The ROI of developer driven security

Published Feb 03, 2023
by Secure Code Warrior
tl;dr?

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

small plant growing from a soil of coins
Learn how investment in developer-driven security will not only save on the expense of expensive breaches, the loss of productivity, and accumulated tech--debt, but create a proactive and cost-effective strategy to stay ahead of today’s threat landscape.
small plant growing from a soil of coins

The Cost of Poor Code 

Leaps in technology are making it easier than ever for developers to ship code faster than ever before. This can be exciting for innovation, but daunting when it comes to scaling up the quality and security in software. Justifying the costs of additional tools, training programs, and investment in upskilling developers can seem like a “nice-to-have” vs. a critical business function if the velocity of the code being shipped is maintained.  

Shipping code faster may have gotten easier, but unfortunately shipping secure code hasn't -  leaving organizations vulnerable to more threats than ever. The cost of cybercrime is staggering across the globe, and it’s rapidly increasing. In fact, in 2020, the cost of cybercrime was approximately $1 Trillion. On average the cost of a data breach is $4.35M - spreading across lost business from current customers and potential customers, as well as resources spent handling the detection, escalation and rework. 

Despite these astronomical costs, over half of organizations do not require developers to do formal secure-code training annually.

Security professionals all know that it can feel like playing a game of whack-a-mole when it comes to finding and fixing vulnerabilities. Even if you already have a security program with a remediation strategy, there's always an opportunity for improvement. Most organizations find that when their disaster recovery or backup capability is put to the test, their approach to security is not as robust as they once thought. If strengthening your organization’s resilience from cyberattacks is one of your top priorities, shifting the perspective left to your developers should be within your plans to continue improving your security posture. A skilled, empowered developer team that builds secure code from the start, and is knowledgeable enough to locate and fix vulnerabilities rapidly is your most cost-effective means of mitigating risk.   

A misconception when it comes to developer education is that it's simply a cost to the business or even an insurance policy. According to Klaus Klaus Klinger, DevSec Awareness Evangelist at Allianz, “The whole thing has to start in the heads of management. Investing in the training of developers is not a lost investment, but an investment into quality, productivity, and the reputation of the company”.

ROI can often be difficult to quantify in this space, but ultimately what organizations should be thinking about is how their security posture helps them to reduce risk, streamline their approach, and save time and productivity for their developer teams. 

How can one Quantify ROI in Cybersecurity Costs?

When it comes to ROI, it’s important to think about it in two different frames: the cost savings of mitigating risk vs. the impact of your security training.

Let’s consider this all-too-common example: a vulnerability or breach causes an e-commerce site to be forced offline for several days while its teams search for the problem and how to fix it. The cost of the failure to remediate can be quantified in lost revenue during the outage, the impact of stolen credentials, the loss of customer trust (resulting in long-term reduced sales), and the overall productivity lost while fixing the problem. 

This really boils down to a cost/benefit analysis. The key areas you will want to assess are your company’s security maturity level, your company’s risk acceptance levels, and the areas in your code that need to be maintained or improved.

People often focus on the wrong metrics to determine success and value. Perhaps we should concern ourselves less with the return on the initial investment of the program, and instead, measure the impact of the program itself. 

Measure to Prove Impact

In order to establish ROI, you have to create measurable goals. This begins with assessing your developers’ secure coding knowledge and understanding where they need to grow their skills. 

A starting point would be to measure engagement to help you to make strategic decisions as to how to build richer training programs. Most importantly - measure the impact. Start by looking at the number of weaknesses that get picked up in the software development life cycle through code analysis, bug bounties, or classic vulnerability testing before you start the program in each team. One of the simplest ways to know your training program is having the desired outcome is by measuring the decrease in vulnerabilities being introduced into your codebase overall.

Top Questions to Assess ROI:

1. Are we streamlining our approach?

Are you throwing more tools at the problem or solving it at its root cause? Adding more tools to your tech stack creates a “swiss cheese” method approach to finding and fixing vulnerabilities. They also increase operational costs with little impact on the source of many vulnerabilities - the code. Though scanning and pentesting tools should absolutely be a part of your arsenal, they should not be your last line of defense. 

