Is Secure Development Training worth it? The answer is a very clear YES! Talk to application security professionals that have implemented effective Secure Development Training and you will hear that it has been effective in just about eliminating whole classes of vulnerabilities.
Let’s calculate the ROI of Secure Development Training. To simplify things, we are going to ignore the cost savings on bug bounty programs, the reduction of risk to the organization and the organization’s brand (which could include loss of customers), and the potential cost of a breach due to vulnerabilities in software (which costs $3.6 million on average).1
First, let’s calculate the amount of code that developers write in a year. Estimates range from 10 lines of code (LOC) per day to 125 LOC per day.2 We will use the average to get 67.5 LOC. Assuming 250 working days with a 2 week vacation that is 18,125 LOC written in a year per developer.
So how many vulnerabilities does that average developer contribute to code? To answer that we look at the number of vulnerabilities per 1,000 LOC, or defect density. According to a study by Coverity they found a defect density of 0.44 to 0.98.3 These estimates are using the Coverity Scanner and open source code. Their scanner does not find all vulnerabilities so the estimates are low based on that alone. However, we will use the average of 0.71. Given these numbers we calculate that a developer will contribute approximately 12.86 vulnerabilities in code every year.
Let’s estimate that training is only 10% effective over the course of the year. This means that training will help reduce just 10% of vulnerabilities in code. We will use this for both the conservative and realistic estimate. Although, we have found our training to have a higher effectivity rate. Using 10%, there is a reduction of 1.2 vulnerabilities per developer every year.
Let’s now translate that into time. One estimate is that it takes between 4 to 40 hours to fix a vulnerability when taking into account coming up with the code fix, coding it up, writing a unit test, re-testing with the fix, running the fixed code back through QA to make sure nothing unexpected broke, and finally re-running the pen test.4 We will use the average of 22 hours in our calculations. Multiplying this by 1.2 we get 26.4 hours are saved per developer.
So HackEDU’s 6 hour class returns 26.4 hours of time. That is a 4.4 times return or 4.4x ROI!
Secure Development Training can actually help release production code faster and is more than worth the time and cost of the class. So engineering organizations should be on board with having training because it will save time, they can release more code, and their product will have a better reputation with the reduction of vulnerabilities.