Abstract

The software industry has been under pressure to adopt security practices and reduce software vulnerabilities. Yet despite the recognized importance of secure software development, such practices have not been broadly embraced. Cost is frequently cited as a barrier, although studies show a lack of knowledge about the amount of resources needed to achieve a given level of security assurance. This study quantifies the effort required to develop secure software at increasing levels of rigor and scope. We first developed an ordinal scale to quantify the degree to which security practices are applied. Next, we built a statistical cost model based on a data set of 1140 maintenance projects from two large companies. Calibrating the model revealed that applying software security practices increases the estimated cost by 19% additional effort at the first level of the scale, rising to 102% additional effort at the highest level. These results suggest that the effort required to develop secure software is lower than previous studies estimated, especially in the domain of Information Systems. This research builds on previous work on cost models for secure software development and goes one step further by providing empirical validation. Practitioners can use the resulting model to estimate the resources needed to adopt security practices. Additionally, the validated cost multipliers are an important input for research on investment models for secure software development.
