Secure Coding mailing list archives
Re: Application Security Debt and Application Interest Rates
From: Chris Wysopal <cwysopal () veracode com>
Date: Mon, 7 Mar 2011 07:51:27 -0500
Once you have a model and some rough data sources you can iterate and attempt precision that is usable. I agree that the precision isn't there yet (my scientific way of saying "smoke and mirrors") but I won't rule out that this can get good enough to be used for decision making. There are decisions being made on app sec spending but it is ad hoc right now. Organizations are spending money on app sec and they are also spending money on cleaning up breaches. They do think about reducing breach costs to the organization. This model can help them do that.

-Chris

-----Original Message-----
From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Johan Peeters
Sent: Sunday, March 06, 2011 12:53 PM
To: SC-L () securecoding org
Subject: Re: [SC-L] Application Security Debt and Application Interest Rates

Security debt seems to me a very useful concept. Thanks, Chris.

As I pointed out in my blog post (http://www.artima.com/weblogs/viewpost.jsp?thread=320875), I do not believe in quantitative models though. Clearly, it is interesting to try to nail the factors that contribute to the cost and to establish whether it is cheaper to pay back or service the debt, but to put numbers on these costs is smoke and mirrors imho.

kr,

Yo

On Sun, Mar 6, 2011 at 6:19 PM, Sammy Migues <SMigues () cigital com> wrote:
Just in case others have missed it, there's a response from Russell Thomas on the New School blog at http://newschoolsecurity.com/2011/03/fixes-to-wysophal’s-application-security-debt-metric/.

From: sc-l-bounces () securecoding org [mailto:sc-l-bounces () securecoding org] On Behalf Of Chris Wysopal
Sent: Friday, March 04, 2011 7:38 PM
To: SC-L () securecoding org
Subject: [SC-L] Application Security Debt and Application Interest Rates

I have a couple of blog posts modeling application vulnerabilities the way you might think of technical debt.

Part I: Application Security Debt and Application Interest Rates
http://www.veracode.com/blog/2011/02/application-security-debt-and-application-interest-rates/

Part II: A Financial Model for Application Security Debt
http://www.veracode.com/blog/2011/03/a-financial-model-for-application-security-debt/

-Chris

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
--
Johan Peeters
http://johanpeeters.com
Current thread:
- Application Security Debt and Application Interest Rates Chris Wysopal (Mar 06)
- Re: Application Security Debt and Application Interest Rates Sammy Migues (Mar 06)
- Re: Application Security Debt and Application Interest Rates Johan Peeters (Mar 06)
- Re: Application Security Debt and Application Interest Rates Chris Wysopal (Mar 07)
- Re: Application Security Debt and Application Interest Rates Johan Peeters (Mar 06)
- Re: Application Security Debt and Application Interest Rates Sammy Migues (Mar 06)