Secure Coding mailing list archives
Re: Fwd from CIO Update: Why is application security so elusive?
From: Gunnar Peterson <gunnar () arctecgroup net>
Date: Sun, 18 Sep 2005 21:03:31 +0100
CIO Asia has a column on "A Few Good Metrics": http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2560&pubid=5&issueid=63

The article talks about using metrics to quantify risks and control effectiveness.

"There's no denying that proven economic principles can—and should—be applied to information security investments. At the same time, a bumper crop of valuable metrics exist that don't require classes on Nobel Prize-winning theories or a working knowledge of the Greek alphabet. You've actually already sowed the seeds of these less dense but equally valuable metrics. They're sitting in your log files, on your network, in the brains of your business unit managers, just waiting to be harvested. You won't need computational prowess to exploit this crop's value, just some legwork and—this is key—the most effective presentation tools"

...

"Jaquith has sharp, sometimes contrarian opinions on what makes a good metric and what makes for good presentation of metrics. For example, he thinks annual loss expectancy (ALE), a tool used to measure potential losses against probability of losses occurring over time, is useless, because in infosecurity, the L and the E in ALE are wild guesses. Quoting Geer, he says, 'The numbers are too poor even to lie with.'"

-gp

On Sep 18, 2005, at 10:17 AM, Kenneth R. van Wyk wrote:

FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons why secure software is so hard to find. Unlikely to be anything new to SC-L readers, but it could be worth a quick read in any case. In particular, his recommendations (to his presumably mostly CIO audience) are quite different than what you might expect to find, say, here on SC-L.

In any case, you can find the article at: http://www.cioupdate.com/trends/article.php/3548306

(Full disclosure: CIO Update is run by Jupiter Media, who also owns the site (eSecurityPlanet.com) where I'm a monthly columnist.)

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
Current thread:
- Fwd from CIO Update: Why is application security so elusive? Kenneth R. van Wyk (Sep 18)
- Re: Fwd from CIO Update: Why is application security so elusive? Gunnar Peterson (Sep 18)