Justifying Security Testing in QA

Summary:

As corporate budgets remain tight, most of us are tired of always having to justify additional spending. When security testing pops up on your QA radar, you probably realize that more people and money are needed to make it a reality. But what your boss really wants to see in your plan is a return on investment. In this week's column, Ryan English will help you set up the facts before you try to justify security testing in QA to your manager.

Costs Versus ROI
Before estimating what security testing will cost, you have to understand the additional human resources that are needed. Many companies that test applications for security defects in QA do so at least twice for every planned release. The first automated test is run as soon as a build is delivered from the development team, so that security defects can be identified and assigned to developers for immediate remediation. The second scan is usually run on an updated build several days before the application is pushed to staging and production. The purpose of the second scan is to ensure that the previously identified security defects have been fixed and that no new security defects have been introduced by the development team.

The two-scan approach is common in organizations that are doing weekly or monthly production releases. An automated security test typically takes fifteen minutes to set up and a couple of hours to review security defects and assign to the appropriate developers. Most companies will expand the role of a current employee so that additional head count is not needed. Other organizations create a full-time QA security position that spans multiple projects, as a full-time QA security tester is usually too much for a single project. Estimating that a quarter of a QA professional's time is devoted to security testing is probably most accurate.

According to Career Builder, the average cost for a QA professional is $69,000 a year. When you have a QA person test for security vulnerabilities in a single application, you are looking at an added expense of $17,250 a year.

How Much Are Your Tools Worth?
Another important cost to include in your calculations is the price of any automated security assessment tool you may utilize. These assessment tools are usually priced per named user and are unlimited in the number of applications they can scan. Vendor prices for QA security products typically range from $4,000 to $12,000 per user, plus 20 percent of the cost for additional maintenance. If you take the average product, which costs $8,000 plus maintenance, and spread the costs across five years, you could be looking at a total product cost of $3,200 a year. Therefore you should expect that each project will cost roughly $20,450 per year to include security testing, which includes both product and human resource expenses.

Doing Nothing Can be Very Expensive
Now that the costs for security testing in QA are clearer, let's look at the cost of doing nothing in QA. Doing nothing really leaves your company with two options. The first is to wait until the application is in production and let a security auditor find defects. The second is to leave the work of finding security defects up to the hackers.

If you're familiar with the SDLC cost-justification curve, then you know it doesn't make sense to wait until production to find security vulnerabilities. Gartner states that the cost to fix a security vulnerability found in production is 6.5 times higher than one found in QA. A single security defect that may have cost only $150 if found in QA could easily cost an organization $975 if found in production. If your QA group finds a minimum of twenty-one security defects a year, then you will break even on your security investment.

If you choose to leave the work up to hackers, the potential damage costs are much higher. Card Systems, which once processed more than $15 billion annually in credit card transactions, closed its business and sold off assets after being involved in a major application-security breach. Card Systems is a worst-case scenario, of course, but other companies such as Eli Lilly, Victoria's Secret, and Go Daddy have all taken financial hits as a result of getting hacked. Victoria's Secret's Web site was shut down during the Christmas shopping season--and the company was fined $50,000 by the federal government--after hackers found an easy way to review customers' order information.

The Preventative Argument
All the information and arguments presented in this article should provide a good start to your efforts in justifying security testing in QA. It is cheaper to find vulnerabilities in QA than in production, and the cost of being hacked is almost immeasurable. Nobody wants to have a Web site shut down or customers' personal information revealed by a hacker. With these risks in mind, addressing security in QA makes perfect financial and business sense.

About the author

Ryan English

Ryan English is the group product manager for SPI Dynamics, where he oversees product strategy and direction for the company's development lifecycle security-testing products. Ryan is a seasoned speaker on the topic of Web application security testing and has spoken at several quality assurance industry events, including Software Test & Performance Conference, STAREAST, STARWEST, Mercury World, IBM Rational Conference, and various user groups and associations.