How much should you spend on security in the development process? I have googled this question to death and keep getting the same answers:
- Security should be built into the software development cycle
- You need to devote sufficient resources to security
- You need to make sure to consider security at the design phase
Great... and that means 5%? 10%? 20%? Or is it impossible to measure?
I started the OWASP Security Spending Benchmarks Project with Jeremiah Grossman (CTO at WhiteHat Security) to start getting some data on this topic. For industry A dealing with data B, we as information security professionals should be able to come up with a range of how much money should be spent on security.
Jeremiah has done a great job outlining the reasons people spend on security. But budgets are tight and there aren't any bailouts for software companies (yet). If companies can get away with spending less than necessary on software security they will. The only way to change that will be through industry benchmarks. Please get in touch if you want to get information on how to participate in the OWASP survey!