Yet another perspective. I believe that this question may be somewhat
flawed as it doesn't take into consideration certain demographic
challenges. Right now the model seems to be based on either being
academic (sitting through a semester of some old fog with no real-world
experience blabbering
We are NOT craftsmen by any stretch of the imagination. If you have ever
worked in a large enterprise, the ability to change roles and be fluid
in one's career is rewarding yet has unintended consequences.
If I went to my boss tomorrow and said that I no longer want to be an
architect and
Are there any industry metrics that indicate what percentage of
full-time software developers actually learned coding in a university
setting? I actually learned in high-school, focused on business
administration in college (easiest major on the planet) and
learned/matured on the job. Likewise, I
Here is where my enterpriseyness will show. I believe the answer to the
question of where secure coding belongs in the curriculum is somewhat
flawed and requires addressing the curriculum holistically.
If you go to art school, you are required to study the works of the
masters. You don't attempt
The market for doing freelance writing has all but disappeared. You
could consider writing a book but you would probably earn more money
working at McDonald's bagging fries than writing. In terms of
presentations, most conferences/events also do not pay. If you managed
to however put together
The Hartford Chapter of OWASP is pleased to announce Scott Ambl
Some questions that I would have asked:
1. The trend towards offshoring software development is increasing. When
do you think customers will be able to have confidence in the ability of
outsourcing vendors to develop secure software without it being
considered a special service?
2. Do you think
Asking about security in terms of an RFP is a big joke and reminds me
of tactics I used in sixth grade when I used to figure out creative ways
of answering a question by turning the question into an answer. One has
to acknowledge that RFPs are not authoritative and are usually completed
by sales
From: Jim Manico [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2008 4:44 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] FW: How Can You Tell It Is Written Securely?
I think adding clear security requirements at the contractual level
Some other thoughts that I haven't heard others mention?
1. OK, if you find that they didn't meet all the security requirements,
will your business customers still want you to put it into production
anyway? If the answer is yes, do you still want them to support it? How
do we quantify who is
Awhile back, I got asked the same question and realized that at some
level the question is flawed. Many large enterprises have standards
documents that sit on the shelf and the need to create more didn't feel
right. Instead, we feel to the posture that we should inverse the
problem and instead
The framework that Pravir put together is pretty good. Brian and I did
have a conversation awhile back regarding donating it to OWASP for
continuation. I plan on making our firm one of the public case studies
once they contribute.
-Original Message-
From: [EMAIL PROTECTED]
OWASP needs your help with a new important project.
We're creating the OWASP Application Security Desk Reference (ASDR) to
capture and organize all the foundational knowledge in application
security. Like the Physicians' Desk Reference for doctors, this book is
a well-organized reference work
I am launching the Hartford CT area chapter of OWASP and figured I
would ask if anyone on this list is from my side of town. Likewise, if
you know of others that would like to attend our users group, have them
subscribe to our mailing list: http://www.owasp.org/index.php/Hartford
I am pretty
The vast majority of IT executives are unfamiliar with all of the
principles of security, firewalls, coding, whatever.
Are they unfamiliar because of background, or do they feel that their staff
has a handle on it and therefore don't need to pay much attention to it?
Both have different
I have observed an interesting behavior in that the vast majority of IT
executives still haven't heard about the principles behind secure
coding. My take says that we are publishing information in all the wrong
places. IT executives don't really read ACM, IEEE or the other sporadic
postings from
I publicly support Gunnar's assertion that folks in large enterprises
need to get together as a collective to drive secure coding practices.
If you know of others, please do not hesitate to have them connect to me
via LinkedIn (I am bad with managing contact information) and I will
most certainly
I was thinking that there is an opportunity for us otherwise lazy
enterprisey types to do our part in order to promote secure coding in an
open source way. Small vendors tend to be filled with lots of folks that
know C, Java and .NET but may not have anyone who knows COBOL.
Minimally, they
One thing that I firmly believe is that process is not a substitute for
competence. Imagine taking lots of overweight IT guys and training them to ride
a horse. That doesn't mean that they will go on to become successful horse
jockeys and you would be dumb to bet on them.
