Mark Curphey mark at curphey.com
Tue Mar 16 00:27:28 EST 2004

I know Carl was including a Principle that you should measure your testing.
I think there are lots of reasons for this that we can spell out including
improving educational effectiveness, understanding more vulnerable
applications and components etc. 

I have been working on this a lot with clients recently, and measuring code
(KLOCs) and pen testing (which needs a good classification scheme like OASIS WAS,
shameless plug) is somewhat easier than measuring security at the requirements
and design stages.

Has anyone ever seen any work, or have any thoughts, on measuring security at
that stage of development?

