[Owasp-codereview] Code Review Guide: Update

Marco M. Morana marco.m.morana at gmail.com
Fri May 30 22:18:33 EDT 2008



I think having a factor on effort addresses what clients want in the metrics
of penetration testing reports besides risk severity prioritization (based
on my previous experience in consulting with Foundstone/McAfee).


Also, please do not forget that these effort formulas are purely empirical
and as such not absolute and accurate. On the other hand we all know that a
declarative change is more effort intensive than a coding change and that a
design change is more effort intensive than all of the above. This is not rocket
science (even I would hope to) but common sense.


If we need more in-depth rationalization on software security metrics I can
provide a paper, but I think this is beyond the context on what we are looking




Marco M.



From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Friday, May 30, 2008 8:38 AM
To: Paolo Perego
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] Code Review Guide: Update


Hi, I do agree there are external factors but we can't take into account all
possible variations.

I think some simple formula for effort of work / winfactor would be really
useful and adopted by consultancy.


Let me know what you think.


On 30/05/2008, Paolo Perego <thesp0nge at gmail.com> wrote: 

2008/5/29 Eoin <eoin.keary at owasp.org>:
> Severity  * Effort required to fix  = Win Factor (Easy win to fix)
>  -> This maps to a grid severity Vs Effort (like a risk matrix) shaded
> should be addressed.

Eoin, don't you think that "Effort required to fix" depends on
unpredictable external factors (such as how many people the development
team is comprised of? how much skill the developers have?)? It will
be difficult (IMHO) to formalize a score for "fixing effort" in order
to use it for our Win Factor score.

What's your opinion about this?

About Taxonomy or Vulnerability categories, I started writing
something on paper yesterday and I hope this weekend to populate
some part of the wiki page so, Marco, I'll give the link and then we can
start a thread on the mailing list talking about this topic.

Ciao ciao

Eoin Keary OWASP - Ireland
