Automated tools don't necessarily solve the problem. The panel noted that an automated tool or suite may not search for vulnerabilities such as SQL injection, in which an attacker manipulates or breaks an application's SQL queries and learns additional data from the resulting error codes. In that case, a corporation may be stuck hiring a consultant as well as paying tool costs, according to the panel of security experts, which lacked a representative from the automated security tools industry.
The problem, Sima and Proctor said, is that security vulnerabilities are not treated the same as more traditional software bugs, which break features. "A bug is a bug, whether it be a feature that's not working or an unintended security flaw," Proctor said.
Companies rarely give consultants the time necessary to correct code before rolling it out to customers, often granting them only the wee hours of a weekend morning to make the necessary corrections. In a Meta Group study, a bug discovered in the implementation phase costs 6.5 times as much as a bug found during software design. In testing, that bug costs 15 times as much as the design bug, and a post-release fix can cost 60 times as much, measured in lost revenue and resources but excluding legal fees. Shrink-wrapped code likely costs even more, Deloitte & Touche's Lam estimated.
One audience member defended the developers writing the code, however. "They're always going to be a step behind the curve," he said. "They're always up against a deadline."