hi sc-l,

One of the problems we've faced more than once in our work at Cigital is 
misuse of good metrics.  A great example of a very useful metric that can be 
misused is cost per bug (or cost per defect if you are also interested in 
flaws).  We've seen CIO-level managers comparing pen testing to code review 
with a static analysis tool in terms of this metric---something that can be 
entirely misleading.  In order to combat that problem, we've been instantiating 
application assessment factories with our customers.

I briefly describe the concept (which was invented by John Steven) in my 
InformIT column this month.  Check it out:

http://www.informit.com/articles/article.aspx?p=1231818

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________