UK business typically spends 75% of software development budgets on eliminating security flaws, according to IT...
cost studies by security firm Comsec Consulting.
This means £750,000 is lost to fixing security flaws found late in the process for every £1m spent on software development by medium to large organisations.
Comsec has developed an on-demand service for new application code testing and analysis that the firm claims has cut code remediation costs by half for early adopters.
On-demand code analysis services typically reduce costs by eliminating the need for businesses to invest in costly code review software with annual licensing fees.
But Comsec's Codefend service, launched today, is aimed at providing a more comprehensive review than competitors.
The service aims to achieve this by combining automated standard testing with customised testing and human analysis.
The Codefend service includes detailed questionnaires on the authentication and authorisation processes used by each customer software development team.
These are used to construct customised tests ahead of the analysis process to identify weaknesses such as potential backdoors, which standard tools typically do not detect.
The customised tests are run on customer source code with standard tests for security vulnerabilities to common attack types like buffer overflows and cross-site scripting.
"Once the tests are run, the human analysis team eliminates false positives to identify only real vulnerabilities," said Stuart Okin, managing director at Comsec UK.
Codefend is aimed at opening up to all companies in-depth software reviews previously available only to developers at big software firms, said Okin.
Ed Gibson, chief security officer at Microsoft UK, said the service will enable more organisations to adopt secure development processes.
Secure coding from the very start of software development processes has delivered significant gains for Microsoft.
"Windows Vista is a classic example of the success of secure development, with no meaningful [security] compromises since its release three years ago," said Gibson.
Vista was the first version of Microsoft's Windows operating system to be developed from start to finish using the firms security development lifecycle (SDL) processes.
"Comsec's Codefend offers businesses what many would either not have thought of before or could not afford. Now there is little excuse not to check code in development," said Gibson.