[SC-L] application assessment factories
Gary McGraw
gem at cigital.com
Thu Jul 17 13:31:29 EDT 2008
hi sc-l,
One of the problems we've faced more than once in our work at Cigital is misuse of good metrics. A great example of a very useful metric that can be misused is cost per bug (or cost per defect if you are also interested in flaws). We've seen CIO-level managers comparing pen testing to code review with a static analysis tool in terms of this metric, something that can be entirely misleading. In order to combat that problem, we've been instantiating application assessment factories with our customers.
I briefly describe the concept (which was invented by John Steven) in my InformIT column this month. Check it out:
http://www.informit.com/articles/article.aspx?p=1231818
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com