1 / 318
time's up — finish this card
Other keys: show •
Space: good •
1-4: rate •
0: skip •
5: flag •
6: invert
Topic
Security Requirements Fundamentals
Question
How does the cost of fixing a security bug change depending on when it's discovered in the software development lifecycle?
Answer
The later you find it, the more it costs — roughly exponential, from x1 in requirements to hundreds of times more in operations.
The cost climbs because a late-discovered flaw has already been built into design decisions, code, tests, documentation and live data — all of which must be unwound and re-verified:
| Phase | Cost Multiplier |
|---|---|
| Requirements | x1 (reference) |
| Design | x3 to x8 |
| Build | x7 to x16 |
| Test | x21 to x78 |
| Operations | x29 to x1615 (mean x250) |
Key takeaway: Fix security issues early - it's much cheaper to address them during requirements than in production.
or press any other key
Note saved — thanks!