Is Software Security a Waste of Money?
I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn’t important. He said:
For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove to be valuable and provide a measurable return on investment, but that’s probably not the case for smaller enterprises, said John Viega, executive vice president of products, strategy and services at SilverSky and an authority on software security. Viega, who formerly worked on product security at McAfee and as a consultant at Cigital, said that when he was at McAfee he could not find a return on investment for software security.
I agree with that. For small companies, it’s not worth worrying much about software security. But for large software companies, it’s vital.