Thursday, 27 September 2007

Q: How much of the development budget should be spent on security? A: 2%

Yesterday at the Software Quality Conference in Zurich, we gave a keynote on Measuring Security and discussed this very interesting topic from different points of view (the attacker's view, the suit's view, the geek's view, etc.). It was great to see that the quality community has a very natural attitude toward security and that many quality assurance concepts can be applied to measuring security aspects, too.

At the end of the talk, we were asked how much of the development budget should be spent on security. After a short pause for thought, the answer was "2%". An interesting discussion followed: we asked how many people had planned more than, exactly, or less than 2% (including 0%). A further category was the few people who simply did not know their security budget.

The beauty of defining such a budget for security lies in 2 (maybe more) things. First, it makes people think about whether they considered security in the development lifecycle at all. Second, it lets you gather experience, see whether (in this case) 2% is enough, and adjust the value according to your needs.

We'd be interested in your thoughts and your experiences regarding the big question "how much security is enough?".
