
Measuring the Effectiveness of Application Security Policies

It's easy for software vendors to insist that their products are safe, simply by pointing to the small number of vulnerabilities detected. But, as David Chisnall notes, statistics lie: just because a package has few REPORTED vulnerabilities doesn't mean that it actually HAS few vulnerabilities, and a raw count says nothing about the severity of the holes that are reported. In this article Chisnall argues that the true measure of security is what happens once a vulnerability is found.

Choosing the Right Measure

There have been a lot of reports in the news recently about the relative security of different platforms. For the most part, the press uses completely uninformative measures, such as the number of vulnerabilities found in a given time period, a measure orthogonal to the number of vulnerabilities that remain. A discovery count depends as much on how many people are looking, and how hard, as on how many bugs actually exist. If 10 vulnerabilities are found in one program and 20 in another, this doesn't tell you anything about the number of vulnerabilities remaining in either.

The important question is not how many vulnerabilities are found, but what happens when one is discovered. It has been said that security is a process, not a state, but it’s also an attitude.
