Is Secure Development Training worth it? The answer is a very clear YES! Talk to application security professionals who have implemented effective Secure Development Training and they will tell you it has all but eliminated whole classes of vulnerabilities.
So let’s calculate the ROI of Secure Development Training.
To simplify things, we are going to remove from the equation the cost savings on bug bounty programs, the intangible reduction of risk to the organization and its brand (which could include loss of customers), and the potential cost of a breach caused by vulnerabilities in software (which costs $3.6 million on average).[1]
We'll focus on the nuts and bolts of the code itself.
Let's start by calculating the amount of code a developer writes in an average year. Estimates range from 10 lines of code (LOC) per day to 125 LOC per day.[2] We will use the average, 67.5 LOC per day. Assuming 250 working days after a two-week vacation, that is 18,125 LOC written per developer per year.
So how many vulnerabilities does that average developer contribute? To answer that we look at the number of vulnerabilities per 1,000 LOC, the defect density. A Coverity study found a defect density of 0.44 to 0.98.[3] Those figures come from running the Coverity scanner over open source code, and because a scanner does not find every vulnerability, the estimates are low for that reason alone. Even so, we will use the average of 0.71. With these numbers, a developer contributes approximately 12.86 vulnerabilities to the code base every year.
Let’s estimate that training is only 10% effective over the course of the year, meaning it prevents just 10% of the vulnerabilities a developer would otherwise introduce. We will use this figure for both the conservative and the realistic estimate, although we have found our training to have a higher effectiveness rate. At a conservative 10%, that is a reduction of 1.2 vulnerabilities per developer every year.
Now let’s translate that into time. One estimate is that fixing a vulnerability takes between 4 and 40 hours once you account for designing the fix, coding it, writing a unit test, re-testing with the fix in place, running the fixed code back through QA to make sure nothing unexpected broke, and finally re-running the pen test.[4] We will use the average of 22 hours in our calculations. Multiplying this by 1.2, we get 26.4 hours saved per developer each year.
One final number to consider: the average secure development training course takes about six hours to complete.
So those six hours of class time return 26.4 hours of saved developer time. That is a 4.4 times return, or a 4.4x ROI!
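The chain of estimates above is easy to re-run with your own figures. The following Python is an added worked example, not part of the original post: it implements the post's per-developer model as a function of its six inputs, runs it at the mid-point and at the low and high ends of the ranges the post quotes, and also solves for the break-even effectiveness (the smallest share of vulnerabilities the course must prevent to repay its own class time). Names and the low/high scenarios are this example's, the numbers are the post's.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Assumptions:
    loc_per_day: float        # lines of code written per developer-day
    working_days: int         # productive days per year
    defects_per_kloc: float   # defect density, defects per 1,000 LOC
    effectiveness: float      # share of defects the training prevents (0..1)
    fix_hours: float          # hours to remediate one defect end to end
    training_hours: float     # class time per developer


def hours_saved(a: Assumptions) -> float:
    """Developer hours saved per year, following the post's chain of steps."""
    loc_per_year = a.loc_per_day * a.working_days
    defects_per_year = loc_per_year * a.defects_per_kloc / 1000
    prevented = defects_per_year * a.effectiveness
    return prevented * a.fix_hours


def roi(a: Assumptions) -> float:
    """Hours saved per hour of class time; 4.4 here is the post's '4.4x'."""
    return hours_saved(a) / a.training_hours


def breakeven_effectiveness(a: Assumptions) -> float:
    """Smallest share of defects the training must prevent to repay its own
    class time. A value above 1.0 means it cannot break even on these inputs."""
    return a.training_hours / hours_saved(replace(a, effectiveness=1.0))


# The post's mid-point inputs, plus the low and high ends of its quoted ranges
# (10-125 LOC/day, 0.44-0.98 defects/KLOC, 4-40 h per fix); 250 days, 10%
# effectiveness and a 6-hour course are held fixed as in the post.
MID = Assumptions(67.5, 250, 0.71, 0.10, 22, 6)
LOW = Assumptions(10, 250, 0.44, 0.10, 4, 6)
HIGH = Assumptions(125, 250, 0.98, 0.10, 40, 6)

if __name__ == "__main__":
    for name, a in (("low", LOW), ("mid", MID), ("high", HIGH)):
        print(f"{name:>4}: {hours_saved(a):7.2f} h saved/yr, ROI {roi(a):6.2f}x, "
              f"break-even at {breakeven_effectiveness(a):.1%} effectiveness")
```

The mid-point scenario reproduces the post's roughly 4.4x, and at that mid-point the course pays for itself once it prevents about 2.3% of defects; the low-end scenario shows how strongly the result depends on the LOC, density and fix-time inputs, so substitute measured values from your own organization where you have them.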
Secure development training helps release production code faster and is more than worth the time and cost of the class.