I am attempting to figure out how other Fortune enterprises have gone about
selling the need for secure coding practices and can't seem to find the answer
I seek. Essentially, I have discovered that one of a few scenarios exists: (a)
the leadership chain was highly technical and intuitively
Very interesting. Crispin is in the throes of big software. Anybody want to
help me mount a rescue campaign from Jamaica?
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
-Original Message-
From: Crispin Cowan
Gary McGraw wrote:
I'm not sure Vista is bombing because of good quality. That certainly would
be ironic.
Word on the way down in the guts street is that Vista is too many things
cobbled together into one big kinda functioning mess.
I.e. it is mis-featured, and lacks on some
Crispin Cowan wrote:
Crispin, now believes that users are fundamentally what holds back security
I was once berated on stage by Jamie Lewis for sounding like I was
placing the blame for poor security on customers themselves.
I have moved on, and believe, instead, that it is the economic
In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's
"The Security Development Lifecycle", ISBN 9780735622142
http://www.microsoft.com/mspress/books/8753.aspx
It is simply the best text I've read in a long time.
You may be interested in the work Mark Curphey et al. are doing
Ed Reed wrote:
Crispin Cowan wrote:
Crispin, now believes that users are fundamentally what holds back security
I was once berated on stage by Jamie Lewis for sounding like I was
placing the blame for poor security on customers themselves.
Fight back harder. Jamie is wrong.
Andrew, James,
Agreed, Microsoft has put some interesting thoughts out in their SDL
book. Companies that produce a software product will find a lot of
this approach resonates well. IT shops supporting financial houses
will have more difficulty. McGraw wrote a decent blog entry on this
On Mon, 19 Mar 2007, Crispin Cowan wrote:
Since many users are economically motivated, this may explain why users
don't care much about security :)
But... but... but...
I understand the sentiment, but there's something missing in it. Namely,
that the costs related to security are not really