Software Security Programs May Not Be Worth the Investment for Many Companies

SAN FRANCISCO–The discipline of software security has been gaining traction in a lot of organizations both large and small in recent years, thanks in part to the success that vendors such as Microsoft, Adobe and others have had with it. However, for many companies, the time and money spent on software security initiatives could be put to better use simply fixing flaws after products ship or are deployed, an expert said during a constructed debate.

SAN FRANCISCO–The discipline of software security has been gaining traction in a lot of organizations both large and small in recent years, thanks in part to the success that vendors such as Microsoft, Adobe and others have had with it. However, for many companies, the time and money spent on software security initiatives could be put to better use simply fixing flaws after products ship or are deployed, an expert said during a constructed debate.

For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove to be valuable and provide a measurable return on investment, but that’s probably not the case for smaller enterprises, said John Viega, executive vice president of products, strategy and services at SilverSky and an authority on software security. Viega, who formerly worked on product security at McAfee and as a consultant at Cigital, said that when he was at McAfee he could not find a return on investment for software security.

“As far as we could measure, it was an absolute waste of money,” he said during a panel discussion with Brad Arkin, the senior director of security, standards, open source and accessibility at Adobe, at the RSA Conference here Wednesday. The panel was a constructed argument, with Viega taking the devil’s advocate position that software security programs are not worth the investment. “For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Viega said that during one of the years he was at McAfee, the company had three publicly disclosed security flaws and it cost less than $50,000 total to deal with all three, including communications, QA and other costs. A comprehensive software security program, by contrast, could cost seven figures and produce even more costs in terms of productivity losses, he said.

“There’s a whole class of companies where it doesn’t make sense to do anything, or just to do the bare minimum,” Viega said.

However, for a company such as Adobe, whose products run on more than a billion PCs and are under constant assault from attackers and security researchers, it’s a story. There, software security is a major part of the product development process and also includes training for developers.

“An exploit that works against Reader or Flash puts more than a billion computers at risk. The cost of getting those fixes out is so high that we need to invest everything we can to fix those problems before we ship,” said Arkin. “We train far and wide. The chances are that most people who come to us have no security training, so raising the security IQ is a really good thing in our environment.”

Arkin said that while Adobe spends considerable time and money every year finding and fixing vulnerabilities in its products, that doesn’t mean that his team obsesses about every small flaw. Rather, they spend their time looking for ways to defeat attackers’ exploits against large swaths of bugs.

“If you’re fixing every little bug, you’re wasting the time you could’ve used to mitigate whole classes of bugs,” he said. “Manual code review is a waste of time. If you think you’re going to make your product better by having a lot of eyeballs look at a lot of code, that’s the worst use of human labor.”

The security development lifecycle processes used at some large software companies–notably Microsoft–also probably aren’t the best use of resources for smaller development organizations, Viega said.

“I know dozens and dozens of companies who look at the SDLC and say, ‘Are you kidding me? This would put me out of business.’ Training is a total waste of money. Most people don’t want to be in the room. Training the average developer is an absolute waste of time,” Viega said.

Fixing the problem of vulnerabilities in commercial software has been a topic in the industry for decades, and there has been some talk in recent years of the possibility of legislation to address it. Both Viega and Arkin said that any law designed to regulate software security would be useless.

“Legislation is a terrible idea. I have three letters for you: PCI. Thank God we’ve never had another credit card compromise after that was put in place,” Arkin said, referring to the PCI-DSS security standard developed by the payment card providers. Any legislation would be so outdated by the time it’s printed it would be laughable. Would anyone want to see the government’s language on preventing buffer overflows?”

This post was edited on Feb. 28 to clarify that the panel was a constructed debate.

Suggested articles


  • Atavistic Jones on

    Is he trying to troll?

    Good to hear devil's advocate arguments, but... McAfee is a security company, if they have a security issue, they can blow it off. So what if there are unknown security issues in our software? It effects our customers, not us!

    I know for a fact McAfee was doing security before Viega was there. So, how can you measure security bugs not found because proper security was in place? One thing he could do is (childish voice) "use your imagiinnnaaation".

