At 10:51 PM 29/08/2007, McGovern, James F (HTSC, IT) wrote:

>- So when a vendor says that they are focused on quality and not
>security, and vice versa what exactly does this mean? I don't have a
>great mental model of something that is a security concern that isn't a
>predictor of quality. Likewise, in terms of quality, other than
>producing metrics on things such as depth of inheritance, cyclomatic
>complexity, etc wouldn't bad numbers here at least be a predictor of a
>bad design and therefore warrant deeper inspection from a security

My opinion is that security and quality are inherently related. Poor 
security indicates poor design, poor testing etc  poor quality 
management tends to result in poor application security..

In fact two jobs ago I used this argument to implement security at a 
company who was extremely strong in quality (5% of the workforce 
belonged to the quality dept). I've also found that using "quality" 
tools such as FMECA etc for security assessments works very easily.


Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to