Measuring the Effectiveness of Application Security Policies
Choosing the Right Measure
There have been a lot of reports in the news recently about the relative security of different platforms. For the most part, the press uses completely uninformative measures, such as the number of vulnerabilities found in a given time period—a measure orthogonal to the number of vulnerabilities remaining. Finding 10 vulnerabilities in one program and 20 in another tells you nothing about how many remain in either.
The important question is not how many vulnerabilities are found, but what happens when one is discovered. It has been said that security is a process, not a state, but it’s also an attitude.