How can an organization measure web application security?
When setting out to measure the security of a web application, there are a number of elements to consider. Direct measurements include the type of vulnerabilities as well as the presence of important security features, although information can also be gathered with an appraisal of the teams, policies, processes, and additional technologies that support the development effort. These indirect measures of an organization are highly predictive of whether an organization’s products are secure or not. Attributes that should be measured at the project level include security procedures in the software development lifecycle, development and testing technology, project personnel, and management structure. This information can be gathered by interviewing project participants, reviewing project documentation, evaluating training classes, or even by asking developers during security verifications. Attributes that should be measured at the organizational level include training programs, procedures f
