At 9:46 AM -0500 1/2/07, McGovern, James F (HTSC, IT) wrote:

> I read a recent press release in which a security vendor (names removed
> to both protect the innocent along with the fact that it doesn't matter
> for this discussion) partnered with a prominent outsourcing firm. The
> press release was carefully worded but if you read into what wasn't said,
> it was in my opinion encouraging something that folks here tend to fight
> against. The outsourcing firm would use this tool in an auditing capacity
> for whatever client asked for another service but it would not become
> part of the general software development lifecycle for all projects.
>
> - It didn't mention any notion of all developers within the outsourcing
> firm having tools on their desktop to audit as they develop

From the information supplied, it is not clear that the tool is something appropriate for the development environment. I develop a tool that could be used in a (certain) development environment, but that would only tell how the development environment was secured, having no effect on the degree to which the outsourced code was secure.

> - It didn't mention any notion of training all developers within the
> outsourcing firm on secure coding practices

From the information supplied, it is not clear that the security vendor is one that would be involved in training anyone. Limitations on a joint press release (one that names another company) are subject to severe negotiations. Even if the security firm _was_ going to do what you suggest, I can see a PR flack at the outsourcing firm resisting any public suggestion that any of their staff needed further training on any aspect of data processing.

--
Larry Kilgallen

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________