WebApp Sec mailing list archives

Re: Web App Sec ROI


From: securityarchitect () hush com
Date: Sat, 30 Nov 2002 11:13:10 -0800


Hmmm....maybe so for a mom and pop's fish and bait shop, but not for a real e-commerce site.

Here's my thinking on some of the steps that need to take place:

Investigating incident and drafting written report and recommendation
Invoking the incident response team
Reporting to senior management
Invoking corporate communications to prepare press statement
Report to FBI
Determine and recommend appropriate fix
Incident response team agrees appropriate plan of action
Investigate incident (source etc)
Instigate fix
Test fix in dev
Test fix in QA
Test fix in Pre-Prod
Fix in Prod
De-brief

And that's just off the top of my head.

The best reports I have seen that make really good reading are from GOCSI and SANS. 

www.gocsi.com/press/20020407.html

says 223 companies reported $455,848,000 in losses.

This SANS report http://rr.sans.org/malicious/cost_code.php references some great reports that say $1 in prevention will save on average between $100 and $1000 in incidents.




On Sat, 30 Nov 2002 09:40:16 -0800 zeno <bugtraq () cgisecurity net> wrote:

In the same light as the Web App Sec Top Ten, does anyone know about any good studies or want to share their thoughts about the ROI of getting Web App Sec right in development?

How much does it cost to fix a typical problem like XSS or SQL Injection?

Probably 1 hour max for XSS problems (per hole) and about 1-1.5 hours for fixing SQL based holes. (I'm giving extra time.) So you figure maybe 50-150 an hour depending on who you're paying. (Obviously people getting paid more are probably able to fix the problem in half, or 1/4th, the time.)

How much does it cost each company for each incident (I see $16K for a virus incident used often)?

How much does it cost to do a secure code review of a web app before release?


etc, etc


-- 
Mark Curphey <mark () curphey com>







