Software Security Metrics
This point is well taken. In my May 12, 2008 column “Metrics Revisited – Application Security Metrics,” I begin by stating that “… there aren’t any good [application security metrics].” I am still concerned that current metrics do not actually measure the security strength of software. Significant work needs to be done in this area in order to come up with truly useful metrics.
Involving QA and Audit
Getting anybody involved in application security has always been a challenge. I have often told the story of the difficulties I had in getting the long-time head of an IT project management office to agree to include security in the SDLC (System Development Lifecycle); the end result was that he wouldn't agree to it at all. I have always asserted that Quality Assurance should be brought in at the start of any development project and kept in the loop all along. The QA analysts also need to be on a par with developers in regard to secure software development if they are to do an adequate job.
The same goes for the auditors. It’s bad news when auditors first see a critical application in a post-implementation review. They need to be in on the design stage and follow through on development and testing. That way concerns are voiced early enough in the process for cost-effective changes – the heart of the build-security-in concept – rather than having to engage in costly bolt-on solutions. For this to be successful, the auditors need to be open to this kind of involvement.
