What do you tell a C-level exec in terms of h/c and time it will take to
fix web app vulnerabilities discovered in a website?

        X number of vulnerabilities = Y h/c and Z time.

Of course there's a host of factors/variables involved that could wind
up looking like actuarial tables or DNA sequences (!), but what we'd
like to be able to do is sum it up as an initial swag and let the app
owners use it as a factor in calculating the actual time to remediate.

Anyone done this or like to take a swipe?

Chris McCown, GSEC(Gold)
Intel Corporation
* (916) 377-9428 | * [EMAIL PROTECTED]

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.