Sunday, May 3, 2015

The importance of Security Metrics

Not so long ago, when regulations and compliance initiatives did not yet mandate secure software development, making the case for organizations to adopt secure software processes as part of their development efforts was always a challenge.
The motivators used to champion security initiatives in software development were fear, uncertainty and doubt (FUD), but this was not very effective. Telling management that something disastrous (fear) could happen that would cause the organization great damage (doubt) at any time (uncertainty) was not often well received, and security teams earned the reputation of being naysayers and traffic cops impeding the business.
Organizations that were willing to accept high levels of risk often ignored security in the SDLC, and those that were more paranoid sometimes ended up with overly excessive implementations of security in their SDLC. Metrics take the FUD out of decision making and provide insight into the real state of security. Metrics also give decision makers a quantitative and objective view of what their state of security is.
