> That said, we should keep trying! I believe one answer is to take advantage
> of relative metrics over time.
I agree that this can be a practical starting point for organizations. I had a client starting down the path with static analysis; they have thousands of developers and many applications. They have a small software security team and they obviously cannot scan every single app. Worse, if they find something, they don't necessarily have the governance in place to make sure that a lot of what they find gets addressed. So what we did was to get the CIO to give them one silver bullet a month. They scanned 8-10 apps per month, and whichever one came up worst based on the metrics in the group had to remediate.

This approach has some incremental benefits:
1) it gets security out of the "it's perfect or it's broken" business
2) at least one project per month makes measurable improvements
3) the projects are not being compared to an ivory tower but rather to their peers who have to deliver under the same constraints, making the suggested remediations more palatable to the developers.

There is no way to relativity, relativity is the way.

-gp

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________