If you've read this blog before, you already understand the security benefits of frequently reviewing code and other vulnerabilities early and often. But implementing code review best practices has other benefits beyond software security. When it comes to the bottom line, it can bring big positives — often without forcing any major changes to company operations.
For proof, look no further than this recent CA Veracode/Forrester case study, in which committing to code review best practices helped a Global 2000 financial services company secure outsourced and internally developed applications, ultimately improving the business's finances. Even if changing to a more secure mindset isn't a big concern for your company (and it should be), the impacts described here might change your mind about the benefits of fixing early and fixing often.
Manual testing can get expensive really fast. Just look at the M after the number 3. There are more than a few execs who'd go to extreme lengths to shave $3 million off their company's operational costs, let alone off one department's spending.
Part of the savings came from the ability to fix flaws early during development because automated testing is more easily integrated with development tools. The longer you wait to find and address security flaws, the more expensive they are to fix. Waiting until after deployment to catch errors is a vestigial practice from the old days of software development.
To that end, while fixing legacy applications doesn't fall under the "fix early" banner by definition, note that the study includes the cost of remediating older (but still crucial) software in that $3 million savings. Here, the trick was binary static analysis. Since the company couldn't access the source code of many legacy apps it depended on, it relied on a manual approach — at least it did until static testing made it easier to catch vulnerabilities and mitigate them without having access to source code.
Couple that with the added security benefits of a hardened application layer (where attackers are most likely to strike), and you'll see that your firm has no reason not to arm those older apps against future threats.
The same benefits that apply to first-party apps apply to outsourced software. Tracking and logging vulnerabilities for future updates can be costly, as can retesting once live software is updated; catching those same errors earlier (and doing it via an automated, continuous system) saved the company in CA Veracode and Forrester's study $1.98 million.
Catching errors early also improved the quality of the firm's third-party code by 60 percent, another huge benefit on the bottom line. Objective, number-based scorecarding makes it easier for companies to negotiate future projects with their third-party vendors, potentially reducing future costs and incentivizing partners to improve the quality of their work even as they develop. Considering the costs saved by general skill improvement, it's easy to see how one improvement in code review best practices can influence others.
Software developers everywhere are staunchly focused on time to market because it's one of the most impactful figures on a company's bottom line. Adhering to code review best practices like fixing early and often saved the Global 2000 financial services firm somewhere between $976,200 and $1,952,400, a fact which illustrates the importance of catching security errors as early in the SDLC as possible and remediating the conceptual mistakes that cause them.
The benefits here are cyclical. When a company introduces a new application to existing workflows, it's because that application will either make money or save money for the company. As a result, introducing that product as quickly as possible is a top priority. On the other side, less time spent developing software is less time spent paying for a given project. And finally, on-demand coaching and tailored remediation help prevent similar errors in the future, further cutting development costs on future projects.
It's easy to get caught up in the immediate perks of enhanced security, but these bottom-line benefits are nothing to scoff at. Perhaps even more surprising? The numbers listed here aren't the whole story: Committing to a "fix early, fix often" mindset reduced the financial firm's cost per error by $60, for instance, and drastically reduced the number of errors per megabyte in future projects on top of that.
The benefits of a secure mindset are immediately noticeable, whether your professional interests lie in code or cash. Saving money by implementing better security practices may sound like a strange goal — but it isn't an unobtainable one, as these numbers show.
Photo Source: Flickr