Automated tools don't necessarily solve the problem. The panel noted that an automated tool or suite may not search for vulnerabilities such as SQL injection, which probes or breaks an application's SQL queries to learn additional data from the error messages the database returns. In that case, a corporation may be stuck hiring a consultant as well as paying tool costs, according to the panel of security experts, which lacked a representative from the automated security tools industry.

Companies rarely give consultants the time necessary to correct code before rolling it out to customers, often granting them the wee hours of a weekend morning to make the necessary corrections. In a Meta Group study, a bug discovered in the implementation phase costs 6.5 times as much as a bug found in the software design. In testing, that bug costs 15 times as much as the design bug, and a post-release fix can cost 60 times as much, measured in lost revenue and resources but excluding legal fees. Shrink-wrapped code likely costs even more, Deloitte & Touche's Lam estimated.

One audience member defended the developers writing the code, however. "They're always going to be a step behind the curve," he said. "They're always up against a deadline."
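The kind of flaw the panel describes, shown as an added example (not code from the article or the panelists): a lookup that builds its query by string concatenation and hands the raw database error back to the caller, beside a parameterized version that returns only a generic message. The in-memory SQLite table, the `users` schema and the `log_internal` logger are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("INSERT INTO users (name, role) VALUES ('alice', 'admin')")
    conn.commit()
    return conn


def log_internal(exc):
    """Stand-in for the application's server-side logger (assumption)."""
    pass


def lookup_vulnerable(conn, name):
    """Concatenates user input into SQL and returns the raw engine error text.

    A single stray quote in `name` is enough to break the statement, and the
    error message that comes back describes the query to whoever sent it.
    """
    sql = "SELECT id, role FROM users WHERE name = '" + name + "'"
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}  # leaks parser/schema detail to the client


def lookup_hardened(conn, name):
    """Parameterized query: the input is bound as data, never parsed as SQL.

    Database errors are logged server-side and replaced by a generic message,
    so nothing about the query or schema reaches the client.
    """
    sql = "SELECT id, role FROM users WHERE name = ?"
    try:
        return {"rows": conn.execute(sql, (name,)).fetchall()}
    except sqlite3.Error as exc:
        log_internal(exc)
        return {"error": "lookup failed"}
```

A review or scanner check for this class of bug is therefore twofold: the query must be parameterized, and the error path must not echo engine messages.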
The problem, Sima and Proctor said, is that security vulnerabilities are not treated the same as more traditional software bugs, which break features. "A bug is a bug, whether it be a feature that's not working or an unintended security flaw," Proctor said.