Secure Coding mailing list archives

application assessment factories


From: gem at cigital.com (Gary McGraw)
Date: Thu, 17 Jul 2008 13:31:29 -0400

hi sc-l,

One of the problems we've faced more than once in our work at Cigital is misuse of good metrics.  A great example of a very useful metric that can be misused is cost per bug (or cost per defect if you are also interested in flaws).  We've seen CIO-level managers comparing pen testing to code review with a static analysis tool in terms of this metric---something that can be entirely misleading.  In order to combat that problem, we've been instantiating application assessment factories with our customers.

I briefly describe the concept (which was invented by John Steven) in my InformIT column this month.  Check it out:

http://www.informit.com/articles/article.aspx?p=1231818

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
