> > starting with establishing values and metrics maybe can help - e.g.
> > osstmm rav with scare?
>
> I tried to integrate ISECOM's scare (Source Code Analysis Risk Evaluation)
> into the Fedora Security Lab, but because scare is licensed cc-by-nd as a
> software licence we could not.
>
> Even if it is not the newest, the Secure Programming Standards Methodology
> Manual SPSMM is maybe also worth a look.
>
> http://www.isecom.org/research/osstmm.html
> http://www.isecom.org/research/spsmm.html
> http://www.isecom.org/research/scare.html

I think using whatever exists is ideal, but in this instance we can't really
use those things (we may be able to build some similar things ourselves
though).

This is one of the challenges we currently see in this area. There are A LOT
of programs and projects and resources, but some aren't well licensed. Some
are expensive, some are just plain bad. If someone knows of a good resource,
be sure to speak up.

The whole goal here is to keep communication flowing in the security space.
If you know of something interesting, be sure to speak up.

Thanks.

-- 
Josh Bressers / Red Hat Product Security Team

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security