How Much Time Does It Take To Create A Security Software Solution?
The steady increase in cyber-attacks will likely be a long-term trend, and businesses are looking for robust cybersecurity solutions. The market for cybersecurity software is growing, and many entrepreneurs are trying to tap into it. If you are such an entrepreneur, you are likely wondering how long it takes to create security software. Read on, since that’s exactly what I explain here.
The growing demand for enterprise security software
Businesses incur huge costs as a result of cyber-attacks. Data security breaches cost businesses a whopping $3.86 million per annum, according to an analysis found in “The average cost of a data breach is highest in the U.S. [Infographic]”.
A study by IBM shows that it takes 365 days on average to identify a data breach and contain its effects, if the breach is a result of a cyber-attack. Symantec has stated in its “2019 Internet security threat report” that cyber-attackers steal users’ credit card details from approximately 4,800 websites every month just by injecting malicious code.
These threats compel enterprises to invest heavily in cybersecurity. The term covers aspects like network security, application security, information security, disaster recovery, business continuity planning, and end-user training.
The demand for cybersecurity solutions for enterprises has the following drivers:
- Exponential growth of data;
- Proliferation of organized cyber-attack gangs;
- The ease of launching cyber-attacks;
- Increasingly sophisticated forms of attacks;
- Growth of high-potential technologies with vulnerabilities, like cloud computing, “Internet of Things” (IoT), etc.
I have explained these drivers in “Why enterprises must invest more in cyber security solutions”.
As you would expect, the market for cybersecurity solutions is growing. PRNewswire projects this market to reach $300 billion in 2024, from a modest $120 billion in 2017.
How long does a security software development project take?
Let’s take a step back before we talk about how long a security software development project takes, and let’s agree on the right methodology. Enterprise security software is a high-value asset for the enterprise.
A project to develop such software has specific, well-defined requirements. Such projects need regular reviews after each phase, and the traditional “Waterfall” methodology suits them. You can read “Waterfall vs Agile: Which methodology is right for your project” for more insights.
I will now take you through the various phases of this project, describing how much time each phase needs. These phases are as follows:
- Requirements gathering and analysis;
Read about these phases in “What is software development life cycle and what you plan for?”.
The time estimate in this article assumes the following:
- Project sponsors and business stakeholders are fully aligned with the project plan, and they have committed to the success of the project. You can read “What is a project sponsor?” to learn about the importance of this.
- You have a skilled and experienced team in place. If you don’t have this in place, you need to form a team, and our guide “Freelance app development team vs. field expert software development teams” can help. The team needs the following roles:
  - Business analysts;
  - UI designers;
  - A security software architect;
  - Security software developers;
  - A project manager (PM).
- The security software architect and developers have the necessary skills, e.g.:
  - Software architecture (for the security software architect);
  - Operating systems like Windows, Unix, and Linux;
  - Programming languages like Java, C, C++, PERL, etc.;
  - Relational databases like MySQL;
  - IP security;
  - XML, web services;
  - Cloud computing;
  - Hypervisors, e.g., VMware.
- The PM is competent enough to manage this project effectively, and he/she will use the relevant PM best practices and tools. You can read “15 killer project management best practices for managers” for more insights.
- Team members are co-located, and they have sufficient access to the project stakeholders.
- The project team members are available to work on the project according to the resource-loading plan for the project.
- You have the required IT infrastructure in place. If you don’t have this, you can buy it from an “Infrastructure as a Service” (IaaS) provider. I recommend AWS Elastic Compute Cloud (EC2), given the excellent cloud capabilities of AWS.
- The time estimate includes the post-deployment support and warranty support sub-phases of the maintenance phase; however, it doesn’t include an estimate for long-term ongoing maintenance.
1. Requirements analysis phase
This is the most important phase in projects that use the Waterfall methodology, and you must allocate sufficient time for this. You need to decide the features you will offer. An enterprise security software suite may have the following features:
- It should automatically update the system to meet new cybersecurity threats.
- The enterprise security software should scan the IT system in real-time.
- It should automatically clean up viruses without any user intervention.
- The software should provide protection for multiple apps and services.
- Enterprise security software should provide application-level security.
- The software must provide an admin dashboard with role-based menu options.
- Businesses often need row-level security for their sensitive data, and the security software needs to provide this.
- “Single Sign On” (SSO) is an important feature.
- The security software must enable the management of user privileges.
- Enterprise security software needs to provide for application activity auditing.
You can read “What is IT security software? Analysis of features, benefits and pricing” for a deeper understanding of these features.
The requirements should also clearly state which types of security software you will offer in your enterprise security solution. Enterprise security solutions typically have the following types of software:
- Computer anti-virus;
- Anti-spyware software;
- Network security;
- Password managers;
- Data encryption tools;
- Log management software;
- Bot mitigation tools;
- Monitoring tools;
- Intrusion prevention software.
You can read more about these types in “10 types of security software your business website absolutely needs”. The project team needs to clearly identify which types are to be included in the proposed enterprise security solution.
The PM needs to ensure that the team follows the software requirements management processes, e.g.:
- Involving the business stakeholders in the requirements analysis phase;
- Identifying requirements, and tracking them using relevant traceability matrices;
- Establishing a requirements change management process;
- Baselining of the requirements.