    They have a popular IPS, if there was a major unknown security hole in that found, likely could be remote compromise. Remote compromise of all McAfee IPS products would be bad.

    But they have secure code so that did not happen.

    He could try looking at costs in that way.

    Isn't that in "duh" territory?

    Legislation... that just effects the US. They could pass laws, or simply continue to sue companies that are negligent in damage. Like the FCC did with HTC just the other day. Or allow consumers to sue companies who were negligent -- despite whatever EULA may be in place.


  • Visitor on

    If the developers never get trained on securing their code, how does the industry ever get past the swiss cheese state that it is in?  This isn't a technical problem, it is a culture problem.


  • Anonymous on

    Okay, it doesn't make financila sense then for smaller companies to devote excessive time to making their software secure.  However, it does make sense for them to ensure that their software meets minimum standards of useablilty and general security.  I'm sure there are tools available for this--including tools that can check for common exploits like SQL injection, etc..  I would also expect that industry organizations can help their members meet the minimum standards.




  • D.v.H. on

    Adobe has success with software security ? did i miss something ?? they fail(ed) to get their high profile flash-plugin and acrobat reader secure - high priority patches twice a month.

    "...doesn't mean that his team obsesses about every small flaw" - wrong mindset - fire them all! These are the guys who keep the doors wide open for hackers from china, ukraine, russia, iran and elsewhere.

    " .. Training the average developer is an absolute waste of time, .. "  - so he admits Adobe has untrained average programmers working on software deployed on hundreds of millions of computers.

    McAfee? So they dont have a real software security program? they react rather then prevent? that might have been possible in the early 90's - but not in these days of stuxnet and it's younger siblings. - sorry - this disqualifies McAfee for serious applications.


  • Matt Bateman on

    Seems to me the problem isn't solely the cost... and why is it a bad thing that companies who choose to take short cuts and produce crappy code putting their customers at risk go out of business? Sounds like natural selection to me. If I get hacked because of using a specific program/website/app, then I am likely never using that program again. This point (at least in the article) is completely glossed over, and given the increasing cost of customer acquisition, plethora of comparable options and consumer 'fickleness' this is certainly relevant.

    IMO as someone who has been in charge of implementing such a program for a global organization, Software security is simply the natural extension of quality control and quality management. However, it is incredibly difficult to justify the upfront costs especially if there has been minimal previous investment without consequence. Not to mention how hard it is to actually implement a successful program and measuring the results. There is still a massive gap in understanding at the C-level and a significant lack of social responsibility in this area.

    While, I agree that legislation isn't the right answer, at least in the USA we have significant laws that cover class actions against companies that produce defective products, which includes defects related to forseeable misuse of the purchased product. Seems like software companies should have to face the same circumstances as producers of physical goods... then the 'value' would be obvious and ROI calculations or more likely cost-benefit scenarios would force them into line.

    It would be a lot easier to justify a few more employees or $$$ if the threat of potentially bankrupting lawsuits hung overhead...

  • Anonymous on

    I would love to know how the panelist arrived at $50,000 figure. How does he measure loss of a users credit card number? How do you measure bad press? Even if we buy his number ($50,000), that is the cost to deal with the issue, not necessarily the cost to the organization. If a software flaw allows a user to buy 5  products at the price of 1 and the cost of "fixing" the flaw is $50,000, the amount of money the company lost is 50,000 + (cost of 4 items) * (number of times the vulnerability was exploited). 

  • Raju on

    Data storage how it is important for us, data security,protection,maintainance is also important.
  • Anonymous on

    What a dumb argument .. (Viega's ROI estimate)

    Of course the ROI is small when you don't take into account the financial damage caused to your customers, which you should. Moreover, building an inherently unsecure product by a security company is the craziest idea I've heard so far.

  • Anonymous on

    McAfee the company has about as much creditibility left as its founder does for good citizenship. The company was alway a bunch of marketing hustlers. Use your head, don't listen to fools, and whatever you do, don't give those folks your money.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.