Security debt seems to me a very useful concept. Thanks, Chris.
As I pointed out in my blog post
(http://www.artima.com/weblogs/viewpost.jsp?thread=320875), I do not
believe in quantitative models though. Clearly, it is interesting to
try to nail the factors that contribute to the cost and to establish
whether it is cheaper to pay back or service the debt, but to put
numbers on these costs is smoke and mirrors imho.

kr,

Yo

On Sun, Mar 6, 2011 at 6:19 PM, Sammy Migues <smig...@cigital.com> wrote:
> Just in case others have missed it, there’s a response from Russell Thomas
> on the New School blog at
> http://newschoolsecurity.com/2011/03/fixes-to-wysophal’s-application-security-debt-metric/.
>
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
> On Behalf Of Chris Wysopal
> Sent: Friday, March 04, 2011 7:38 PM
> To: SC-L@securecoding.org
> Subject: [SC-L] Application Security Debt and Application Interest Rates
>
> I have a couple of blog posts modeling application vulnerabilities the way
> you might think of technical debt.
>
> Part I: Application Security Debt and Application Interest Rates
>
> http://www.veracode.com/blog/2011/02/application-security-debt-and-application-interest-rates/
>
> Part II: A Financial Model for Application Security Debt
>
> http://www.veracode.com/blog/2011/03/a-financial-model-for-application-security-debt/
>
> -Chris
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
-- 
Johan Peeters
http://johanpeeters.com
