Saturday, May 22, 2010

When to fix low-priority items

There are two classes of security problems you need to fix.

The first is the "high priority" bugs, the ones with such severe consequences that you must fix them, even if they cost a lot to fix.

The other is the "low cost" bugs, the ones that cost so little to fix that it's worthwhile fixing them anyway, even when they pose no practical threat.

Programmers do this all the time. They fix "warnings" in their code simply to silence the warning-checker, even though there is no real problem with the code they've written.

Managing the process needs to be light-weight as well. Instead of individually tracked issues for every bug the programmer fixes in this manner, there should probably be a single bug in the tracking database for the whole report. The programmer is given a budget of time to fix as many of the warnings as they can, then at the end reports the number they fixed.
