Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: Stephan.Neuhaus at disi.unitn.it (Stephan Neuhaus)
Date: Thu, 19 Mar 2009 16:53:00 +0100

Hi Gary,

On Mar 19, 2009, at 16:27, Gary McGraw wrote:

> Hi Stephan,
>
> In my view, it would be even better to study the difference in
> external bug emphasis (as driven by full disclosure and the CVE) and
> internal bug emphasis (as driven by an organization's own top N list).

That is a brilliant idea, but how do I get "internal bug emphasis"?   
The companies in question won't hand over their data just like that.   
Perhaps a little prodding from someone who is well known and trusted  
could help here, Mr McGraw, Sir. :-)  (Actually, I might get at  
Microsoft data, if I can make the right pitch.)

> To put a slightly finer point on it, I wonder whether the "scatter"
> you can observe outside of the black box looks completely different
> than the in-the-box view.  In this case, an organization's codebase
> and dev shop is "the box" and the external bug reports are outside.
> I have a feeling that is it.

Oh that's a very interesting question.  As I said, it's a brilliant  
idea, and I'd love to see this carried out.

> Trento has a special place in my heart as I lived there from
> 8/93-8/94 and worked at IRST.

That is very cool!  Also, you are lucky that you worked at IRST then,  
because the CS department is constructing a new building that will  
completely ruin the view across the valley from IRST.  I don't think  
they like us much over there :-)

> Say hi to Cognola for me.

Will do, even though I live in Povo myself.[1]

Fun,

Stephan

[1] I was told by one of the professors that before the University  
came here, Povo was the place "where the weird mountain people live".  
That would hold double for the people who live across the Fersina, for  
example in Cognola :-)
