If a Web Developer doesn’t release a revenue-generating feature on time, the business will FOR A FACT lose money. If a Web Developer doesn’t fix a vulnerability, it MAY be exploited, and MAY cost the business money. Neither outcome is guaranteed. Since Web Developer resources are scarce, how should the business decide the right course of action from a justifiable risk-management perspective?
This Web Developer resource trade-off is extremely difficult to quantify, which is why I believe website vulnerability remediation rates are only at 63%, taking an average of 38 days to fix.
If the Application Security industry wants the business to listen to our guidance, we must answer this fundamental question. Until such time, application security comes in a pizza box.