Secure Coding mailing list archives
Metrics
From: arian.evans at anachronic.com (Arian J. Evans)
Date: Fri, 5 Feb 2010 08:50:37 -0800
In the web security world it doesn't seem to matter much. Top(n) Lists are Top(n). There is much ideological disagreement over what goes in those lists and why, but the ratios of defects are fairly consistent, both with managed code and with "scripting" languages.

The WhiteHat Security statistics report provides some interesting insights into this, particularly the last one. It's one of the only public stats reports out there for webappsec that I know of.

I have observed what I've thought to be differences anecdotally, but when we crunch the numbers on a large scale, they average out and issue ratios are fairly consistent. Which shows you the dangerous power of anecdotes, and statistically small samples, to be misleading.

---
Arian Evans
Software Security Statistician

On Fri, Feb 5, 2010 at 7:07 AM, McGovern, James F. (eBusiness) <James.McGovern at thehartford.com> wrote:
> > Here's an example. In the BSIMM, 10 of 30 firms have built top-N buglists based on their own data culled from their own code. I would love to see how those top-n lists compare to the OWASP top ten or the CWE-25. I would also love to see whether the union of these lists is even remotely interesting.
>
> One of the general patterns I noted while providing feedback to the OWASP Top Ten listserv is that top ten lists do sort differently. Within an enterprise setting, it is typical for enterprise applications to be built on Java, .NET or other compiled languages, whereas if I were doing an Internet startup I may leverage more scripting approaches. So, if different demographics have different behaviors, what would a converged list or even a separate list tell us?

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________