WebApp Sec mailing list archives
Re: Web App Sec ROI
From: securityarchitect () hush com
Date: Sat, 30 Nov 2002 11:13:10 -0800
Hmmm....maybe so for a mom and pop fish and bait shop, but not for a real e-commerce site. Here's my thinking on some of the steps that need to take place:

- Investigating incident and drafting written report and recommendation
- Invoking the incident response team
- Reporting to senior management
- Invoking corporate communications to prepare press statement
- Report to FBI
- Determine and recommend appropriate fix
- Incident response team agree appropriate plan of action
- Investigate incident (source etc.)
- Instigate fix
- Test fix in dev
- Test fix in QA
- Test fix in Pre-Prod
- Fix in Prod
- De-brief

And that's just off the top of my head.

The best reports I have seen that make really good reading are from GOCSI and SANS. www.gocsi.com/press/20020407.html says 223 companies reported $455,848,000 in losses. This SANS report http://rr.sans.org/malicious/cost_code.php references some great reports that say $1 in prevention will save on average between $100 and $1000 in incidents.

On Sat, 30 Nov 2002 09:40:16 -0800 zeno <bugtraq () cgisecurity net> wrote:
>> In the same light as the Web App Sec Top Ten, does anyone know about any good studies or want to share their thoughts about the ROI of getting Web App Sec right in development? How much does it cost to fix a typical problem like XSS or SQL Injection?
>
> Probably 1 hour max for XSS problems (per hole) and about 1-1.5 hours for fixing SQL based holes. (I'm giving extra time.) So you figure maybe 50-150 an hour depending on who you're paying. (Obviously people getting paid more are probably able to fix the problem in half, or 1/4th, the time.)
>
>> How much does it cost each company for each incident (I see $16K for a virus incident used often)? How much does it cost to do a secure code review of a web app before release? etc, etc
>>
>> -- Mark Curphey <mark () curphey com>