LOGBOOK

HELP

1 / 318
time's up — finish this card
Other keys: showSpace: good1-4: rate0: skip5: flag6: invert
Topic Security Requirements Fundamentals

Question

How does the cost of fixing a security bug change depending on when it's discovered in the software development lifecycle?

Answer

The later you find it, the more it costs — roughly exponential, from x1 in requirements to hundreds of times more in operations.

The cost climbs because a late-discovered flaw has already been built into design decisions, code, tests, documentation and live data — all of which must be unwound and re-verified:

Phase Cost Multiplier
Requirements x1 (reference)
Design x3 to x8
Build x7 to x16
Test x21 to x78
Operations x29 to x1615 (mean x250)

Key takeaway: Fix security issues early - it's much cheaper to address them during requirements than in production.

or press any other key