No Clearance for This Secret: Information Assurance is MORE Than Security

Author: · March 29, 2012 · Filed Under General  - 0 Comment(s)

John Keane’s presentation: Software Code Quality Checking (SCQC) No Clearance for This Secret: Information Assurance is MORE Than Security was a great learning experience for me and many in the audience of the recent CAST / Galorath seminar in the Washington DC area.

The most striking conclusions from my viewpoint were:

  • Most forms of testing only find about 35% of the bugs that are present

  • Static analysis prior to testing is very quick and about 85% efficient

  • Static analysis tools find many defects and code violations and have an ROI on any serious project

  • Use of static analysis tools BEFORE manual peer reviews (which shouldn’t be completely eliminated based on static analysis) reduces cost and increases reliability

  • Use static analysis tools before security analysis tools.  This reduces the effort in security analysis by a huge amount.

  • QUALITY is the biggest driver of sustainment cost
  • The FOUNDATION of SECURE software is QUALITY software.
  • Software Assurance is 5 parts Code Quality with 2 parts Software Security.
  • Code Quality scans should ALWAYS precede Security scans
  • Improves effectiveness and efficiency of the security scans (e.g., remove ‘false positives,’ focus on highest risks, etc.)
  • Recommended Best Practice
  • Validated by MULTIPLE reports and analyses based on hands-on experience
  • Discovers risks in addition to security (e.g., performance)

John points out that Static code analysis, Static security analysis, Dynamic code analysis, Dynamic security analysis, and Architectural analysis are all helpful in building secure software.

 

Thank you for reading “Dan on Estimating”, if you would like more information about Galorath’s estimation models, please visit our contact page, call us at +1 310 414-3222 or click a button below to ask sales questions, sign up for our free library or schedule a demo.

This post was written by

Dan Galorath – who has written posts on Project Planning & Estimation.
Dan Galorath is the President and CEO of Galorath Incorporated and the chief architect of SEER-SEM, an algorithmic project management software application. He is a recognized expert in the fields of software estimation and sizing and the author of Software Sizing, Estimation, and Risk Management.

Email  • Google + • Facebook  • Twitter

Related posts:

  1. Quality Assurance As The Scapegoat.. And Putting Quality In The Hands of Developers I was at a best practices seminar in Toronto today. Great talks. But the most interesting talk was about the...
  2. Real Quality Assurance By Tom Gilb Tom is a real software visionary.. .Actually, Tom is the person I credit with coining the term “software metrics” many years...
  3. Common Criteria For Security SEER estimates the costs of the various levels of the common criteria (Common criteria for Information Technology Security Evaluation [CC]) ...
  4. Information Systems Risk Management Consortium: Capers Jones, Gary Gack, Leon Kappelman, Dan Galorath The consortium is the result of four of the industry’s leaders (Capers Jones, Gary Gack, Leon Kappelman, Dan Galorath) deciding to...
  5. More Software Project Failure / Challenge Information From CAI Bob Lawhorn of CAI, one of my favorite speakers, had a list of recent software project failure information.  Poorly defined...

Comments