In terms of
Upon reading this, I had several thoughts come to mind:
1. If we are to truly solve the last mile, we need to also choose more
mainstream conferences such as STPCon (http://www.stpcon.com) since they
also have an associated magazine (Software Test and Performance) which
may stimulate more
My general observation of training firms in this area is that they all
tend to use freelance trainers who float between the firms. The notion
of customized courseware is something they sell as a feature but
honestly feels more like a way to avoid actually developing consistent
training approaches
Many folks have talked about certification of individuals but is there
merit in noodling the notion of a security maturity model? What if
end-customers could rank their software vendors in a transparent manner
in the same way that outsourcing firms pursue CMMi?
The notion of third-party
I wish formulas were the solution to your question. The problem is that
the answer is heavily dependent upon the background of the C-level
executive. Some C-Level executives have an analytical background where
their backgrounds could have been actuarial, IT, statistics, etc where
they would
I would actually recommend AGAINST using prior track records for fixing
previous vulnerabilities because in all honesty they probably don't
track it. Most enterprises prioritize any type of defect based on the
importance as declared by business users who traditionally would
prioritize a
I was thinking, instead of the next frontier, how about another
frontier? Many software vendors pretend that the entire world is either
Java or .NET without acknowledging that all of the really good data in
many enterprises is sitting on a big ugly mainframe running COBOL, IMS,
PL/1, etc. It is
To: Secure Coding
Subject: Re: [SC-L] The Next Frontier
On 6/26/07 5:00 PM, McGovern, James F (HTSC, IT)
[EMAIL PROTECTED] wrote:
Would there be value in terms of defining an XML schema that all tools
could emit audit information to?
You might want to take a look at what
Jerry Leichter commented on flaws in scanning tools but I have a
different question. Lots of folks love to attack MS while letting other
vendors off the hook. Is there merit in terms of comparing vendor
offerings within a particular product line? For example, is EMC's
Documentum product more secure
The next problem to be solved is moving higher up the food chain by teaching
architects secure architecture principles. Would love to see Gary McGraw tackle
this subject in his next book...
From: [EMAIL PROTECTED] on behalf of Kenneth Van Wyk
Sent: Sun
I really hope that this email doesn't generate a ton of offline emails and hope
that folks will talk publicly. It has been my latest thinking that the value of
tools in this space are not really targeted at developers but should be
targeted at executives who care about overall quality and
is also equally useful.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steven M. Christey
Sent: Tuesday, May 22, 2007 12:53 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] Tools: Evaluation Criteria
On Tue, 22 May 2007
We will shortly be starting an evaluation of tools to assist in the secure
coding practices initiative and have been wildly successful in finding lots of
consultants who can assist us in evaluating but absolutely zero in terms of
finding RFI/RFPs of others who have travelled this path before
I agree. The two that I feel should be next in terms of developing
certifications around are:
- How to describe misuse cases and dangerous omissions for people writing
functional specifications: This is highly applicable in outsourcing
environments including the Federal Government
- Strong
members here will also be in attendance at the TechForum in NYC
(http://www.techforum.com/sf2007_1/index.html) would love to hook up for lunch.
-Original Message-
From: Gary McGraw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 16, 2007 4:26 PM
To: McGovern, James F (HTSC, IT); 'SC-L
McGraw [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 24, 2007 11:24 AM
To: McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] How big is the market?
Got it. I like dr. dobbs OK. Do you see that one around? It has
software security content every once in a while. What
FYI. Awhile back I mentioned the Technology Managers Forum in which I am a
participant. The agenda is finalized and secure coding practices was the number
one topic: http://www.techforum.com/sf2007_1/index.html For product vendors and
consulting firms that want access to key decision makers,
Would it be possible for upcoming episodes to have an individual who is
directly employed by a Fortune enterprise whose primary business model isn't
technology? Way too many software vendors, consultants and folks from academia.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
One thing that I can say is that vendors sometimes are doing themselves a
disservice in terms of getting software security to grow even faster. Currently
anything that has the word security in it automatically gets redirected to
information protection types in large enterprises who usually are
http://www.bookpool.com/sm/1590597842
Any thoughts positive and negative on this book?
