[SC-L] Fwd: SCARE metrics and tool release

2007-11-30 Thread Kenneth Van Wyk
Reposted with permission, FYI... Cheers, Ken SC-L Moderator Begin forwarded message: From: Pete Herzog [EMAIL PROTECTED] Date: November 30, 2007 10:30:18 AM EST To: [EMAIL PROTECTED] Subject: SCARE metrics and tool release Hi, Scare, the Source Code Analysis Risk Evaluation tool for

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Shea, Brian A
IMO the path to changing the dynamics for secure coding will reside in the market, the courts, and the capacity of the software industry to measure and test itself and to demonstrate the desired properties of security, quality, and suitability for purpose. In today's market we do well in

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread der Mouse
Just as a traditional manufacturer would pay less tax by becoming greener, the software manufacturer would pay less tax for producing cleaner code, [...] And all of this completely ignores the $0 software market. Who gets hit with tax when a bug is found in, say, the Linux

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Kenneth Van Wyk
On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote: So he's not completely naive, though the history of security metrics and standards - which tend to produce code that satisfies the standards without being any more secure - should certainly give one pause. One could, I suppose, give rebates

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Steven M. Christey
On Fri, 30 Nov 2007, Shea, Brian A wrote: Software vendors will need a 3 tier approach to software security: Dev training and certification, internal source testing, external independent audit and rating. I don't think I've seen enough emphasis on this latter item. A sufficiently vibrant

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Leichter, Jerry
| Just as a traditional manufacturer would pay less tax by | becoming greener, the software manufacturer would pay less tax | for producing cleaner code, [...] | | One could, I suppose, give rebates based on actual field experience: | Look at the number of security problems