The days before zero day: investment models for secure software engineering

While the majority of security practice — and spending — is focused on post-development products and enterprise approaches, some have sought to change the focus of security from the networks we manage to the systems we build. The burgeoning Secure Software Engineering (SSE) community has sought to i...


Bibliographic Details
Main Authors: Heitzenrater, C, Böhme, R, Simpson, A
Format: Conference item
Language: English
Published: 2016
description While the majority of security practice — and spending — is focused on post-development products and enterprise approaches, some have sought to change the focus of security from the networks we manage to the systems we build. The burgeoning Secure Software Engineering (SSE) community has sought to identify and espouse activities, built upon traditional software engineering, that address the introduction of vulnerabilities as a means of stemming the growing tide of security problems before they can be realised. It is widely believed that not only do such approaches hold promise to limit exposure and reduce security incidents, but they are also a valid security investment that decreases overall security expenditure. While many initiatives are now underway to codify such SSE practices, a treatment of the economic considerations has yet to be conducted. We propose an initial model that captures SSE investment as a means of reducing defender uncertainty regarding vulnerabilities, while raising the cost to the attacker. This approach is instantiated as a companion process to traditional security models, and we use the Iterated Weakest Link (IWL) model of (post-deployment) security investment to demonstrate how defender security investment can be optimised over the system’s lifecycle. The results indicate both an increased return on security investment — the Return on Secure Software Process (ROSSP) — as well as reduced post-deployment costs. It is our hope that this model paves the way for a more comprehensive treatment of security investment that unifies pre- and post-security investment, leading to a more comprehensive view of security in software systems.
id oxford-uuid:92cc2384-4fa2-487a-b297-f667d6c115cb
institution University of Oxford