Understanding Tangible ROI Through Secure Software Engineering

Sadly in this day and age, most application security is bolted on after a product is launched. It is weird but generally accepted software engineering principles hold that software flaws are less expensive to fix earlier in the application development process, but the same thinking isn't applied for application security. People don't understand how a properly documented threat model can really expose an application through its threat profile and find more critical vulnerabilities before a product launches, which has a similar cost/benefit as the ROI for finding normal software flaws. (In my opinion even more savings due to reputation and credibility loss, customer risk etc that are more exposed when not done)

There is a short paper on the subject that examines if cost savings justify an early investment in secure software engineering. Entitled Tangible ROI Through Secure Software Engineering it examines return on security investment by looking at security defect remediation costs and cost multipliers to the entire process.

The paper itself was published back in 2001, but the content still applies today. If you have any interest in understanding if there is a tangible ROI in secure software programming, consider reading this paper.