How much does it cost to fix software vulnerabilities?

What would you change if you found out that you are more likely to experience a data breach over the next two years (a probability of 27.9%) than you are to catch the flu (5-20% probability)? And equally important, how soon would you act?

When it comes to the flu, there is no question that prevention is better than cure. But does the same apply to code development? We argue that following a structured approach to secure software development produces measurable benefits, e.g. a reduced overall cost of developing an application. This is not only our opinion; it is also the conclusion of several studies by e.g. IBM, Microsoft and NIST. Based on our experience and using the findings of other research, we have created a simple tool to help you estimate the number of vulnerabilities in your code and the cost of fixing them.

The Riscure Vulnerability Cost Calculator

The vulnerability cost calculator is based on many years of experience evaluating software and hardware solutions for 500+ Riscure customers around the world. We also include research findings from reputable studies on the topic of software security. Please note that the calculator is a rough approximation of the real state of security of your code, and we assume no liability. But for dozens of projects this approximation has already proved to match reality.

This calculator uses industry-based metrics and simple formulas to give you a rough estimate of the projected cost of solving vulnerabilities in the different phases of your development life-cycle.

We determine the "security maturity" of your development team by asking three questions about your team and your secure development practices. Based on these questions we calculate a maturity score of one through four. This score helps you estimate the number of vulnerabilities you will have per thousand lines of code and the estimated number of person-hours it will take to patch or fix each vulnerability.

Your team

Do you use security static code analysis or vulnerability scanning tools during development?

Do you regularly perform manual code review for security-related issues?

How often do you train your team on secure coding practices?

In order to automatically estimate costs, we ask you to fill in the fields below. There is no need to provide accurate numbers as the result is just a rough estimate.

We will use these values together with your estimated maturity level to determine how many vulnerabilities will statistically be in your product. For each stage of the software development life-cycle we will then determine what the total cost would be if all vulnerabilities were solved in that stage. For this, the average number of hours required to patch a vulnerability is also determined by your estimated maturity level.
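The estimation model described above, written out as an added example; this is not Riscure's calculator code. The score mapping, the vulnerabilities-per-KLOC and hours-per-fix tables and the intermediate stage multipliers are constructed placeholders (only the factor of 30 between the earliest and latest stage follows the NIST figure cited further down), so the output illustrates the shape of the calculation, not a calibration.

```python
# Added illustration of the calculator's structure. All parameter values are
# constructed placeholders, not Riscure's calibration (the page does not publish it).

# Expected vulnerabilities per thousand lines of code, indexed by maturity score 1..4.
VULNS_PER_KLOC = {1: 6.0, 2: 4.0, 3: 2.0, 4: 1.0}
# Average person-hours to patch one vulnerability, indexed by maturity score.
HOURS_PER_FIX = {1: 12.0, 2: 8.0, 3: 6.0, 4: 4.0}
# Relative cost of fixing in each life-cycle stage. The 30x gap between the
# earliest and latest stage follows the NIST study cited on the page; the
# intermediate multipliers are assumed.
STAGE_MULTIPLIER = {"design": 1, "implementation": 3, "testing": 10, "production": 30}


def maturity_score(uses_scanners: bool, manual_review: bool, trainings_per_year: int) -> int:
    """Map the three team questions to a score of 1..4 (this mapping is an assumption)."""
    return 1 + int(uses_scanners) + int(manual_review) + int(trainings_per_year >= 1)


def expected_vulnerabilities(kloc: float, score: int) -> float:
    """Statistically expected number of vulnerabilities in a product of `kloc` KLOC."""
    return kloc * VULNS_PER_KLOC[score]


def cost_per_stage(kloc: float, score: int, hourly_rate: float) -> dict:
    """Total cost if every expected vulnerability were fixed in a given stage."""
    hours = expected_vulnerabilities(kloc, score) * HOURS_PER_FIX[score]
    return {stage: round(hours * hourly_rate * mult, 2) for stage, mult in STAGE_MULTIPLIER.items()}


def savings_from_shifting_left(kloc: float, score: int, hourly_rate: float,
                               fix_in: str = "implementation") -> float:
    """Money saved by fixing all vulnerabilities in `fix_in` instead of in production."""
    costs = cost_per_stage(kloc, score, hourly_rate)
    return round(costs["production"] - costs[fix_in], 2)


if __name__ == "__main__":
    # Constructed sample: a 50 KLOC product, manual review only, no training, 100/hour.
    score = maturity_score(uses_scanners=False, manual_review=True, trainings_per_year=0)
    print("maturity score:", score)
    for stage, cost in cost_per_stage(kloc=50, score=score, hourly_rate=100).items():
        print(f"{stage:>15}: {cost:,.0f}")
    print("saved by fixing during implementation:", savings_from_shifting_left(50, score, 100))
```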

How can Riscure help you?

Riscure specializes in Development Solutions: we offer tools, services and training to help software and hardware vendors achieve better security. The journey to robust solutions typically starts with training, to raise security awareness and share hands-on secure development. If you would like to discuss how to embed security while preserving the unique specifics of your environment, get in touch with us via or by completing the form below.

What do other studies say?

According to the CVE Details database, the number of reported vulnerabilities has been on the rise, with 2017 having twice as many reports as 2016 and 2018 expected to exceed this record.

The 2018 Cost of a Data Breach study, sponsored by IBM Security and independently carried out by Ponemon Institute, puts the global average cost of a data breach at $3.86 million, up by 6.4% compared to last year.

The mean time to identify a breach was 197 days. The mean time to contain a breach was 69 days. Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days to resolve it.

Data breaches are the most costly in the United States and the Middle East. Hackers and criminal insiders are the root cause for 48% of data breaches. Human error accounts for 27%.

A study on The Economic Impacts of Inadequate Infrastructure for Software Testing by the National Institute of Standards and Technology (NIST) estimated that fixing a vulnerability in the early stages of a product's life cycle can be cheaper by a factor of 30. An improved software testing infrastructure allows developers to find and correct more errors sooner and at lower cost.

Boost your secure development expertise with Riscure Training Academy

If you are involved in the design, development and maintenance of software aimed at the protection of assets and you want to learn how to find vulnerabilities in an application codebase, you could follow the 2-day Secure Code Development Bootcamp training (also available online).

If you are tasked with designing, developing or maintaining a secure boot implementation and would like to learn how to recognize attacks and implement countermeasures, join the Hardening Secure Boot Workshop 1-day training. If you are looking to understand software exploitation to assess the impact of vulnerabilities or perform penetration testing, have a look at our Introduction to Software Exploitation 2-day training.

If you want to understand which vulnerabilities are introduced during compilation, you can enroll in the ARM Reverse Engineering 2-day training, available on request.