2. Are we improving efficiency and productivity?

Time spent on exhaustive code reviews and reworks from code sent back from AppSec can result in a major loss of productivity. Reducing fire drills by empowering and enabling developer teams to be hands-on with their secure code training should be a good benchmark for assessing the positive impact of your security program. 

3.Are we lowering risks?

Finding and fixing a vulnerability can be like solving a large puzzle, which sometimes can take days, weeks, or even months to complete with a robust solution. Empowering developers to own remediation at the source lets AppSec focus on risk monitoring and strengthening the security posture of the organization.

4. Are we increasing velocity (but still maintaining quality)?

Shipping code quickly is not always a good thing. Cutting corners and introducing vulnerabilities into the code can create many headaches in the future and accumulate technical debt. Short-term thinking is not the answer here. One can mitigate risk by securing their code from the start, so that the problem doesn’t compound itself in the future. 

Recommended Metrics to Track:  

  • Engagement - how much time are you budgeting for training and how are developers engaging? Are they completing courses, assessments, and participating in tournaments? 
  • Skills - where are the areas of strength? What areas have you identified as needing improvement? 
  • Vulnerability reduction - have you noticed a measurable decrease in vulnerabilities during code review? Are you seeing less rework come back from AppSec? 
  • Productivity - how long does it take to remediate an issue? Have you noticed an increase in productivity or velocity with vulnerability reduction? 


Create Value By Shifting Left

Breaches and vulnerabilities have been rapidly increasing each year. It's important to start proactively building a holistic approach to security - starting first with your code. This will help to: 

  • Reduce complexity by investing in your most valuable resources - your people, instead of throwing money at tools that only solve part of the problem 
  • Improve efficiency and overall effectiveness by limiting rework or fixes that would normally be identified by AppSec after the code is deployed 
  • Mitigate risk and achieve compliance, avoiding costly fines, the loss of customer trust, or worse - the cost of a data breach 

Avoid short-term thinking and quick fixes. They can only result in technical debt and more costs down the road. Plan for the long term by harnessing the power of upskilling and enabling your developers to be your best line of defense against vulnerabilities and cybercrime, and see the impact and cost savings for yourself.

View Resource

Interested in learning more?

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Want more?

Dive into onto our latest secure coding insights on the blog.

Our extensive resource library aims to empower the human approach to secure coding upskilling.

View Blog
Want more?

Get the latest research on developer-driven security

Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.

Resource Hub

The ROI of developer driven security

Published Feb 03, 2023
By Secure Code Warrior

The Cost of Poor Code 

Leaps in technology are making it easier than ever for developers to ship code faster than ever before. This can be exciting for innovation, but daunting when it comes to scaling up the quality and security in software. Justifying the costs of additional tools, training programs, and investment in upskilling developers can seem like a “nice-to-have” vs. a critical business function if the velocity of the code being shipped is maintained.  

Shipping code faster may have gotten easier, but unfortunately shipping secure code hasn't -  leaving organizations vulnerable to more threats than ever. The cost of cybercrime is staggering across the globe, and it’s rapidly increasing. In fact, in 2020, the cost of cybercrime was approximately $1 Trillion. On average the cost of a data breach is $4.35M - spreading across lost business from current customers and potential customers, as well as resources spent handling the detection, escalation and rework. 

Despite these astronomical costs, over half of organizations do not require developers to do formal secure-code training annually.

Security professionals all know that it can feel like playing a game of whack-a-mole when it comes to finding and fixing vulnerabilities. Even if you already have a security program with a remediation strategy, there's always an opportunity for improvement. Most organizations find that when their disaster recovery or backup capability is put to the test, their approach to security is not as robust as they once thought. If strengthening your organization’s resilience from cyberattacks is one of your top priorities, shifting the perspective left to your developers should be within your plans to continue improving your security posture. A skilled, empowered developer team that builds secure code from the start, and is knowledgeable enough to locate and fix vulnerabilities rapidly is your most cost-effective means of mitigating risk.   

A misconception when it comes to developer education is that it's simply a cost to the business or even an insurance policy. According to Klaus Klaus Klinger, DevSec Awareness Evangelist at Allianz, “The whole thing has to start in the heads of management. Investing in the training of developers is not a lost investment, but an investment into quality, productivity, and the reputation of the company”.

