DEVOPSdigest

More than ever, ensuring the quality, safety and security of software is crucial, and continuous testing is a must. While organizations may perceive this effort as costly, when applied throughout the software development life cycle (SDLC) AST can significantly improve both efficiency and product quality. The return on investment (ROI) of AST can more than justify the cost.

The term "phygital" was reaching buzzword status even before the COVID pandemic led the last holdouts to digitize whatever real-world operations they had left. With software and applications now running much of the world — from manufacturing to farming and banking to shopping — code defects can have far reaching consequences that span the physical and digital domains. Fortunately, application security testing (AST), which has existed for decades, provides a trusted path to safety for embedded software development.

How AST Improves ROI

Making security a key part of the development pipeline improves operational security, of course, but it can also bring return on investment. Rather than back into security and tack on some protection after the fact, leading development with security avoids inefficiencies, cost overruns, project delays and vulnerabilities in the final product that can inflate costs. Every design flaw or vulnerability caught early is a savings over the cost of remediating it after the software is deployed, because the development stage is where the majority of bugs are introduced.

AST solutions can help cut costs, time, and resources spent in several ways:

■ Finds bugs before final testing: AST solutions can spot defects while coding before they get in the build system and move into the next stages of development. Every time a bug is dealt with at this point spares the team from failed unit, integration and system tests, and the extra debugging and retesting that follows.

■ Spots what manual code testing and reviews miss: Often, manual testing and code review processes can miss important defects, such as complex security vulnerabilities and concurrency problems. Automating AST throughout development will spot more defects that can be fixed instantly, resulting in higher quality, safer and more secure code.

■ Avoids the bugs in the first place: Enforcing good coding discipline and creating a develop-analyze-test micro cycle for small code changes can head off many defects from being created for starters.

The savings can add up: One analysis by Google(link is external) found that 40% of their engineering time is spent fixing bugs. That can add up to $2.4 million/per year when dealing with one large application. Even in a smaller organization, a conservative estimate would put the savings at hundreds of thousands of dollars in reduced development and testing time; and that doesn't factor in the savings from not dealing with the higher costs of fixing defects and vulnerabilities in production and deployment.

Finding just one software bug is uncommon; while finding multiple defects is not, which is why continuous testing should be the rule. By finding defects early, developers reduce not only development costs, but also subsequent maintenance costs. AST enables development teams to keep up: a Forrester study found automating that "test early and often" process boosted ROI 205%(link is external) over three years, with a return of almost $7 million on a $3.3 million investment. The study found improvements in developers' output, reduced testing time, better risk avoidance and remediation.

The Cost of Failure

If improved DevOps is not enough of an enticement, fear of failure should be. The average cost of a data breach has reached a record $4.24 million per instance, according to IBM's annual Cost of a Data Breach Report(link is external) in 2021. That doesn't factor in lost business and tarnished brands, which have a longer tail. One estimate put the damage of software bugs to the economy at more than $2 trillion(link is external) a year.

Calculating ROI of continuous code testing should also consider other factors than just identifying and fixing defects. Here are some examples and the impact to calculating ROI:

■ Risk and liability: In critical industries, such as transportation, medical devices, industrial automation and controls, software failure can potentially cause injury and death. Consider the unintended acceleration accidents which precipitated the recall of four million Prius cars that cost Toyota $5 billion(link is external).

■ Brand and reputation: It can be hard to put a number to this kind of damage, but it is a large and growing problem as cyber crimes such as ransomware grow. Data breaches increased by 17% in 2021(link is external) and included a number of high profile cases such as the Log4J/Log4shell vulnerability.

■ Customer experience: User experience is a big selling point in many applications, so poor design, security or quality can doom the customer experience and cost organizations, since customers are spoiled for choice. Amazon found every 100ms of latency in their online applications costs them 1% in sales(link is external) and Google found a 500ms delay in search page results dropped traffic by 20%.

■ Patching and recalls: Remediation is a must when security vulnerabilities or defects are found, but it can be expensive and organizations are passing on huge costs to their customers, who have to spend time and money(link is external) on patch management of their software. But this is crucial, since every unpatched piece of code is a landmine that could harm both your organization and its customers.

■ Compliance: When there is a breach, regulators are never far behind. Software security failures at public companies attract the attention of the Securities Exchange Commission (SEC) or Federal Trade Commission (FTC), and can have consequences for failure to manage business risks. Equifax's data breach led to $575 million in fines(link is external) , Home Depot paid $200 million in another case and Capital One $190 million—and that's above and beyond the other costs and liabilities they faced.

■ Insurance premiums: The SolarWinds attack cost insurers more than (link is external) $90 million. Cybersecurity coverage is affected by software quality, safety and security, so insurers may begin taking a closer look at DevSecOps best practices and raising rates or even denying coverage to organizations that don't measure up.

The ROI of AST is clear: it paves the way to producing higher quality software, reduces costs upfront and downstream, and avoids the many potentially disruptive and very costly aftereffects of a digital mishap. By any measure, the numbers add up.