Secure Coding mailing list archives
application assessment factories
From: gem at cigital.com (Gary McGraw)
Date: Thu, 17 Jul 2008 13:31:29 -0400
hi sc-l,

One of the problems we've faced more than once in our work at Cigital is misuse of good metrics. A great example of a very useful metric that can be misused is cost per bug (or cost per defect if you are also interested in flaws). We've seen CIO-level managers comparing pen testing to code review with a static analysis tool in terms of this metric---something that can be entirely misleading.

In order to combat that problem, we've been instantiating application assessment factories with our customers. I briefly describe the concept (which was invented by John Steven) in my InformIT column this month. Check it out:

http://www.informit.com/articles/article.aspx?p=1231818

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com