[Owasp-codereview] Code Review Guide: Update

Sameer Kr Mishra, Noida sameerk.mishra at hcl.in
Mon Jun 2 01:17:14 EDT 2008

It is a challenging task ahead, as a simple change in any of the stages
leads to a hike in the project cost. Hence, a measure should be taken so
as to check the vulnerability of the efforts that are being chosen to
make these changes.


Yah, I do agree Marco, the formulas are really empirical. It has no
correspondence to the declarative change or the effort made. A change in
the previous stages of SCM will lead to higher cost than that of the
later stages.


A proper code review with the effective implementation is really a great
task ahead! Yah, it's challenging too.


Let's have mock-ups on that so that we can share the ideas between us.




Sameer Kumar Mishra 



From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Marco M.
Sent: Saturday, May 31, 2008 7:49 AM
To: 'Eoin'; 'Paolo Perego'
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update




I think having a factor on effort addresses what clients want in the
metrics of penetration testing reports besides risk severity
prioritization (based on my previous experience in consulting with


Also, please do not forget that these effort formulas are purely
empirical and as such not absolute and accurate. On the other hand we
all know that a declarative change is more effort intensive than a
coding change and that a design change is more effort intensive than all
above. This is not rocket science (even I would hope to) but common


If we need more in-depth rationalization on software security metrics I
can provide a paper, but I think this is beyond the context of what we are
looking for.




Marco M.



From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Friday, May 30, 2008 8:38 AM
To: Paolo Perego
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update


Hi, I do agree there are external factors, but we can't take into account
all possible variations.

I think some simple formula for effort of work / win factor would be
really useful and adopted by consultancy.


Let me know what you think.


On 30/05/2008, Paolo Perego <thesp0nge at gmail.com> wrote: 

2008/5/29 Eoin <eoin.keary at owasp.org>:
> Severity * Effort required to fix = Win Factor (Easy win to fix)
>  -> This maps to a grid severity vs Effort (like a risk matrix); shaded
> should be addressed.

Eoin, don't you think that "Effort required to fix" depends on
non-predictable external factors such as how many people the development
team is comprised of, or how skilled the developers are? It will
be difficult (IMHO) to formalize a score for "fixing effort" in order
to use it for our Win Factor score.

What's your opinion about this?

On the Taxonomy or Vulnerability categories, I started writing
something on paper yesterday and I hope this weekend to populate
some part of the wiki page, so Marco, I'll give the link and then we can
start a thread on the mailing list talking about this topic.

Bye bye

Eoin Keary OWASP - Ireland
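An added example, not code from this thread or from the OWASP Code Review Guide, that puts Eoin's Severity-vs-Effort grid into a small triage script. The 1..5 severity scale, the 1..3 effort scale by change type (coding, declarative, design, in the order Marco's message gives them), and the reading of "easy win" as severity divided by effort are all assumptions of this example.

```python
# Added example, not code from the OWASP thread: "win factor" triage of
# code-review findings on the Severity-vs-Effort grid discussed above.
# Assumptions: severity is scored 1..5; effort to fix is scored 1..3 by
# change type, design changes being the costliest; "easy win" is read as
# high severity with low effort, so the score is severity / effort.
from dataclasses import dataclass
from fractions import Fraction

EFFORT = {"coding": 1, "declarative": 2, "design": 3}  # assumed scale


@dataclass(frozen=True)
class Finding:
    name: str
    severity: int      # 1 (low) .. 5 (critical)
    change_type: str   # key of EFFORT

def win_factor(f: Finding) -> Fraction:
    """Higher means a better 'easy win': severe and cheap to fix."""
    if not 1 <= f.severity <= 5:
        raise ValueError(f"severity out of range: {f.severity}")
    return Fraction(f.severity, EFFORT[f.change_type])

def rank(findings):
    """Findings in the order they should be addressed."""
    return sorted(findings, key=lambda f: (-win_factor(f), -f.severity, f.name))

def grid(findings):
    """Severity-vs-effort matrix: {(severity, effort): [finding names]}."""
    cells = {}
    for f in findings:
        cells.setdefault((f.severity, EFFORT[f.change_type]), []).append(f.name)
    return cells

def shaded(findings, min_severity=4, max_effort=2):
    """The cells the thread proposes shading: severe and cheap to fix."""
    return [f.name for f in rank(findings)
            if f.severity >= min_severity and EFFORT[f.change_type] <= max_effort]

# Constructed sample findings, for illustration only.
SAMPLE = [
    Finding("SQL injection in search form", 5, "coding"),
    Finding("Session cookie missing HttpOnly", 2, "declarative"),
    Finding("Authorization bypass via direct object references", 5, "design"),
    Finding("Verbose error pages", 1, "declarative"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{float(win_factor(f)):.2f} sev={f.severity} "
              f"effort={EFFORT[f.change_type]} {f.name}")
```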


