SEARCH RESULTS
 
Showing 1-10 of 19 records
 
Software Security Metrics and Commentary on "Metrics Framework" Paper

2007-09-17 20:41:00 by Security Retentive in Security Retentive
 
..."Metrics Framework to Drive Application Security Improvement" recently, and some thoughts started to gel about what types of web application security metrics are meaningful. This is going to be part 1 of 2 about the paper and software security metrics. In this first installment I comment on the metrics from the paper and provide what I believe...
 
Oh No! Security Metrics!

2008-04-18 12:43:00 by sdl in The Security Development Lifecycle
 
...metric we have. These comments are very important because there appears to be no more widely accepted security metric today, and while no perfect metrics exist, it's useful to have some objective data when trying to discuss this complex subject. Our customers constantly tell us to reduce the number of patches they need to apply to their...
 
Software Security Metrics and Commentary - Part 2

2007-10-23 20:31:00 by Security Retentive in Security Retentive
 
...metrics from the paper "A Metrics Framework to Drive Application Security Improvement". In part 2 of this piece I'll try to cover the remaining 5 metrics as well as discuss a few thoughts on translating survivability/Quality-of-Protection into upstream SDL metrics. First, onto the other five metrics from the paper. Injection Flaws: Again, I...
 
Metrics and Audience

2008-04-19 09:52:00 by Security Retentive in Security Retentive
 
...metrics. I chimed in on Pete's blog as well as on the Microsoft SDL blog; here is a little more. The fundamental confusion here is about the audience for the vulnerability numbers, and metrics in general. There are several audiences here: Microsoft's customers, competitors, and the public at large; security folks, especially software security...
 
How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle
 
...metrics, trying to objectively quantify and measure "How secure is secure?" is far more difficult than one might think. I'd like to share my perspective that there are two dimensions useful to consider when characterizing software security metrics: security functional requirements and security engineering quality requirements. While the SDL is...
 
Reputation Damage & Measurement

2008-08-22 14:33:56 by Alex in RiskAnalys.is
 
...metrics for the measurements, as well. Damage to things like corporate reputation and goodwill and brand equity can be difficult to wrap even reasonable dollar estimates around. (When I use FAIR, I really only care to use one metric when describing loss magnitudes: the almighty currency.) A complicating factor is the impact (or lack thereof) of...
 
Hansei and the CISO

2008-09-16 17:47:47 by Alex in RiskAnalys.is
 
...metric (or set of metrics) that answers these questions, we might call it something like "My Ability To Manage Risk", or MATMR for short. GETTING TO A STATE OF WISDOM: What's then missing is how you create a State of Wisdom around the State of Knowledge developed, your MATMR metric. That is, given the current State of Knowledge, how can I be most...
 
Larry Suto's Paper Drama

2008-01-02 14:53:30 by RSnake in ha.ckers.org web application security lab
 
...metric you probably should. Anyway, enough drama already! I'd suggest, for those of you who worry about alien abduction, if you have a problem with me, email me already, and I'll try to quench the voices in your head. Lastly and most importantly, happy new year to those using the Gregorian calendaring system.
 
The First Step on the Road to More Secure Software is admitting you have a Problem

2008-02-21 14:26:00 by sdl in The Security Development Lifecycle
 
...metric we have. When Bill Gates released his Trustworthy Computing Memo in 2002, many people thought it was just a marketing stunt. It was not a marketing stunt: BillG edicts are always taken very seriously inside Microsoft. In fact, I will go one step further; the only way you make big changes in a large software company is when the boss...
 
Vendor disk failure rates: Myth or metric?

2008-04-04 05:19:32 by Editor in Computerworld Security News