Secure Coding mailing list archives

Re: Fwd from CIO Update: Why is application security so elusive?


From: Gunnar Peterson <gunnar () arctecgroup net>
Date: Sun, 18 Sep 2005 21:03:31 +0100


CIO Asia has a column on "A Few Good Metrics"
http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2560&pubid=5&issueid=63


The article talks about using metrics to quantify risks and control  
effectiveness.


"There's no denying that proven economic principles can—and should—be  
applied to information security investments. At the same time, a  
bumper crop of valuable metrics exist that don't require classes on  
Nobel Prize-winning theories or a working knowledge of the Greek  
alphabet. You've actually already sowed the seeds of these less dense  
but equally valuable metrics. They're sitting in your log files, on  
your network, in the brains of your business unit managers, just  
waiting to be harvested. You won't need computational prowess to  
exploit this crop's value, just some legwork and—this is key—the most  
effective presentation tools"

...
"Jaquith has sharp, sometimes contrarian opinions on what makes a  
good metric and what makes for good presentation of metrics. For  
example, he thinks annual loss expectancy (ALE), a tool used to  
measure potential losses against probability of losses occurring over  
time, is useless, because in infosecurity, the L and the E in ALE are  
wild guesses. Quoting Geer, he says, "The numbers are too poor even  
to lie with."


-gp

On Sep 18, 2005, at 10:17 AM, Kenneth R. van Wyk wrote:

FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons
why secure software is so hard to find.  Unlikely to be anything new to SC-L
readers, but it could be worth a quick read in any case.  In particular, his
recommendations (to his presumably mostly CIO audience) are quite different
than what you might expect to find, say, here on SC-L.  In any case, you can
find the article at: http://www.cioupdate.com/trends/article.php/3548306


(Full disclosure: CIO Update is run by Jupiter Media, who also owns the site
(eSecurityPlanet.com) where I'm a monthly columnist.)

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com