Not so long ago, in the time when regulations and compliance initiatives did not mandate secure software development, making the case for organizations to adopt secure software processes as part of their software development efforts was always a challenge.
The motivators used to champion security initiatives in software development were fear, uncertainty and doubt (FUD), but this was not very effective. Telling management that something disastrous (fear) could happen that could cause the organization great damage (doubt) at any time (uncertainty) was not often well received, and security teams earned the reputation of being naysayers and traffic cops, impeding the business.
Organizations that were willing to accept high levels of risk often ignored security in the SDLC, and those which were more paranoid sometimes ended up with overly excessive implementations of security in their SDLC. Metrics take the FUD out of decision making and provide insight into the real state of security. Metrics also give the decision makers a quantitative and objective view of what their state of security is.