a good guess and to adapt the budget based on experience gathered in several projects. I would say that there will be many answers to the question … and I’m also looking for other comments.

  2. Thomas H. Ptacek Says:

    Take a release cycle for a typical ISV dev team, with 5 FTE developers and 3 FTE QA. Assume cycles are 6 months long. Assume fully loaded cost of 150k/per (a very lean number). Assume for the sake of argument that there’s no real overhead to development other than people.

    The 2% number is basically saying that you will spend ~$15k per release on security.

    On the one hand, that’s low as a percentage of revenue (an 8 person dev team, multiple cycles in, is doing low millions of top-line revenue on the low side, and tens of millions on the high side), but on the other hand that’s more than almost any ISV actually spends on security.

    What will 15k buy you? If it’s a web app, a solid third party re-test and incremental test on an application. Of course, that leaves no money for training or tools.

    The real argument to be made here is that development teams that either (a) take security seriously or (b) are getting hit over the head by security problems are losing far more time to security-related schedule slippage — in cost of remediation and delayed ship dates — than they ever stand to spend in active security investments.

  3. MikeA Says:

    Depends on where you draw the line on security. Network security obviously has costs. So does physical security. Software security is different, and I’d like to throw something else out there.

    Software security should have 0% budget.

    For me, software security only works well if you build it into the lifecycle. Yep, each of the “additional” phases/checks/tests costs “extra”, but that is part of the development cost. Having some budget “assigned” for security does exactly what Thomas says above - gets you to pick the one thing that gives you the biggest “bang for the buck”. That’s a reasonable approach, and I’m sure given time and data we can do a good risk/reward trade-off, but if security is baked into the development at various places then I believe you get better software (and not just in terms of security - a review can pull all sorts of things - maintainability is an obvious one).

  4. Gunnar Says:

    How about investing security $ using similar priorities to what the business uses?

    http://1raindrop.typepad.com/1_raindrop/2007/10/network-securit.html
