At 9:50 AM -0400 7/19/07, McGovern, James F (HTSC, IT) wrote:
> I would actually recommend AGAINST using prior track records for fixing
> previous vulnerabilities because in all honesty they probably don't
> track it. Most enterprises prioritize any type of defect based on the
> importance as de
By now, pretty much everyone is familiar with PCI and section 6, which
outlines the ten things an application must resolve. Many of the secure
coding tools such as Ounce Labs, Klocwork, etc. have automated the
ability to inspect code but have only focused on languages such as Java
and .NET. I would
I would actually recommend AGAINST using prior track records for fixing
previous vulnerabilities because in all honesty they probably don't
track it. Most enterprises prioritize any type of defect based on the
importance as declared by business users, who traditionally would
prioritize a spelling
I wish formulas were the solution to your question. The problem is that
the answer is heavily dependent upon the background of the C-level
executive. Some C-level executives have an analytical background, where
their backgrounds could have been actuarial, IT, statistics, etc., where
they would underst
At 8:53 AM -0700 7/18/07, McCown, Christian M wrote:
> What do you tell a C-level exec in terms of h/c and time it will take to
> fix web app vulnerabilities