[Owasp-leaders] Metrics

James McGovern JMcGovern at virtusa.com
Tue Nov 30 11:09:01 EST 2010


I think I am saying that the label used shouldn’t be the OWASP Top Ten but should be the contents of the Web Application Security Framework Manifesto. When you look at food, you look at its composition, not its impact. For example, you would see things like sugar (ingredient) but you wouldn’t see things like diabetes (outcome if you consume too much of an ingredient). The Top Ten are things that can occur either when ingredients are missing (input validation) or are defective (e.g. broken auth models).


Nowadays, if you walk into a grocery store such as Whole Paycheck, Big Y, Stop & Shop, etc. you will see that they also provide a methodology that translates health into a single number where the scale is 1 (bad) to 100 (good). A consumer needs to be able to tell that eating a banana is more healthy than eating a whole box of Little Debbie’s Oatmeal Cream Pies (my favorite food).


Anyway, I think what I am noodling is the value of OWASP creating a data warehouse along the lines of data.gov where <<consumers>> can mine security data and form their own conclusions…


James McGovern
Insurance SBU 

Virtusa Corporation

100 Northfield Drive, Suite 305 | Windsor, CT | 06095

Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890  

<http://www.virtusa.com/> | <http://www.virtusa.com/blog/> | <https://twitter.com/VirtusaCorp> | <http://www.linkedin.com/companies/virtusa> | <http://www.facebook.com/VirtusaCorp>


From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Monday, November 29, 2010 2:36 PM
To: owasp-leaders at lists.owasp.org
Cc: James McGovern
Subject: RE: [Owasp-leaders] Metrics


Hi James,


I studied a number of different labeling regimes and presented the results at OWASP AppSec DC 2010.  Here are the slides and what I intended to say is in the notes.


http://www.owasp.org/images/1/17/2010-11_OWASP_Software_Labels.pptx


The key finding from my research is that the content of the label doesn’t really matter that much. Even though it seems like the point is to inform the consumer, that doesn’t work very well.  Actually what you end up doing is affecting the producers.  Which is probably what we wanted to achieve in the first place.


You can try my “Security Facts” label generating software at:


https://www.aspectsecurity.com/SecurityFacts


Have fun!


--Jeff


Jeff Williams, Chair

The OWASP Foundation

work: 410-707-1487

main: 301-604-4882
