Benjamin Tomhave wrote:
> ... we're looking for hard research or numbers that cover the cost to
> catch bugs in code pre-launch and post-launch. The notion being that the
> organization saves itself money if it does a reasonable amount of QA
> (and security testing) up front vs trying to chase things down after
> they've been identified (and possibly exploited).
Ben,

Not sure if this is what you are looking for or not, but back in the mid- to late-1980s or so, John Musa, a DMTS at Bell Labs, wrote up a couple of papers that showed this data, although this was in the more general context of software quality assurance and not specific to security testing. I'm pretty sure that Musa published something in either one of the ACM or IEEE CS journals and included some hard data, collected from a bunch of (then AT&T) Bell Labs projects.

IIRC, the main finding was something like the cost was ~100 times more to catch and correct a bug during the normal design / coding phase than it was to catch / correct it after post-deployment.

Can't help you much more than that. I'm surprised I remembered that much! :)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788

"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________