This article demonstrates how a true cost/benefit for secure software can be derived using three generic practice areas: (1) threat/risk understanding, (2) implementation of security requirements, and (3) operational security testing. Having an accurate cost for these aspects of the software assurance process would allow decision makers to make intelligent decisions about the level of investment they wish to make.

WHY WE NEED TO DISTINGUISH SOFTWARE DEVELOPMENT FROM SOFTWARE ASSURANCE

The aim of this article is to demonstrate how a common valuation model can be used to make a dollars-and-cents business case for software assurance. To do that, however, it is first necessary to explain why the cost elements of software assurance have to be differentiated from those of traditional software development.

A precise delineation of the cost elements of secure software assurance is required because the total cost of anything is the sum of the costs of its parts. Unfortunately, there is no commonly agreed-on line of demarcation between the activities that constitute software assurance and those associated with producing a correct product. It should be apparent that the cost of producing the product is different from the cost required to make sure that the product is secure. Yet when it comes time to assign the actual cost associated with each process, the distinction between product quality assurance and product security gets lost.

Profit margins drive most business decisions. That is why it is so dangerous to over-inflate the price of secure software. Price inflation happens because businesses tend to confuse the costs required to guard against exploitation with the much greater costs of producing a correct product. The fact that defects are a given in software does not change the ethical obligation of the maker to produce

Antonio Drommi