<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Show 026 - An Interview with Adam Shostack</title>
	<atom:link href="http://www.cigital.com/silverbullet/show-026/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cigital.com/silverbullet/show-026/</link>
	<description>In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security &#38; Privacy Magazine.</description>
	<pubDate>Wed, 03 Dec 2008 07:10:57 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: Stephen Craig Evans</title>
		<link>http://www.cigital.com/silverbullet/show-026/#comment-29299</link>
		<dc:creator>Stephen Craig Evans</dc:creator>
		<pubDate>Fri, 23 May 2008 04:32:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.cigital.com/silverbullet/show-026/#comment-29299</guid>
		<description>Another home run, Gary, but it could have been twice as long! I'm looking forward to getting the book.

In general, I think we are getting to the same point in time (and maturity) as some of the BSVs (Big Security Vendors) who still put out white papers that profoundly point out that software security is important. Meaning, we know that we need metrics to measure effectiveness and to be able to decide where to spend the money (also brought up by Mary Ann Davidson in your podcast with her).

I guess I should go check out what the Metrics Guys are doing (revisit Jaquith's book, check out Metricon, etc). They're probably a couple of years ahead of me.

I wonder why, as a community, we aren't talking more about application classification. I have seen only this paper:
The Importance of Application Classification in Secure Application Development
http://www.webappsec.org/projects/articles/041607.shtml

It seems that would be a first step in putting price tags on software security efforts. And software security pros would have that knowledge, especially consultants that do different types of engagements.

Keep 'em coming,
Stephen</description>
		<content:encoded><![CDATA[<p>Another home run, Gary, but it could have been twice as long! I&#8217;m looking forward to getting the book.</p>
<p>In general, I think we are getting to the same point in time (and maturity) as some of the BSVs (Big Security Vendors) who still put out white papers that profoundly point out that software security is important. Meaning, we know that we need metrics to measure effectiveness and to be able to decide where to spend the money (also brought up by Mary Ann Davidson in your podcast with her).</p>
<p>I guess I should go check out what the Metrics Guys are doing (revisit Jaquith&#8217;s book, check out Metricon, etc). They&#8217;re probably a couple of years ahead of me.</p>
<p>I wonder why, as a community, we aren&#8217;t talking more about application classification. I have seen only this paper:<br />
The Importance of Application Classification in Secure Application Development<br />
<a href="http://www.webappsec.org/projects/articles/041607.shtml" rel="nofollow">http://www.webappsec.org/projects/articles/041607.shtml</a></p>
<p>It seems that would be a first step in putting price tags on software security efforts. And software security pros would have that knowledge, especially consultants that do different types of engagements.</p>
<p>Keep &#8217;em coming,<br />
Stephen</p>
]]></content:encoded>
	</item>
</channel>
</rss>
