A customer asked whether there are any numbers or studies on the cost of rewriting apps for better security versus front-ending them with AppFW. So I did some research by actually talking to the people who develop the apps, to security development managers, and to the finance folks who do the budgeting. I went directly to my friends in US-based teams who are developers and developer managers writing these apps.

Here is what I found. One Development manager hired a 3rd-party consultant to analyze the app for all of its vulnerabilities. Two consultants charged $230/hour and required 3 weeks to complete their assessment, so the cost just to learn what the issues/vulnerabilities are came to around $55K for 3 weeks for one application. The next step for the Development manager is to fix the issues/vulnerabilities found. This depends on the number of issues found, the scope of each issue, and the experience of the developer fixing them. Based on the most experienced engineering consultants (US-based), an engineer will charge around $100/hour. When I was in engineering, some bugs took a few hours and some took a few days, plus time for verification, so the cost can vary tremendously between applications. For typical software releases I've done in the past at different companies, a maintenance window of bug fixes for a software release can be between 3 and 6 months depending on the number of developers. Based on a security developer's experience in the US, let's go with 2 engineers for 1 month plus 1 test engineer for 1 month for the security bugs. The estimate for just the security fixes alone for one application will be around $48K (assuming the issues are not too difficult). Thus, a total of over $100K to assess the app and make the changes within 2 months with 3 engineers (with the hope that all the issues found were fixed and verified properly).

To top it all off, after fixing all the issues/bugs/vulnerabilities, the Development manager needs to maintain the app and ensure that any new changes or additions also go through the same security process. Here is a document from CPNI (Centre for the Protection of National Infrastructure) to give folks an idea of the extensive processes that should be in place to ensure web applications are secure throughout implementation:

In summary, per this document, there are many processes required to ensure security in applications. These include, but are not limited to, the following:

– Creating security requirements, design and quality goals
– Implementation
– Verification
– Release
– Incident response
– Incorporating security tools and processes to reduce vulnerabilities from the beginning and through maintenance releases

With AppFW, the user can make rule changes immediately, per application, to the rules they have set. This is a lot more adaptive: as new vulnerabilities are found in any app, the protection can be updated quickly without making changes to the app itself. For more AppFW info, such as NetScaler AppFW, click here.