This report provides guidance for those who want to make the business case for building software assurance into software products during each software development life-cycle activity. The business case defends the value of making additional efforts to ensure that software has minimal security risks when it is released and shows that those efforts are most cost-effective when they are made appropriately throughout the development life cycle. Although there is no single model that can be recommended for making the cost/benefit argument, there are promising models and methods that can be used individually and collectively for this purpose, as well as some convincing case study data that supports the value of building software assurance into newly developed software. These are described in this report.
The report includes a discussion of the following topics as they relate to the business case for software assurance: cost/benefit models, measurement, risk, prioritization, process improvement, globalization, organizational development, and case studies. These topics were selected based on earlier studies and collaborative efforts, as well as the workshop "Making the Business Case for Software Assurance," which was held at Carnegie Mellon University in September 2008.