March 2, 2015

How Code Review Best Practices Saved One Company Millions

If you've read this blog before, you already understand the security benefits of reviewing code and catching vulnerabilities early and often. But implementing code review best practices has other benefits beyond software security. When it comes to the bottom line, it can bring big positives — often without forcing any major changes to company operations.

For proof, look no further than this recent Veracode/Forrester case study, in which committing to code review best practices helped a Global 2000 financial services company secure outsourced and internally developed applications, ultimately improving the business's finances. Even if changing to a more secure mindset isn't a big concern for your company (and it should be), the impacts described here might change your mind about the benefits of fixing early and fixing often.

$3 Million: Costs Saved on Manual Security Assessments

Manual testing can get expensive really fast. Just look at the M after the number 3. There are more than a few execs who'd go to extreme lengths to shave $3 million off their company's operational costs, let alone off one department's spending.

Part of the savings came from the ability to fix flaws early during development because automated testing is more easily integrated with development tools. The longer you wait to find and address security flaws, the more expensive they are to fix. Waiting until after deployment to catch errors is a vestigial practice from the old days of software development.

To that end, while fixing legacy applications doesn't fall under the "fix early" banner by definition, note that the study includes the cost of remediating older (but still crucial) software in that $3 million savings. Here, the trick was binary static analysis. Since the company couldn't access the source code of many legacy apps it depended on, it relied on a manual approach — at least it did until binary static analysis made it easier to catch vulnerabilities and mitigate them without having access to source code.

Couple that with the added security benefits of a hardened application layer (where attackers are most likely to strike), and you'll see that your firm has no reason not to arm those older apps against future threats.

$2 Million: Costs Saved on Vulnerabilities in Third-Party Code

The same benefits that apply to first-party apps apply to outsourced software. Tracking and logging vulnerabilities for future updates can be costly, as can retesting once live software is updated; catching those same errors earlier (and doing it via an automated, continuous system) saved the company in Veracode and Forrester's study $1.98 million.

Catching errors early also improved the quality of the firm's third-party code by 60 percent, another huge benefit on the bottom line. Objective, number-based scorecarding makes it easier for companies to negotiate future projects with their third-party vendors, potentially reducing future costs and incentivizing partners to improve the quality of their work even as they develop. Considering the costs saved by general skill improvement, it's easy to see how one improvement in code review best practices can influence others.

$1 to $2 Million: Costs Saved by Improved Development Skill and Speed

Software developers everywhere are staunchly focused on time to market because it's one of the most impactful figures on a company's bottom line. Adhering to code review best practices like fixing early and often saved the Global 2000 financial services firm somewhere between $976,200 and $1,952,400, a fact which illustrates the importance of catching security errors as early in the SDLC as possible and remediating the conceptual mistakes that cause them.

The benefits here are cyclical. When a company introduces a new application to existing workflows, it's because that application will either make money or save money for the company. As a result, introducing that product as quickly as possible is a top priority. On the other side, less time spent developing software is less time spent paying for a given project. And finally, on-demand coaching and tailored remediation help prevent similar errors in the future, further cutting development costs on future projects.

More Secure — and More Lucrative

It's easy to get caught up in the immediate perks of enhanced security, but these bottom-line benefits are nothing to scoff at. Perhaps even more surprising? The numbers listed here aren't the whole story: Committing to a "fix early, fix often" mindset reduced the financial firm's cost per error by $60, for instance, and drastically reduced the number of errors per megabyte in future projects on top of that.

The benefits of a secure mindset are immediately noticeable, whether your professional interests lie in code or cash. Saving money by implementing better security practices may sound like a strange goal — but it isn't an unobtainable one, as these numbers show.


Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.
