Finally, a Real Return on Security Spending

Right now, Hoover contains more than 500 data entries from nearly 100companies. Participants in the study, such as Bedford, Mass.-based RSAand Fairfax, Va.-based WebMethods, wanted to assess how securely theywere building their software and how to do it better.

First, the Hoover group focused on the ROSI of secure softwareengineering. The group wanted to prove a concept that seems somewhatintuitive: The earlier you build security into the softwareengineering process, the higher your return on that investment. Andprove it they did.

It took 18 months of letting Hoover suck up data from @Stake's clientsto create a representative sample of the entire software landscape.Data in hand, they looked for previous research to base their work on.There was little, so they made a critical assumption, which unlockedthe study's potential. The team decided that a security bug is nodifferent than any other software bug.

Suddenly, security was a quality assurance game, and there was a tonof existing data and research on quality assurance and software. Forexample, one bit of research they used came from a widely accepted1981 study that said that spending a dollar to fix a bug (any bug) inthe design process saves $99 against fixing it duringimplementation.

"The idea of security software as quality assurance is extremely new,"according to team member and Stanford economics PhD Kevin Soo Hoo."Security has been an add-on at the last minute, and detectingsecurity problems has been left to users." And, of course,hackers.