The Dollars and Sense of Application Security Testing ROI
April 11, 2022

Walter Capitani
GrammaTech

More than ever, ensuring the quality, safety and security of software is crucial, and continuous testing is a must. While organizations may perceive this effort as costly, when applied throughout the software development life cycle (SDLC) AST can significantly improve both efficiency and product quality. The return on investment (ROI) of AST can more than justify the cost.

The term "phygital" was reaching buzzword status even before the COVID pandemic led the last holdouts to digitize whatever real-world operations they had left. With software and applications now running much of the world — from manufacturing to farming and banking to shopping — code defects can have far reaching consequences that span the physical and digital domains. Fortunately, application security testing (AST), which has existed for decades, provides a trusted path to safety for embedded software development.

How AST Improves ROI

Making security a key part of the development pipeline improves operational security, of course, but it can also bring return on investment. Rather than back into security and tack on some protection after the fact, leading development with security avoids inefficiencies, cost overruns, project delays and vulnerabilities in the final product that can inflate costs. Every design flaw or vulnerability caught early is a savings over the cost of remediating it after the software is deployed, because the development stage is where the majority of bugs are introduced.

AST solutions can help cut costs, time, and resources spent in several ways:

Finds bugs before final testing: AST solutions can spot defects while coding before they get in the build system and move into the next stages of development. Every time a bug is dealt with at this point spares the team from failed unit, integration and system tests, and the extra debugging and retesting that follows.

Spots what manual code testing and reviews miss: Often, manual testing and code review processes can miss important defects, such as complex security vulnerabilities and concurrency problems. Automating AST throughout development will spot more defects that can be fixed instantly, resulting in higher quality, safer and more secure code.

Avoids the bugs in the first place: Enforcing good coding discipline and creating a develop-analyze-test micro cycle for small code changes can head off many defects from being created for starters.

The savings can add up: One analysis by Google found that 40% of their engineering time is spent fixing bugs. That can add up to $2.4 million/per year when dealing with one large application. Even in a smaller organization, a conservative estimate would put the savings at hundreds of thousands of dollars in reduced development and testing time; and that doesn't factor in the savings from not dealing with the higher costs of fixing defects and vulnerabilities in production and deployment.

Finding just one software bug is uncommon; while finding multiple defects is not, which is why continuous testing should be the rule. By finding defects early, developers reduce not only development costs, but also subsequent maintenance costs. AST enables development teams to keep up: a Forrester study found automating that "test early and often" process boosted ROI 205% over three years, with a return of almost $7 million on a $3.3 million investment. The study found improvements in developers' output, reduced testing time, better risk avoidance and remediation.

The Cost of Failure

If improved DevOps is not enough of an enticement, fear of failure should be. The average cost of a data breach has reached a record $4.24 million per instance, according to IBM's annual Cost of a Data Breach Report in 2021. That doesn't factor in lost business and tarnished brands, which have a longer tail. One estimate put the damage of software bugs to the economy at more than $2 trillion a year.

Calculating ROI of continuous code testing should also consider other factors than just identifying and fixing defects. Here are some examples and the impact to calculating ROI:

Risk and liability: In critical industries, such as transportation, medical devices, industrial automation and controls, software failure can potentially cause injury and death. Consider the unintended acceleration accidents which precipitated the recall of four million Prius cars that cost Toyota $5 billion.

Brand and reputation: It can be hard to put a number to this kind of damage, but it is a large and growing problem as cyber crimes such as ransomware grow. Data breaches increased by 17% in 2021 and included a number of high profile cases such as the Log4J/Log4shell vulnerability.

Customer experience: User experience is a big selling point in many applications, so poor design, security or quality can doom the customer experience and cost organizations, since customers are spoiled for choice. Amazon found every 100ms of latency in their online applications costs them 1% in sales and Google found a 500ms delay in search page results dropped traffic by 20%.

Patching and recalls: Remediation is a must when security vulnerabilities or defects are found, but it can be expensive and organizations are passing on huge costs to their customers, who have to spend time and money on patch management of their software. But this is crucial, since every unpatched piece of code is a landmine that could harm both your organization and its customers.

Compliance: When there is a breach, regulators are never far behind. Software security failures at public companies attract the attention of the Securities Exchange Commission (SEC) or Federal Trade Commission (FTC), and can have consequences for failure to manage business risks. Equifax's data breach led to $575 million in fines , Home Depot paid $200 million in another case and Capital One $190 million—and that's above and beyond the other costs and liabilities they faced.

Insurance premiums: The SolarWinds attack cost insurers more than $90 million. Cybersecurity coverage is affected by software quality, safety and security, so insurers may begin taking a closer look at DevSecOps best practices and raising rates or even denying coverage to organizations that don't measure up.

The ROI of AST is clear: it paves the way to producing higher quality software, reduces costs upfront and downstream, and avoids the many potentially disruptive and very costly aftereffects of a digital mishap. By any measure, the numbers add up.

Walter Capitani is Director of Technical Product Management for GrammaTech
Share this

Industry News

November 21, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.

November 21, 2024

Securiti announced a new solution - Security for AI Copilots in SaaS apps.

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.