“If you take the big, monolithic testing effort you currently have at the end, and you push it towards the beginning but it remains monolithic, you’re not going to get the dramatic increase in efficiency and decrease in cost you expect. It has to be an incremental effect.” — John Steven
One of the things I have recently been investigating is the true cost, the real cost, of security and how that changes based upon where in the application life cycle you are. I was talking with John Steven from Cigital and we agreed it might be good to record our thoughts to see where it leads.
“With security, it’s not a question of how far left you can get. It’s really a question of are you doing the right things at each step.” — John Steven
Listen to the full interview: John Steven – Measuring the Cost of Application Security
Highlights of our Discussion
00:45 – Source of current graphs on cost of application security
03:45 – How can you prove cost savings when including security earlier in the application life cycle
06:30 – Process vs technology
07:45 – How early in development should security be inserted
09:25 – Incremental security within the development process
12:17 – How do you measure the effect and efficiency of moving left
About John Steven, Internal CTO
John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing.
As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and led the Northern Virginia OWASP Chapter.
John contributed to the Hacking Exposed Mobile book and speaks regularly at conferences and trade shows.