In my humble opinion the OWASP AppSensor <http://www.owasp.org/index.php/OWASP_AppSensor_Project> is a much better start at a useful set of metrics. (At least for AppSec.)
--
Dennis Groves, MSc

On Mon, Feb 7, 2011 at 5:01 PM, Steve Lord <[email protected]> wrote:

> On 06/02/2011 15:58, Dave Aitel wrote:
>> So I was at a meeting last week, and one of the high ranking members
>> said something like this, which I'm sure you've heard before:
>>
>> Member: We've improved our communications by setting up this great
>> website! It allows us to communicate all our super-important and
>> highly confidential information. We had a marketing team put it
>> together so it looks really professional and nice and is easy to use.
>> We think this will really help our mission. Oh, and we had a friend of
>> a friend do a quick free security scan for us, so it's secure too.
>>
>> So here's my simple and 100% accurate metric: If you spent more on
>> your GUI than on your security, you don't have a secure application.
>> Start preparing for the PR fallout of your website getting hacked now.
>
> I think you're using an extreme example there, but there's definitely a
> correlation between the relative amount of money spent on security and
> the overall cost of a solution.
>
> I prefer questions like "Is your source code control based on copying
> folders on a file server and sticking _001, _002 on the end?" and "When
> did you stop beating your developers?" as gauges of how bad it's going
> to be.
>
> --
> Steve Lord
> Mandalorian Security Services
> w: http://www.mandalorian.com
> e: [email protected]
>
> Get the latest Information Security News at
> Infosec Update: http://news.mandalorian.com
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