ROI can often be difficult to quantify in this space, but ultimately what organizations should be thinking about is how their security posture helps them to reduce risk, streamline their approach, and save time and productivity for their developer teams. 

How can one Quantify ROI in Cybersecurity Costs?

When it comes to ROI, it’s important to think about it in two different frames: the cost savings of mitigating risk vs. the impact of your security training.

Let’s consider this all-too-common example: a vulnerability or breach causes an e-commerce site to be forced offline for several days while its teams search for the problem and how to fix it. The cost of the failure to remediate can be quantified in lost revenue during the outage, the impact of stolen credentials, the loss of customer trust (resulting in long-term reduced sales), and the overall productivity lost while fixing the problem. 

This really boils down to a cost/benefit analysis. The key areas you will want to assess are your company’s security maturity level, your company’s risk acceptance levels, and the areas in your code that need to be maintained or improved.

People often focus on the wrong metrics to determine success and value. Perhaps we should concern ourselves less with the return on the initial investment of the program, and instead, measure the impact of the program itself. 

Measure to Prove Impact

In order to establish ROI, you have to create measurable goals. This begins with assessing your developers’ secure coding knowledge and understanding where they need to grow their skills. 

A starting point would be to measure engagement to help you to make strategic decisions as to how to build richer training programs. Most importantly - measure the impact. Start by looking at the number of weaknesses that get picked up in the software development life cycle through code analysis, bug bounties, or classic vulnerability testing before you start the program in each team. One of the simplest ways to know your training program is having the desired outcome is by measuring the decrease in vulnerabilities being introduced into your codebase overall.

Top Questions to Assess ROI:

1. Are we streamlining our approach?

Are you throwing more tools at the problem or solving it at its root cause? Adding more tools to your tech stack creates a “swiss cheese” method approach to finding and fixing vulnerabilities. They also increase operational costs with little impact on the source of many vulnerabilities - the code. Though scanning and pentesting tools should absolutely be a part of your arsenal, they should not be your last line of defense. 

2. Are we improving efficiency and productivity?

Time spent on exhaustive code reviews and reworks from code sent back from AppSec can result in a major loss of productivity. Reducing fire drills by empowering and enabling developer teams to be hands-on with their secure code training should be a good benchmark for assessing the positive impact of your security program. 

3.Are we lowering risks?

Finding and fixing a vulnerability can be like solving a large puzzle, which sometimes can take days, weeks, or even months to complete with a robust solution. Empowering developers to own remediation at the source lets AppSec focus on risk monitoring and strengthening the security posture of the organization.

4. Are we increasing velocity (but still maintaining quality)?

Shipping code quickly is not always a good thing. Cutting corners and introducing vulnerabilities into the code can create many headaches in the future and accumulate technical debt. Short-term thinking is not the answer here. One can mitigate risk by securing their code from the start, so that the problem doesn’t compound itself in the future. 

Recommended Metrics to Track:  

  • Engagement - how much time are you budgeting for training and how are developers engaging? Are they completing courses, assessments, and participating in tournaments? 
  • Skills - where are the areas of strength? What areas have you identified as needing improvement? 
  • Vulnerability reduction - have you noticed a measurable decrease in vulnerabilities during code review? Are you seeing less rework come back from AppSec? 
  • Productivity - how long does it take to remediate an issue? Have you noticed an increase in productivity or velocity with vulnerability reduction? 


Create Value By Shifting Left

Breaches and vulnerabilities have been rapidly increasing each year. It's important to start proactively building a holistic approach to security - starting first with your code. This will help to: 

  • Reduce complexity by investing in your most valuable resources - your people, instead of throwing money at tools that only solve part of the problem 
  • Improve efficiency and overall effectiveness by limiting rework or fixes that would normally be identified by AppSec after the code is deployed 
  • Mitigate risk and achieve compliance, avoiding costly fines, the loss of customer trust, or worse - the cost of a data breach 

Avoid short-term thinking and quick fixes. They can only result in technical debt and more costs down the road. Plan for the long term by harnessing the power of upskilling and enabling your developers to be your best line of defense against vulnerabilities and cybercrime, and see the impact and cost savings for yourself.

Enter your details to access the full report.

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Oopsie daisy