Comments on: Dave Maynor has Saved the World!!

By: Andy Steingruebl

Andy Steingruebl — Sun, 20 Apr 2008 00:49:13 +0000

I wrote a piece about this because I think there is some confusion about who the metrics are for. Audience matters.

http://securityretentive.blogspot.com/2008/04/metrics-and-audience.html

By: Terje

Terje — Fri, 18 Apr 2008 16:10:15 +0000

Wow. You are an idiot. Why would you compare a not released version of Oracle with a Non-Released version of SQL. Umm. You wouldn’t. Whether your talking about Vulnerabilities bugs. You vet the code for all of these. You find these things before it’s release.

Oh, I get it. You’re an Open-Source fan and basically all Open-Source is ‘work-in-progress’ so …

And Andy… “in private during the development cycle” = you’ll never see it. Duh.

By: Patrick Boyd

Patrick Boyd — Fri, 18 Apr 2008 15:10:36 +0000

I think your missing one of the vital parts of SDL. Which is the focus on internal security testing and a focus on secure design (not just implementation). The fact that these catch security bugs or catch insecure features before they are released to customers reduce the number of total vulnerabilities in the release version which reduces the number of publicly disclosed vulnerabilities.

I think this is as good a metric as you can come up with to measure the success of the SDL.

By: Ryan Naraine

Ryan Naraine — Fri, 18 Apr 2008 12:13:13 +0000

dude, get on twitter and quit the moaning

PS: maynor is spectacularly wrong.

By: Andy

Andy — Thu, 17 Apr 2008 20:18:25 +0000

I’m with you Pete. Perhaps in this case Dave just can’t read?

Its quite simple really.

Software Security = number of vulns
Number of vulns found and publicly disclosed != software security

Seems like pretty simple logic.