Vulnerabilities

The Cost of Fixing Vulnerabilities vs. Antivirus Software

Corporations and consumers will collectively spend $8 billion this year on desktop security software, better known as antivirus software. This is a lot of money, and more is spent each and every year while the problem of computer viruses only worsens. I often wonder how this money could be more effectively spent, such as on activities that would significantly reduce the means by which viruses propagate.

Computer viruses predominantly spread in two ways, Web and Email:

  1. A Web browser visits a website that automatically serves up a software exploit, or the website asks the visitor to voluntarily download and install a virus-laced application.
  2. An email is received that automatically launches a software exploit, or the email recipient is asked to voluntarily download and install a virus-laced attachment.

It is the first instance that I’d like to focus on. The vast majority of websites that serve up viruses are ‘legitimate’ websites; they’ve just been hacked. An attacker exploits a SQL Injection vulnerability in a target website and uses it to insert a virus, or links pointing to a virus, whereby a visiting Web browser is compromised. It would stand to reason that if these SQL Injection vulnerabilities didn’t exist to begin with, viruses could not propagate this way.

Let’s say we take the top five hundred thousand of the most trafficked and “important” websites. Statistics at WhiteHat Security say that about 11% of websites, or 55,000 in our target set, have at least 1 SQL Injection vulnerability. We should also assume that if there is 1 SQL Injection in a given website, then there are really 10. This gives us a total of 550,000 SQL Injection vulnerabilities in circulation. Finally, let’s estimate that each SQL Injection vulnerability will require 40 developer hours x $100 per hour to fix, or about $4,000 total in labor costs.

When all the math is combined (550,000 x $4,000) we get a total of $2.2 billion to fix our SQL Injection issues that are responsible for a significant chunk of our computer virus woes — or about 1/4 of what is spent on antivirus software. Contrast this with the fact that corporations spend less than $500 million each year on application security, even when you combine vulnerability scanning, Web application firewalls, source code reviews, developer training, etc.

Here’s another added benefit of fixing the vulnerability over the purchase of antivirus software. When a vulnerability like SQL Injection is fixed (properly), you don’t have to spend that money next year to fix it again. With antivirus software, you must pay the costs each and every year for the foreseeable future with little to no benefit carried forward.

I also often wonder what it will take to influence a shift in information security spending habits from one of tradition to efficacy.