[SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

Kenneth Van Wyk ken at krvw.com
Fri Nov 30 10:15:32 EST 2007

On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote:
> So he's not completely naive, though the history of security metrics
> and standards - which tend to produce code that satisfies the standards
> without being any more secure - should certainly give one pause.
> One could, I suppose, give rebates based on actual field experience:
> Look at the number of security problems reported per year over a
> two-year period and give rebates to sellers who have low rates.

Right, so this is where I believe the entire idea would fall apart.  I  
don't think we have adequate metrics today to measure products  
fairly.  Basing the tax on field experience would also be problematic  
to measure well, although I could see this leading to development  
organizations getting some sort of actuarial score.

But the real problem with it, as I said, is metrics.  Should it be  
based on (say) defect density per thousand lines of code as reported  
by (say) 3 independent static code analyzers?  What about design  
weaknesses that go blissfully unnoticed by code scanners?  (At least  
the field experience concept could begin to address these over time,  

I do think that software developers who produce bad (security) code  
should be penalized, but at least for now, I still think the best way  
of doing this is market pressure.  I don't think we're ready for more,  
on the whole, FWIW.  But _consumers_ wield more power than they  
probably realize in most cases.



Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
