Thread by Jeremiah Grossman, 6 tweets, 1 min read
While various research suggests that software bugs are ~5-10x less expensive to fix during the SDLC than waiting till production, this financial analysis should NOT be used as justification to find-fix vulnerabilities earlier. /1
Let's assume fixing the average [website] vuln (SQLi, XSS, etc.) requires ~40 man-hours to prioritize developer time, create a patch, QA/regression test, and finally push to production. At $100/hr, the cost to fix each vuln in prod is $4,000. /2
The average website may have around ~20 individual vulns reported annually. Therefore the total cost to fix ALL these vulns, at the most expensive stage (Prod), is $80,000 ($4,000 x 20). /3
Alternatively, let's say the business invests in whatever SDLC tools and processes are necessary to ensure those vulns never make it to production in the first place. Will that investment cost more or less than $80,000? /4
It'll likely cost more in tooling to proactively prevent vulns in Prod, but it's also the wrong answer because it's the wrong question. An Eng manager, of any reasonably sized team, will not be attracted by ANY idea that only saves $80,000 (less than the cost of 1 FTE). /5
Of course the financial loss of a breach far exceeds the cost of the security tooling in the SDLC. Risk reduction is why we should recommend doing so, and not because bugs/vulns are X-times cheaper to fix earlier. /6