May I share another perspective?

1. The debate between open source vs. closed source in terms of security doesn't matter. Does anyone have any metrics that quantify the economics of writing better corporate software not for public consumption?
2. If you can't make the economic case, then you can possibly make the case of indexing yourself to others. I know folks' opinion here in terms of keeping up with the Joneses, but unless someone brainstorms a way for folks to do this, the economic case may never be made.

3. When one looks at metrics and, more importantly, maturity models, they almost always measure process and tend to avoid measuring either people and/or technology. If security folks figure out how to measure people, process and technology, then additional opportunities for secure coding practices may expose themselves.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________