-Original Message-
From: Gary McGraw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 10:01 AM
To: McGovern, James F (HTSC, IT); SC-L@securecoding.org
Subject: RE: [SC-L] Darkreading: compliance
Hi all,
Another big momentum machine for software security (and data
To: McGovern, James F (HTSC, IT)
Subject: Need Sec Forum speakers-let us know by Wed. if interested
TechForum members: Need speakers for panels-please let us know by Wednesday
afternoon
Dear Members of Technology Managers
own exposure...
-Original Message-
From: Wall, Kevin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 20, 2007 9:16 PM
To: McGovern, James F (HTSC, IT)
Cc: sc-l@securecoding.org
Subject: RE: [SC-L] Economics of Software Vulnerabilities
James McGovern apparently wrote...
The uprising from
deck that
others who have blazed this path before me have used to sell the notion to
their executives.
-Original Message-
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 5:06 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure
Quick question for folks here. I participate in multiple user-groups and the
topic of secure coding practices has never appeared. What would it take for a
software vendor on this list to present to the CT OO Users Group (
www.cooug.org). These events are well attended.
Likewise, I am also a
I am attempting to figure out how other Fortune enterprises have gone about
selling the need for secure coding practices and can't seem to find the answer
I seek. Essentially, I have discovered that one of a few scenarios exists: (a)
the leadership chain was highly technical and intuitively
[mailto:[EMAIL PROTECTED] Behalf Of McGovern, James F
(HTSC, IT)
Sent: Thursday, March 08, 2007 11:17 AM
To: SC-L@securecoding.org
Subject: [SC-L] Information Protection Policies
Hopefully lots of the consultants on this list have been wildly successful in
getting Fortune enterprises to embrace secure coding practices. I am curious to
learn of those who have also been successful in getting these same Fortune
enterprises to incorporate the notion of secure coding
If you have two individuals, one of which has been practicing secure coding
practices and encouraging others to do so for years while another individual
was involved with firewalls, intrusion detection, information security policies
and so on, are they both information security professionals or
A [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] What defines an InfoSec Professional?
The right answer is both IMO. You need the thinkers, integrators, and
operators to do it right
I learned through the grapevine that folks from Network Computing will be doing
an upcoming article and comparison of tools in the secure coding space. If you
are a vendor, it would be wise to make sure your marketing folks are
participating. The funny thing is that I wouldn't expect it to
: Tuesday, January 02, 2007 1:35 PM
To: McGovern, James F (HTSC, IT); sc-l@securecoding.org
Subject: RE: [SC-L] Building Security In vs Auditing
Hi all,
Very good questions.
I think a service like the one you describe would be useful mostly as a way of
identifying the depth of the problem
which invalidates
the above.
-Original Message-
From: Temin, Aaron L. [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 21, 2006 1:38 PM
To: McGovern, James F (HTSC, IT); Secure Coding
Subject: RE: [SC-L] Compilers
It would be worth knowing more about the basis you use for drawing
I read a recent press release in which a security vendor (names removed to both
protect the innocent along with the fact that it doesn't matter for this
discussion) partnered with a prominent outsourcing firm. The press release was
carefully worded but if you read into what wasn't said, it was
-Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Friday, June 09, 2006 8:48 AM
To: Brian Chess; Secure Mailing List; McGovern, James F (HTSC, IT)
Subject: Re: [SC-L] RE: Comparing Scanning Tools
Right, because their customers (are starting to)
demand more secure code from
quality.
-Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 08, 2006 9:28 AM
To: McGovern, James F (HTSC, IT)
Cc: Secure Mailing List
Subject: Re: [SC-L] Comparing Scanning Tools
Hi James,
I think you are right to look at it as an economic issue
To: McGovern, James F (HTSC, IT)
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Comparing Scanning Tools
| Date: Mon, 5 Jun 2006 16:50:17 -0400
| From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
| To: sc-l@securecoding.org
| Subject: [SC-L] Comparing Scanning Tools
|
| The industry analyst
The industry analyst take on tools tends to be slightly different than software
practitioners at times. Curious if anyone has looked at Fortify and has formed
any positive / negative / neutral opinions on this tool and others...
Would love to see Gary address a couple of behaviors I have seen in my travels
amongst architect types in corporate America, especially the practice of secure
application protocol design that isn't so secure. Is anyone writing/blogging
deeply on this aspect?
Likewise, there are many folks in