At 12:34 PM -0400 5/23/07, McGovern, James F (HTSC, IT) wrote: > If one can produce a metric, scorecard or other terms attractive to > modern IT executives, it is certainly more attractive than engineering > practices they don't understand.
A good metric would be what development process was used in development. "Relying exclusively on component reuse" might seem attractive to the accountants, but more thorough analysis would say it is not the solution to all problems. > Audit-oriented thinking also allows folks to put clauses into contracts > when enterprises procure software from third-parties and can mandate scans > by multiple tools that produce a score below say X Racing sailboat rigging gets periodic X-ray (or magnetic flux, I forget) scanning to find developing cracks. I presume the same is true for some types of aircraft. Certainly it is better to find the _cause_ of fatigue since it is possible to have a defect not caught by the scan. > while what you are proposing is a lot harder and requires more trust > when third parties are involved. How is trust involved ? Are you saying that vendors would lie about the kind of software development methodology they can use ? -- Larry Kilgallen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
