The Real Cost of Patching Vulnerabilities

February 5, 2024

According to IBM, the global average cost of a data breach in 2023 was USD 4.45 million - a number that has grown by 15% over the last 3 years. As alarming as this number is, it raises another question - what does it cost to patch vulnerabilities in order to prevent a breach? The short answer is about USD 700k per year for an average team of 100 developers. The long answer is below.

The Premise

The cost of patching vulnerabilities is a critical yet under-discussed component of cybersecurity. Security teams excel at building gates and checkpoints around their organization’s infrastructure and processes, but often limit themselves to finding ‘vulnerabilities’ that are pushed back to engineering teams for remediation. Security teams see ‘patching’ primarily as a development and operations task, even though, within the security lifecycle, it is the task with the largest impact on security posture.

In this post, we will calculate the annual cost of patching vulnerabilities at the code level for a team of 100 software developers, each of whom writes about 100 lines of code (LoC) per day. On average, the rate of software vulnerabilities is about 4 per 1,000 LoC. We will assume that the team has a simple DevSecOps pipeline in place with a source-code scanner (a SAST tool such as SonarQube or Checkmarx), whose findings must be remediated under a typical security service level agreement (SLA).

Cost Calculations

There are 3 main categories of costs associated with patching vulnerabilities in code - triage, development, and validation.

Triage

Although there is general consensus within organizations on who owns the different security tools, there is no single recognized and established process for patching vulnerabilities. The staggeringly high false-positive rate (35 - 50%) of vulnerability scanner results means that someone needs to review each finding to determine whether it is a false positive or an actual exploitable vulnerability - a process known as ‘triage’.

The first round of triage is typically done by development teams: they add the vulnerabilities they judge relevant and important to their development backlog and push back on the rest. Engineering and security standards, as well as internal SLAs, define the boundaries of this review.

Going by our assumptions above, the team of 100 developers will generate about 900 vulnerabilities per month. Given the false-positive rates above, this corresponds to about 1,500 scanner findings. Assuming it takes 5 minutes to review a finding, that is 125 developer-hours per month, or 1,500 hours per year, spent on triage alone. That is 1,500 hours of productivity lost to validating findings that could instead have gone into building new features and functionality for the product.

Development

Once vulnerabilities have been identified and confirmed through triage, the next step is to actually patch them. This is where the bulk of the cost comes into play. Given our scenario, with 900 true vulnerabilities identified, let us assume our hypothetical team chooses to fix critical and high severity vulnerabilities only, which cuts the number in half to 450.

The average time to fix a vulnerability can vary significantly based on its complexity, the affected system's architecture, and the skill level of the developers. However, for the sake of calculation, let's assume an average of 2 hours per vulnerability. This includes the time to understand the vulnerability, develop a fix, and perform initial testing before it moves on to validation. This translates to 900 developer-hours per month, or about 10,800 hours per year.

Validation

The final step in the vulnerability management lifecycle is validation. Validation ensures that the patches have been applied correctly and that they neither introduce new vulnerabilities nor break existing functionality. This phase often involves automated regression testing, manual testing, and sometimes third-party security assessments or penetration testing to confirm the fixes.

Let's estimate that validation takes about 1 hour per vulnerability, half the time estimated for development, since some of the testing can be automated. This results in 450 developer-hours per month, or about 5,400 hours annually for our scenario.

Summary of Costs

Adding up all the above, we get:

  • Triage: 1,500 hours per year
  • Development: 10,800 hours per year
  • Validation: 5,400 hours per year
  • Total: 17,700 hours per year

The average salary of a software developer varies widely with location, expertise, and other factors; for our calculations we will use a generalized average annual salary of USD 100,000. This gives an hourly rate of ~USD 40, which puts the direct labor cost of patching vulnerabilities for our team at USD 708,000 annually, excluding overheads for benefits, equipment, and other indirect costs. This calculation also leaves out non-financial factors such as opportunity costs, business interruptions and downtime, and compliance and reputational risks. Nor does it include the ‘time cost’ - organizations take as much as 205 days on average to fix critical vulnerabilities.
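The cost model above, written here as an added example rather than taken from the post: it reproduces the post's figures from its stated assumptions and lets a team substitute its own. The number of working days per month (22.5) is not stated in the post; it is inferred from 100 developers × 100 LoC/day × 4 vulnerabilities per 1,000 LoC yielding the post's 900 vulnerabilities per month.

```python
from dataclasses import dataclass, replace


@dataclass
class Assumptions:
    """The post's scenario. working_days_per_month is inferred, not stated."""
    developers: int = 100
    loc_per_dev_per_day: int = 100
    working_days_per_month: float = 22.5    # inferred: gives 900 vulns/month
    vulns_per_kloc: float = 4.0
    false_positive_rate: float = 0.4        # 900 true vulns out of 1,500 findings
    triage_minutes_per_finding: float = 5.0
    fix_fraction: float = 0.5               # only critical/high get fixed
    dev_hours_per_fix: float = 2.0
    validation_hours_per_fix: float = 1.0
    hourly_rate_usd: float = 40.0


def annual_costs(a: Assumptions) -> dict:
    """Annual hours per phase and direct labor cost, following the post's steps."""
    loc_per_month = a.developers * a.loc_per_dev_per_day * a.working_days_per_month
    true_vulns = loc_per_month * a.vulns_per_kloc / 1000          # 900 per month
    findings = true_vulns / (1 - a.false_positive_rate)           # 1,500 scanner findings
    fixed = true_vulns * a.fix_fraction                           # 450 critical/high
    triage = findings * a.triage_minutes_per_finding / 60 * 12
    development = fixed * a.dev_hours_per_fix * 12
    validation = fixed * a.validation_hours_per_fix * 12
    total = triage + development + validation
    return {
        "triage_hours": triage,
        "development_hours": development,
        "validation_hours": validation,
        "total_hours": total,
        "labor_cost_usd": total * a.hourly_rate_usd,
    }


def savings_from(a: Assumptions, **changes) -> float:
    """USD saved per year if the given assumptions change, all else held constant."""
    return annual_costs(a)["labor_cost_usd"] - annual_costs(replace(a, **changes))["labor_cost_usd"]


if __name__ == "__main__":
    base = Assumptions()
    for k, v in annual_costs(base).items():
        print(f"{k:>18}: {v:,.0f}")
    # Removing every false positive only saves the triage of 600 spurious findings;
    # shortening fix time matters far more, since development is 61% of the hours.
    print(f"no false positives saves USD {savings_from(base, false_positive_rate=0.0):,.0f}")
    print(f"1h fixes instead of 2h save USD {savings_from(base, dev_hours_per_fix=1.0):,.0f}")
```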

The Real Solution

The real cost of patching vulnerabilities is not just a significant financial investment but also a substantial allocation of developer resources that could otherwise go into new value-adding features and functionality. But it doesn’t need to be that way.

Automated solutions like Patched can significantly reduce the time and effort required to remediate vulnerabilities throughout the software lifecycle. By automating the triage, patch generation, and validation steps, companies can save as much as 90% of these costs while improving their security posture and letting developers focus on what they do best - building great products.

To learn more about how Patched can support your cybersecurity needs, schedule a call with us or, better yet, try us for free.