Read more about this in “Requirements management process in software engineering”. BAs produce a document named “Software Requirement Specification” (SRS) in this phase. A robust requirements management tool like IBM Rational DOORS Next Generation can help the team.
I recommend that you allocate 1 month for this phase.
2. Design phase
In the design phase, the architect should involve appropriate stakeholders and focus on the following:
- The architect takes the requirements as inputs and designs the system components at a high-level.
- Planning the interaction between the various system components takes place during this phase.
- The architect also takes the relevant architecture decisions, and decides on a software architecture pattern, as follows:
  - Enterprise security software will likely have a fixed set of core tasks, and it is bound to be a high-usage set of tools.
  - You can consider using the Microkernel architecture pattern, which is suitable for this kind of software. More information about this pattern is available in “Large enterprise Java projects architecture”.
- The architect then makes the decision about the technology stack.
- Subsequently, the PM works with the architect to identify the project risks and constraints.
- As the next step, the architect leads the team to prepare a detailed design document, which is granular. This is a component/module-level design document, called the “Design Specification Document” (DSD).
You can read “Software development life cycle – SDLC phases” for more information. The PM uses the outputs of the 1st and 2nd phases to prepare a detailed project plan, including a schedule. I recommend that you allocate 2-3 months for this crucial phase.
The duration of this phase depends on the number of features, and the various types of security software you plan to offer in this enterprise security solution. “Hierarchical Input Process Output” (HIPO) and “Data Flow Diagram” (DFD) are some of the tools you can use in this phase, and you can learn more in “Software analysis & design tools”.
3. Development phase
In this phase, developers use the design document as the input, and code the modules. Programmers might use some aids for this, e.g.:
- They could use “Integrated Development Environments” (IDEs) like Eclipse or IntelliJ IDEA.
- Depending on the requirements, developers might use a security software development platform like IONIC SECURITY. This platform offers several features, e.g., key management, dynamic data management, adding application-level security, enforcement of privacy policies, and analytics.
- Programmers often use code review guidelines and checklists.
You can read more about this phase in “SDLC (software development life cycle) tutorial: What is, phases, model”. Source code is the output of this phase.
I recommend 4-6 months for this phase, and the complexity of your proposed security software influences the time required.
4. Testing phase
When you create security software, the testing phase is crucial. An enterprise security software solution is a high-stakes product; therefore, thorough and systematic testing is important. This phase might include the following types of functional testing:
- Unit testing;
- Integration testing;
- System testing;
- Sanity testing;
- Smoke testing;
- Interface testing;
- Regression testing;
- Beta/Acceptance testing.
The security software will be used in an enterprise context; therefore, the following types of non-functional testing are important:
- Performance testing;
- Load testing;
- Stress testing;
- Volume testing;
- Recovery testing;
- Reliability testing;
- Usability testing;
- Compliance testing.
You can read about the various kinds of testing in “Types of software testing: Different testing types with details”.
The business stakeholders need to participate actively, and the project sponsor should work closely with the PM to ensure this. I recommend that you reserve 3-4 months for this phase.
5. Deployment phase
This phase involves some processes that you can carry out while the preceding phases are in progress, and there are processes that must follow the testing phase. Let’s first discuss the processes you can execute while the other phases are in progress, and these are as follows:
- Implement a deployment process: This involves setting up reviews where you get the green signal for deployment, and building an implementation checklist.
- Establish the deployment environment: This includes the deployment scripts, automation tools, “Continuous Integration” (CI) environment, and “Continuous Delivery” (CD) environment.
You can read about this in “Software deployment”. Setting up robust software deployment processes and a robust deployment environment can take 3-4 months. However, you can reuse these software assets later.
I will now explain the processes that must follow the completion of testing, and these are as follows:
- Creating a deployment plan and a back-out plan;
- Reviewing deployment readiness;
- Obtaining appropriate approval for the deployment plan, schedule, and back-out plan;
- Executing the deployment processes.
I recommend that you allocate 1 week for this since the reviews and approvals can take some time.
6. Maintenance phase
This phase typically includes post-deployment support, warranty support, and long-term ongoing maintenance. Enterprises often set up separate contracts with service providers for ongoing maintenance; therefore, I talk here about post-deployment and warranty support only.
You need to retain a sufficient number of experienced developers from the development phase into this phase. The team can expect a high workload during post-deployment and warranty support, and a thorough knowledge of the system is key.
You can read about the maintenance phase in “The SDLC: 7 phases, popular models, benefits & more”. Warranty periods can often be for one quarter.
Planning a project to create security software?
Depending on the complexity of the proposed enterprise security solution, a security software development project can take 16-21 months. Such projects can be complex. Finding a PM experienced in leading such a project can be hard; moreover, hiring security software architects and developers can have a significant lead time.
You might need to seek professional help for such projects. Consider engaging a reputed software development company, and look for one that can take end-to-end responsibility for delivering the project successfully.
Finding such a development partner requires a good deal of due diligence, since this is a high-stakes project. Our guide “How to find the best software development company?” can help you to find such a development partner.