Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

[ken at krvw.com (Kenneth Van Wyk)]

On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote:
> So he's not completely naive, though the history of security metrics  
> and
> standards - which tend to produce code that satisfies the standards
> without being any more secure - should certainly give on pause.
>
> One could, I suppose, give rebates based on actual field experience:
> Look at the number of security problems reported per year over a two-
> year period and give rebates to sellers who have low rates.


Right, so this is where I believe the entire idea would fall apart.  I  
don't think we have adequate metrics today to measure products  
fairly.  Basing the tax on field experience would also be problematic  
to measure well, although I could see this leading to development  
organizations getting some sort of actuarial score.

But the real problem with it, as I said, is metrics.  Should it be  
based on (say) defect density per thousand lines of code as reported  
by (say) 3 independent static code analyzers?  What about design  
weaknesses that go blissfully unnoticed by code scanners?  (At least  
the field experience concept could begin to address these over time,  
perhaps.)

I do think that software developers who produce bad (security) code  
should be penalized, but at least for now, I still think the best way  
of doing this is market pressure.  I don't think we're ready for more,  
on the whole, FWIW.  But _consumers_ wield more power than they  
probably realize in most cases.

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2500 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20071130/b758e754/attachment.bin