Software has always been risky business compared to more mature industries such as telecommunications and manufacturing. Historically, software has seen more canceled projects, higher costs and more frequent schedule overruns than any other industry.
Today in 2016 we are also on the forefront of receiving an increasing amount of cyber-attacks in many different forms such as denial of service, data theft, phishing and the like. Of course, other industries are also risk prone, such as banking and finance as seen by their many failures circa 2008. Indeed the insurance industry centers around risk and has developed sophisticated actuarial methods for predicting the costs of risks and when they will occur.
What software needs today is a better understanding of security techniques and security economics, in terms of preventing and recovering from cyber-attacks. In other words, we should mirror insurance in the use of solid actuarial analysis of software and security risks.
Namcook’s Software Risk Master (SRM) tool is starting that shift by predicting the main forms of software risks before software projects start, when there is still time to create effective risk avoidance strategies. The top risks we predict are:
These risk predictions are variables, and the key factors that influence them include team experience, development methodologies, programming languages, effective quality control techniques before and during testing, and achieving high levels on the SEI capability maturity model integrated. For example, both formal inspections and static analysis have proven to be effective risk-reduction techniques.
Concentrating primarily on security risks, we are also concerned with security costs in two forms:
- Preventing cyber-attacks by using more sophisticated quality control during development.
- Recovering from successful cyber-attacks.
To provide a context of risk and security costs, the below table shows the top cost drivers today:
As can be seen, software security risks consume a significant portion of key software cost drivers. To be successful and reduce IT spend, it will be important to push them down to the bottom of the ranked list of cost drivers by 2026. There are existing technologies for doing this, such as deploying security inspections and using static analysis on all critical software projects. CAST’s Application Intelligence Platform measures technical vulnerabilities that put your organization at risk based on industry leading code quality standards from CISQ. Plus there are ways to participate with cyber-attack groups established by the FBI, Homeland Security, and some state and local police departments. However many companies and government groups are still careless in both software quality control and software security.
Improved knowledge of software risk and security flaws is on the critical path for making significant reductions in high-cost problems.
There are two obvious paths facing the software industry in 2016. The best path would be to achieve major software risk reductions and major reductions in cyber-attacks by means of deploying more sophisticated quality and risk control techniques during development, including analyzing the quality of application portfolios.
The more dangerous path will lead to increasing numbers of successful cyber-attacks and steadily increasing expenses associated with related software risks. This will also lead to severe erosion in customer satisfaction, especially in regards to banking applications, where thefts of funds and identities are a daily hazard. This second path assumes continued laxness in quality control and security control.
Both poor software quality and software security flaws are treatable conditions somewhat like medical conditions that can be eliminated by a combination of vaccinations and effective therapies. It is theoretically possible to reduce delivered software defects and deployed software security flaws by over 90% compared to 2016 norms. Even better, some of the effective therapies such as static analysis are also very cost effective and lower both development and maintenance costs as well as lowering cyber-attack costs.