Quiz Entry - updated: 2026.07.14
How does the cost of fixing a security bug change depending on when it's discovered in the software development lifecycle?
The later you find it, the more it costs — roughly exponential, from x1 in requirements to hundreds of times more in operations.
The cost climbs because a late-discovered flaw has already been built into design decisions, code, tests, documentation and live data — all of which must be unwound and re-verified:
| Phase | Cost Multiplier |
|---|---|
| Requirements | x1 (reference) |
| Design | x3 to x8 |
| Build | x7 to x16 |
| Test | x21 to x78 |
| Operations | x29 to x1615 (mean x250) |
Key takeaway: Fix security issues early - it's much cheaper to address them during requirements than in production.