Gary, I would love a little refinement of the benefits to badnessometers. Let's 
say I get a tool to tell me something I already suspect is wrong, what 
percentage of the population are better than they expected? The reason why I 
ask this question is that in our culture if I have a sense something is wrong, 
it usually isn't that difficult to find metrics as to why it is bad and 
therefore may have the perception of crying wolf as there are lots of bad 
things in all IT systems. Sometimes, going from good to great is a better 
approach than fixing bad and going to good.

Is it better to do such a badness test by doing a POC with one of the tool 
vendors in this space, or do I get additional lift by going with a consulting 
firm in this regard (other than an opportunity to be schmoozed regarding 
subsequent engagements and reused PowerPoints and collateral from other gigs)?

What would it take to get some industry analyst coverage in this space? Lots of 
folks may be of the belief that it is a waste of time bothering but I would 
love to at least know if any of the firms here have at least made the effort.

-----Original Message-----
From: Gary McGraw [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 02, 2007 1:35 PM
To: McGovern, James F (HTSC, IT);
Subject: RE: [SC-L] Building Security In vs Auditing

Hi all,

Very good questions.  

I think a service like the one you describe would be useful mostly as a way of 
identifying the depth of the problem.  Simply wielding a tool as a consultant 
does nothing to train the guys creating bugs not to do so in the future...and 
so the market will correct that over time in an efficient way.  But the fact 
remains that many potential customers and users of static analysis tools have 
no idea how much of a mess they have.  An outsourcing approach could help with 
that.  They'll find out they need 'em.

I believe so strongly in the "do anything to get started" thing that I also 
endorse the use of (really amazingly silly) application security testing tools. 
I call these badnessometers (see chapter 1 of "Software Security"...and Ken's 
slides, for that matter).  But knowing that your web code sucks is better than 
remaining completely clueless.

In the end, tool integration *into dev* is the key to success with static 
analysis.  Many of our customers are having huge enterprise-wide success 
because they are learning to use, feed, tune, and train dev about these tools.  
The best are recycling the things they learn about their code back into 
training (and into better rules to enforce).


Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC as a free, non-commercial 
service to the software security community.