Your number one priority in building a new application? Getting it into the hands of potential customers as fast as possible. Understood, but what are the risks of this practice? Your Application Security (AppSec) is an afterthought, and the risk exposure of your company is unknown. Now, I am not here to judge this approach, but rather applaud you to want to address the issue. This article provides you with a method to determine how much time (=$$) is needed to address potential vulnerabilities in your application.
To get a sense of the security posture of the application, one of the first things you could do is a Static Application Security Test (SAST) of the source code. But how do you plan for this? How much time should you set aside for the remediation of the issues found by the SAST tool?
For clarity: an issue does not necessarily mean it is a vulnerability. To get a handle on the number of issues vs vulnerabilities, I would like to refer to a research paper from the Dakota State University. The paper discusses the number of vulnerabilities per 1000 lines of code (KLOC) depending on the Capability Maturity Model (CMM) level of a software development organization. For the sake of this article, let’s assume the CMM level of your software development organization is at its highest level (5). According to the aforementioned paper, this results in 1 vulnerability per KLOC. I will use these results later in my article.
Let’s have a look at what’s involved in addressing the SAST results.
When an issue is reported by the SAST tool, an auditor executes the following activities:
When the issue is a vulnerability, the developer, to whom the ticket was assigned, has to execute the following activities:
As you can see addressing the results of a SAST scan requires time, general AppSec knowledge, and knowledge of the application itself. Let’s narrow this down.
The SAST results are reported in four different categories Critical, High, Medium, and Low. Based on my extensive experience working with SAST tools:
According to the CVE Details, of all vulnerabilities, about 10% are Critical (a score of 9-10) According to the CVE Details, of all vulnerabilities, about 20% are High (a score of 7-8.9) Based on my experience, it takes at least four (4) hours to address (auditor + developer) a Critical vulnerability and at least two (2) hours to address a High vulnerability.
Critical and High vulnerabilities are the easiest to discover and exploit, hence per the safe computing initiative from MIT, these should be addressed first.
Now assume one FTE effectively works six hours per day.
Based on these numbers, we can use the following formula to calculate the number of weeks it takes for one FTE to address the initial scan results of your SAST scan:
# of weeks to remediate = # of weeks to remediate Critical + # of weeks to remediate High
# of weeks to remediate Critical = Total LOC / 1000 * 10% * 4 hours to address / 6 hours per day / 5 days per week
# of weeks to remediate High = Total LOC / 1000 * 20% * 2 hours to address / 6 hours per day / 5 days per week
Let us look at an example where the codebase of the application is 1.5 MLOC; this is not counting comments or blank lines.
# of weeks to remediate Critical = 1,500,000 / 1000 * 0.1 * 4 / 6 / 5 => 20 # of weeks to remediate High = 1,500,000 / 1000 * 0.2 * 2 / 6 / 5 => 20
# of weeks to remediate = 20 + 20 => 40
Notes:
Are you considering an AppSec Program, including running an initial SAST (baseline) scan, with remediation? Let’s chat about how working with me can reduce time, money, and ultimately your risk exposure. See my contact details below.
Percy Rotteveel - Cell: (650) 421-3631 - eMail percy@rotteveel.ca
Article: https://www.linkedin.com/pulse/price-sast-afterthought-percy-rotteveel